Teresa Scassa - Blog

Teresa Scassa

Teresa Scassa

Class action lawsuits for privacy breaches are becoming all the rage in Canada – this is perhaps unsurprising given the growing number of data breaches. However, a proceeding certified and settled in October 2019 stands out as significantly different from the majority of Canadian privacy class action suits.

Most privacy class action lawsuits involve data breaches. Essentially, an entity trusted with the personal information of large numbers of individuals is sued because they lost the data stored on an unsecured device, a rogue employee absconded with the data or repurposed it, a hacker circumvented their security measures, or they simply allowed information to be improperly disclosed due to lax practices or other failings. In each of these scenarios, the common factor is a data breach and improper disclosure of personal information. Haikola v. Personal Insurance Co. is a notably different. In Haikola, the alleged misconduct is the over collection of personal information in breach of the Personal Information Protection and Electronic Documents Act (PIPEDA).

The legal issues in this case arose after the representative class plaintiff, Mr. Haikola, was involved in a car accident. In settling his claim, his insurance company asked him to consent to providing them access to his credit score with a credit reporting agency. Mr. Haikola agreed, although he felt that he had had no choice but to do so. He followed up with the insurance company on several occasions, seeking more information about why the information was required, but did not receive a satisfactory explanation. He filed a complaint with the Office of the Privacy Commissioner. The subsequent investigation led to a Report of Findings that concluded, in the words of Justice Glustein, that the insurance company’s “collection and use of credit scores during the auto insurance claim assessment process is not something that a reasonable person would consider to be appropriate.” (at para 13) The company eventually changed its practices.

Under PIPEDA, the Commissioner’s findings are not binding. Once a complainant has received a Report of Findings, they can choose to bring an application under s. 14 of PIPEDA to Federal Court for an order and/or an award of damages. After receiving his Report of Findings, Mr. Haikola took the unusual step of seeking to commence a class action lawsuit under s. 14 of PIPEDA. The defendants argued that the Federal Court had no jurisdiction under s. 14 to certify a class action lawsuit. There is no case law on this issue, and it is not at all clear that class action recourse is contemplated under s. 14.

The parties, in the meantime, negotiated a settlement agreement. However, quite apart from the issue of whether a class action suit could be certified under s. 14 of PIPEDA, it was unclear whether the Federal Court could “make an enforceable order in a PIPEDA class action against a non-governmental entity.” (at para 28) With advice from the Federal Court case management judge, the parties agreed that Mr. Haikola would commence an action in Ontario Superior Court, requesting certification of the class action lawsuit and approval of the settlement. The sole cause of action in the suit initiated in Ontario Superior Court was for breach of contract. The argument was that in the contract between the insurance company and its customers, the insurance company undertook to “”act as required or authorized by law” in the collection, use, and disclosure of the Class Members’ personal information – including information from credit reporting agencies.” (at para 56) This would include meeting its PIPEDA obligations.

The class included persons whose credit history was used as part of a claim settlement process. The insurance company identified 8,525 people who fell into this category. The settlement provided for the paying out of $2,250,000. The court estimated that if every member of the class filed a valid claim, each would receive approximately $150.

In considering whether a class action lawsuit was the preferable procedure, Justice Glustein noted that generally, for this type of privacy complaint, the normal recourse was under PIPEDA. The structure of PIPEDA is such that each affected individual would have to file a complaint; the filing of a complaint and the issuance of a report were both prerequisites to commencing an action in Federal Court. Justice Glustein considered this to be a barrier to access to justice, particularly since most individuals would have claims “of only a very modest value”. (at para 66) He found that “The common law claim proposed is preferable to each Class Member making a privacy complaint, waiting for the resolution of the complaint from the Privacy Commissioner with a formal report, and then commencing a Federal Court action.” (at para 67)

Justice Glustein certified the proceedings and approved the settlement agreement. He was certainly aware of the potential weaknesses of the plaintiff’s case – these were factors he took into account in assessing the reasonableness of the amount of the settlement. Not only were there real issues as to whether a class action lawsuit was a possible recourse for breach of PIPEDA, a proceeding under s. 14 is de novo, meaning the court would not be bound by the findings of the Privacy Commissioner. Further, the Federal Court has been parsimonious with damages under PIPEDA, awarding them only in the most “egregious” circumstances. It is, in fact, rare for a Federal Court judge to award damages unless there has been an improper disclosure of personal information. In this case, the insurance company was found to have collected too much information, but there had been no breach or loss of personal data.

This case is interesting because raises the possibility of class action lawsuits being used for privacy complaints other than data security breaches. This should put fear into the heart of any company whose general practices or policies have led them to collect too much personal information, obtain insufficient consent, or retain data for longer than necessary (to name just a few possible shortcomings). Perhaps the facts in Haikola are exceptional enough to avoid a landslide of litigation. Justice Glustein was clearly sympathetic towards a plaintiff who had doggedly pursued his privacy rights in the face of an insufficiently responsive company, and who had been vindicated by the OPC’s Report of Findings. Justice Glustein noted as well that it was the plaintiff who had sought to initiate the class action lawsuit – he had not been recruited by class counsel.

There is clearly also an element in this decision of frustration and dissatisfaction with the current state of Canadian data protection law. Justice Glustein observed: “If systemic PIPEDA breaches are not rectified by a class procedure, it is not clear what incentive large insurers and others will have to avoid overcollection of information.” (at para 88) Justice Glustein also observed that “While the Privacy Commissioner may encourage or require changes to future practices, it [sic] has very limited powers to enforce compliance through strong regulatory penalties.” (at para 88) This is certainly true, and many (including the Privacy Commissioner) have called for greater enforcement powers to strengthen PIPEDA. This comment, taken with Justice Glustein’s additional comment that the settlement imposes on the Defendants a “meaningful business cost” for the overcollection of personal information, are nothing short of a condemnation of Canada’s private sector data protection regime.

The government has heard such condemnations from the Commissioner himself, as well as from many other critics of PIPEDA. It is now hearing it from the courts. Hopefully it is paying attention. This is not just because PIPEDA obligations need stronger and more diverse enforcement options to provide meaningful privacy protection, but also because class action lawsuits are a blunt tool, ill-designed to serve carefully-tailored public policy objectives in this area.

 

 

The Ontario Energy Board (OEB) has just released a decision that should be of interest to those concerned about data governance for data sharing. The decision relates to an application by Ontario’s Smart Metering Entity (SME) for a licence to begin sharing Ontario’s smart metering data with third parties. The SME was established in Ontario as part of the governance structure for the data collected through government-mandated smart metering for all electricity consumers in the province.

Smart meters in Ontario collect fine-grained electrical consumption data. There are clear privacy interests in this consumption data as a person’s patterns of electrical consumption can reveal much about their activities, habits and preferences. In theory, fine-grained, aggregate, deidentified electrical consumption data can be useful for a broad range of purposes, including feeding the ever-hungry data economy. The SME was charged with governing this data resource in a way that would meet the needs of third parties (researchers, governments, and the private sector) to have access to the data while respecting consumer privacy. In 2019, Merlynda Vilain and I published a paper about the SME and its mandate to govern smart metering data in the public interest.

In its October 24, 2019 decision, the OEB considers an application by the SME seeking approval for its plan to provide access to smart metering data. The SME’s plan is built around three categories of data. The first, labelled “public offers”, consists of “highly aggregated products” ”such as monthly, seasonal or quarterly consumption data aggregated by postal district (i.e. the first digit of the postal code).” (OEB Order, p. 8) This data would be provided free of charge, and subject to unspecified terms and conditions.

The second category of data is “standard private offerings”. This consists of “pre-designed extracts based on popular data requests”. The examples provided include “Hourly or daily consumption data aggregated by 6, 5, 4 or 3 digit Postal Code at the municipal level, specifying the Distributor Rate Class and Commodity Rate Class”, as well as different types of visualizations. This category of data would be made available subject to a Data Use Agreement and at “market prices”.

The third category of data is “custom private offerings”, which are data sets customized to meet the demands of specific clients. These data sets would be subject to a Data Use Agreement and sold at “market price”.

Market price, is, of course, different from a fee for cost recovery. The SME in its application indicated that not only would the fees charged cover the costs of producing the data sets, any profits from the sale of smart metering data would be put towards lowering the Smart Metering Charge. In other words, the sale of data could potentially result in lower energy costs. This is an example of a plan to sell aggregate consumer data with a view to benefitting the class as a whole, although the extent of any benefits is difficult to assess without more information about market pricing and about the privacy risks and implications of the shared data. On the privacy issues, the SME maintained that shared data would be de-identified, although it acknowledged that there was some (unspecified) reidentification risk. It argued that factors mitigating against reidentification would include its work with a privacy consultant, compliance with guidance from the Office of the Information and Privacy Commissioner, the use of Data Use Agreements to limit the actions of the party acquiring the data, and the establishment of an Ethics Review Committee.

Those involved in data governance for data sharing will see how the SME’s proposal features some of the key elements and challenges in the data-sharing context. There is a perceived demand for high-value data, an attempt to meet that demand, privacy issues arising because the data is generated by individual activities and consumption, and a need to think about the terms and conditions of sharing, including cost/price. In this case, the data governance entity is a public body that must act under terms set by the regulator (the OEB), and it requires OEB approval of any data sharing plan. In this case, the OEB heard from the SME as well as a number of interveners, including the Building Owners and Managers Association, the Consumers Council of Canada, the Electricity Distributors Association, Ontario Power Generation Inc., and the Vulnerable Energy Consumers Coalition.

The decision of the OEB is interesting for a number of reasons. First, the approach taken is a precautionary one – the OEB sends the SME back to the drawing board over concerns about privacy and about the pricing scheme. In doing so, it appears to have paid some attention to the sometimes heated data governance discussions that have been taking place in Canada.

The OEB began by noting that none of the interveners objected to the first part of the SME plan – to make its “public offerings” category of data available to the public free of charge. In fact, this was the only part of the plan that received OEB approval. The OEB noted that “As these products would comprise highly aggregated data, they do not raise the same concerns about privacy as more tailored products.” It also concluded that the costs associated with preparing and sharing this data were part of the SME’s normal operations.

More problematic were the other categories of data for which sharing was planned. The OEB accepted that customers have a reasonable expectation of privacy “albeit a “significantly attenuated” one” (at p. 13) in their energy consumption data. The Board also noted that for some commercial customers, the consumption data might be confidential commercial information. The OEB observed that in spite of the fact that the plan was to de-identify the data, there remained some reidentification risk. It stated that “in light of the concerns expressed by stakeholders in this proceeding, the SME should proceed cautiously with third party access”. (at 13-14) The OEB considered that consumers needed to be well-informed about the collection and sharing of their data, and that while the SME has attempted to consult on these issues, “a more comprehensive consumer engagement process should take place.” (at 14) The OEB noted that “it is not clear form the evidence that consumers support the notion that consumption data (even if de-identified) should be offered for sale to third parties.” (at 14)

This approach reflects a shift in position on the part of the OEB. Past discussions of data sharing have regarded this data primarily as a public asset that should be put to use in the public interest. In the case of third party data sharing, this public interest was largely in the stimulation of the economy and innovation. What is different in this OEB Order is a much greater recognition of the importance of individual and collective consent. In its directions to the SME, the OEB asks for more detail from the SME’s consultation with consumers, the need to propose “a protocol for receiving and dealing with consumer complaints regarding the release of the data” (at 14), a plan for informing consumers about the release of deidentified information to third parties, and a need to obtain approval “of the basic terms of any Data Use Agreement with third parties.” (at 14).

In addition to these concerns about privacy and consultation, the OEB expressed reservations about the SME’s plans to share data at ‘market prices’. Some of the interveners noted that the SME held a monopoly position with respect to smart metering data, and there was therefore no market price for such data. The OEB called for the SME to develop a marketing plan that “should address pricing to ensure reasonably priced access by commercial and non-commercial users.” (at 14)

This decision is important and interesting for a number of reasons. First, it reflects a cautious, go-slow, precautionary approach to data sharing that might not have existed before Ontarians lost their data innocence in the debates over plans for Sidewalk Toronto. The OEB’s concerns include reidentification risk, proper consultation, accountability, and the terms and conditions for data sharing. The need to adequately and appropriately consult those individuals whose data is to be shared is an important theme in this decision. Although the SME claims to have made efforts to include consumer perspectives, the OEB is not satisfied that these efforts went far enough.

The decision also lands in the middle of the Ontario government’s data strategy consultation (which I have written about here, here and here). The consultation process – which lacks detail and is moving far too quickly – is clearly geared towards increasing data sharing and leveraging data for economic development and innovation, all while maintaining public ‘trust and confidence’. The Ontario government clearly wants to make some quick changes. Yet what this OEB decision reflects is a need to adopt a precautionary approach and to ensure adequate consultation and public awareness. As frameworks, models and templates are developed, things can being to move more quickly – but there is real value in getting things right from the outset.

Ontario is currently engaged in a data strategy consultation process. The stated goals are to create economic opportunities and to improve government services by facilitating greater data sharing and by using more analytics and artificial intelligence. The plan is to do this while maintaining the ‘trust and confidence’ of Ontarians. The consultation process has had an extraordinarily low profile considering what is at stake. That said, it is happening so quickly that it is easy to miss. Even for those paying attention, the consultation is long on boosterism and short on detail. This post outlines some reasons why Ontarians should be concerned.

1. Major transformation without proper debate/consultation

Developing a data strategy is a good idea. Data-driven innovations are dramatically changing our economy and society. There are many ways for government to become more effective and efficient by embracing new technologies. It could also become more transparent and find new ways to engage citizens. To do these things some changes to the law and policy infrastructure will be necessary. Businesses seeking to innovate and grow in the digital and data economy will need better access to quality data and, among other things, new models for data governance and data sharing. Data-driven technologies also bring with them risks of harm and these too may need new legislation or normative frameworks. There is a lot to consider and some of the changes will be transformative, and will rely upon citizen data. These are all good reasons to consult deeply and broadly, both to seek input and to lay the foundations for a transparent public engagement.

The data strategy consultation was announced in February 2019, with a report to be published before the end of the year. The consultation centres around three discussion papers, the first of which was only made available in mid-August 2019 and the last of which has just been released, with comments due by the end of November. The public meetings held as part of these consultations are taking place on very short notice. The process is hurried, obscure and fails to properly engage the full range of stakeholders.

2, Superficiality

Quite apart from the rushed nature of the process, the discussion papers are woefully inadequate. They are full of assertions of the benefits of what is planned, with the occasional nod to the importance of privacy and trust. There is little detail about the nature, scope or timelines for what the government plans to do.

The discussion papers give only brief glimpses of things that merit a much more detailed treatment. For example, on the issue of broad-scale data sharing between different government departments and agencies, we are told that “while ‘connecting the dots’ between datasets can help government provide better services, there are privacy and cybersecurity risks to be managed.” ‘Connecting the dots’ can mean all sorts of things. Perhaps data matching will be used to find ways to improve service delivery. Data analytics might also be used to discover or anticipate certain citizen behaviors. This could include identifying patterns that suggest certain individuals are fraudulently obtaining benefits or cheating on taxes, or identifying children potentially at risk. The data-matching possibilities are endless. And while the goals might be important, there are significant risks of harm. Beyond privacy concerns, there are issues of discrimination and undue surveillance. What processes will be in place to ensure transparency and accountability as these programs are developed and implemented? The consultation documents are so general and superficial that they fail to identify, let alone invite engagement on some of the real challenges posed by the government’s (undisclosed) plans.

An alarming glimpse of what lies beneath the superficial gloss of these documents is found in the second discussion paper which focuses on “Creating Economic Benefits”. The document talks about the value that can be derived by the private sector from data shared by governments. It then casually states “Given that Ontario has a wealth of data in digital health assets, clinical and administrative health data can also be considered as a high-value dataset that may present various opportunities for Ontario.” This suggests that the government is planning to make the personal health data of Ontarians available to the private sector. As the Privacy Commissioner, in his comment on this aspect of the discussion paper, aptly notes, “It is important to distinguish between the high value of health-related data in terms of utilizing it to foster innovation and research, and its high monetary value (that is, health-related data as a commodity to be sold as a source of revenue for the government). The specific scope of what the government may be contemplating is not clear from the discussion paper.”

3. The Gaps

The government is designing a data strategy but its focus is relatively narrow. Ontario’s Privacy Commissioner has pointed out that there are many other data-related reforms that could enhance government transparency including open contracting and open procurement, as well as other reforms to improve access to government information. While the Simpler, Faster, Better Services Act introduced reforms around open data, open data is not necessarily the best route to transparency, especially with a government that has indicated it wants to be more strategic about its release of open data and that sees it primarily as a driver of the economy.

4. Social impacts

This consultation process relies far too much on the increasingly tired trope of “trust and confidence”. The first consultation document, a truly abstract exercise in asking people what they think about plans that have neither been discussed or disclosed, is titled “Promoting Public Trust and Confidence”. Trust and confidence must be earned, not promoted.

Although the first discussion paper identifies a broad range of issues, including bias and discrimination, surveillance, data privacy and security, these are raised largely in the abstract. In the subsequent discussion papers on creating economic benefits and smarter government, the issues are boiled down to individual data privacy and security. There needs to be a detailed, robust and informed discussion on the impacts of proposed technological changes on individuals and communities, as well as on limits, oversight and safeguards.

5. ‘Stakeholders’ and the Rest of Us

Another issue that should concern Ontarians in this consultation is whose voices really matter. The lightning fast consultation hints at some major changes, many of which are driven by industry demands (such as the massive sharing of personal health data with the private sector). Industry clearly has the ear of government and does not need the consultation process in order to be heard.

The data strategy consultation has been poorly publicized. The discussion papers have been published late in the process, contain little detail, and have narrow windows for providing feedback. The paper on trust and confidence was released in mid-August with comments due just after Labour Day. The timing could hardly be worse for ensuring public engagement. The public meetings around the province are scheduled with very short notice. This consultation favours larger organizations with the resources to throw together a quick response or to find someone who can attend a meeting at short notice. It does not favour the general public, nor does it favour civil society groups and academia with limited resources and personnel.

At the same time that this speedy data consultation is taking place, there are closed-door consultations underway with “stakeholders” about reforms to the Personal Health Information Protection Act. While there is no doubt that much could be done to modernize this legislation, the fact that it taking place behind the scenes of the superficial data strategy consultation is deeply troubling. There is also, reportedly, work being done on an ethical AI strategy for the government. Not only is this not part of any public consultation process, it is only hinted at in the third discussion paper.

It is also profoundly disturbing that institutions that serve the public interest such as the Office of the Information and Privacy Commissioner so clearly do not have the ear of government. The Privacy Commissioner’s input has been reduced to letters written in response to the discussion papers. These letters politely invite the government to seek out his expertise on issues that are squarely within his mandate.

Proposed massive technological change, ‘trust us’ assurances about privacy that fall short of the mark, and a disregard for early and inclusive consultations are a recipe for disaster. People are not data cows to be milked by government and industry, and acknowledged with only a pat on the rump and a vague assurance that they will be well looked after. The data strategy must serve all Ontarians and must be built on a foundation of credible and meaningful public engagement. As the Sidewalk Toronto process has demonstrated, people do care, the private sector doesn’t have all the answers, and transformative change needs social legitimacy.

An interesting case from Quebec demonstrates the tension between privacy and transparency when it comes to public registers that include personal information. It also raises issues around ownership and control of data, including the measures used to prevent data scraping. The way the litigation was framed means that not all of these questions are answered in the decision, leaving some lingering public policy questions.

Quebec’s Enterprise Registrar oversees a registry, in the form of a database, of all businesses in Quebec, including corporations, sole corporations and partnerships. The Registrar is empowered to do so under the Act respecting the legal publicity of enterprises (ALPE), which also establishes the database. The Registrar is obliged to make this register publicly accessible, including remotely by technological means, and basic use of the database is free of charge.

The applicant in this case is OpenCorporates, a U.K.-based organization dedicated to ensuring total corporate transparency. According to its website, OpenCorporates has created and maintains “the largest open database of companies in the world”. It currently has data on companies located in over 130 jurisdictions. Most of this data is drawn from reliable public registries. In addition to providing a free, searchable public resource, OpenCorporates also sells structured data to financial institutions, government agencies, journalists and other businesses. The money raised from these sales finances its operations.

OpenCorporates gathers its data using a variety of means. In 2012, it began to scrape data from Quebec’s Enterprise Register. Data scraping involves the use of ‘bots’ to visit and automatically harvest data from targeted web pages. It is a common data-harvesting practice, widely used by journalists, civil society actors and researchers, as well as companies large and small. As common as it may be, it is not always welcome, and there has been litigation in Canada and around the world about the legality of data scraping practices, chiefly in contexts where the defendant is attempting to commercialize data scraped from a business rival.

In 2016 the Registrar changed the terms of service for the Enterprise Register. These changes essentially prohibited web scraping activities, as well as the commercialization of data extracted from the site. The new terms also prohibit certain types of information analyses; for example, they bar searches for data according to the name and address of a particular person. All visitors to the site must agree to the Terms of Service. The Registrar also introduced technological measures to make it more difficult for bots to scrape its data.

Opencorporates Ltd. C. Registraire des entreprises du Québec is not a challenge to the Register’s new, restrictive terms and conditions. Instead, because the Registrar also sent OpenCorporates a cease and desist letter demanding that it stop using the data it had collected prior to the change in Terms of Service, OpenCorporates sought a declaration from the Quebec Superior Court that it was entitled to continue to use this earlier data.

The Registrar acknowledged that nothing in the ALPE authorizes it to control uses made of any data obtained from its site. Further, until it posted the new terms and conditions for the site, nothing limited what users could do with the data. The Registrar argued that it had the right to control the pre-2016 data because of the purpose of the Register. It argued that the ALPE established the Register as the sole source of public data on Quebec businesses, and that the database was designed to protect the personal information that it contained (i.e. the names and addresses of directors of corporations). For example, it does not permit extensive searches by name or address. OpenCorporates, by contrast, permits the searching of all of its data, including by name and address.

The court characterized the purpose of the Register as being to protect individuals and corporations that interact with other corporations by assuring them easy access to identity information, including the names of those persons associated with a corporation. An electronic database gives users the ability to make quick searches and from a distance. Quebec’s Act to Establish a Legal Framework for Information Technology provides that where a document contains personal information and is made public for particular purposes, any extensive searches of the document must be limited to those purposes. This law places the onus on the person responsible for providing access to the document to put in place appropriate technological protection measures. Under the ALPE, the Registrar can carry out more comprehensive searches of the database on behalf of users who must make their request to the Registrar. Even then, the ALPE prohibits the Registrar from using the name or address of an individual as a basis for a search. According to the Registrar, a member of the public has right to know, once one they have the name of a company, with whom they are dealing; they do not have the right to determine the number of companies to which a physical person is linked. By contrast, this latter type of search is one that could be carried out using the OpenCorporates database.

The court noted that it was not its role to consider the legality of OpenCorporates’ database, nor to consider the use made by others of that database. It also observed that individuals concerned about potential privacy breaches facilitated by OpenCorporates might have recourse under Quebec privacy law. Justice Rogers’ focus was on the specific question of whether the Registrar could prevent OpenCorporates from using the data it gathered prior to the change of terms of service in 2016. On this point, the judge ruled in favour of OpenCorporates. In her view, OpenCorporates’ gathering of this data was not in breach of any law that the Registrar could rely upon (leaving aside any potential privacy claims by individuals whose data was scraped). Further, she found that nothing in the ALPE gave the Registrar a monopoly on the creation and maintenance of a database of corporate data. She observed that the use made by OpenCorporates of the data was not contrary to the purpose of the ALPE, which was to create greater corporate transparency and to protect those who interacted with corporations. She ruled that nothing in the ALPE obligated the Registrar to eliminate all privacy risks. The names and addresses of those involved with corporations are public information; the goal of the legislation is to facilitate digital access to the data while at the same time placing limits on bulk searches. Nothing in the ALPE prevented another organization from creating its own database of Quebec businesses. Since OpenCorporates did not breach any laws or terms of service in collecting the information between 2012 and 2016, nothing prevented it from continuing to use that information in its own databases. Justice Rogers issued a declaration to the effect that the Registrar was not permitted to prevent OpenCorporates from publishing and distributing the data it collected from the Register prior to 2016.

While this was a victory for OpenCorporates, it did not do much more than ensure its right to continue to use data that will become increasingly dated. There is perhaps some value in the Court’s finding that the existence of a public database does not, on its own, preclude the creation of derivative databases. However, the decision leaves some important questions unanswered. In the first place, it alludes to but offers no opinion on the ability to challenge the inclusion of the data in the OpenCorporates database on privacy grounds. While a breach of privacy argument might be difficult to maintain in the case of public data regarding corporate ownership, it is still unpredictable how it might play out in court. This is far less sensitive data that that involved in the scraping of court decisions litigated before the Federal Court in A.T. v. Globe24hr.com; there is a public interest in making the specific personal information available in the Registry; and the use made by OpenCorporates is far less exploitative than in Globe24hr. Nevertheless, the privacy issues remain a latent difficulty. Overall, the decision tells us little about how to strike an appropriate balance between the values of transparency and privacy. The legislation and the Registrar’s approach are designed to make it difficult to track corporate ownership or involvement across multiple corporations. There is rigorous protection of information with low privacy value and with a strong public dimension; with transparency being weakened as a result. It is worth noting that another lawsuit against the Register may be in the works. It is reported that the CBC is challenging the decision of the Registrar to prohibit searches by names of directors and managers of companies as a breach of the right to freedom of expression.

Because the terms of service were not directly at issue in the case, there is also little to go on with respect to the impact of such terms. To what extent can terms of service limit what can be done with publicly accessible data made available over the Internet? The recent U.S. case of hiQ Labs Inc. v. LinkedIn Corp. raises interesting questions about freedom of expression and the right to harvest publicly accessible data. This and other important issues remain unaddressed in what is ultimately an interesting but unsatisfying court decision.

 

The second discussion paper in Ontario’s lightning-quick consultation on a new data strategy for the province was released on September 20, 2019. Comments are due by October 9, 2019. If you blink, you will miss the consultation. But if you read the discussion paper, it will make you blink – in puzzlement. Although it is clear from its title that Ontario wants to “create economic benefits” through data, the discussion paper is coy, relying mainly on broad generalities with occasional hints at which might actually be in the works.

Governments around the world are clearly struggling to position their countries/regions to compete in a burgeoning data economy. Canada is (until the election period cooled things off) in the middle of developing its own digital and data strategy. Ontario launched its data strategy consultation in February 2019. The AI industry (in which Canada and Ontario both aspire to compete) is thirsty for data, and governments are contemplating the use of AI to improve governance and to automate decision-making. It is not surprising, therefore, that this document tackles the important issue of how to support the data economy in Ontario.

The document identifies a number of challenges faced by Ontario. These include skill and knowledge deficits in existing industries and businesses; the high cost of importing new technologies, limited digital infrastructure outside urban core areas, and international competition for highly qualified talent for the data economy. The consultation paper makes clear that the data strategy will need to address technology transfer, training/education, recruitment, and support for small businesses. Beyond this, a key theme of the document is enhancing access to data for businesses.

It is with respect to data that the consultation paper becomes troublingly murky. It begins its consideration of data issues with a discussion of open government data. Ontario has had an open data portal for a number of years and has been steadily developing it. A new law, pushed through in the omnibus budget bill that followed the Ford government’s election is the first in Canada to entrench open government data in law. The consultation document seems to suggest that the government will put more resources into open data. This is good. However, the extent of the open data ambitions gives pause. The consultation document notes, “it is important for governments to ensure that the right level of detailed data is released while protecting government security and personal privacy.” Keep in mind that up until now, the approach to open data has been to simply not release as open data datasets that contain personal information. This includes data sets that could lead to the reidentification of individuals when combined with other available data. The consultation paper states “Ontario’s government holds vast amounts of data that can help businesses develop new products and services that make Ontarian’s lives easier, while ensuring that their privacy is protected.” These references to open data and privacy protection are indications that the government is contemplating that it will make personal data in some form or another available for sharing. Alarmingly, businesses may be invited to drive decision-making around what data should be shared. The document states, “New collaboration with businesses can help us determine which data assets have the greatest potential to drive growth.” An out-of-the-blue example provided in the consultation paper is even more disturbing. At a point where the document discusses classic categories of important open data such as geospatial reference and weather data, it suddenly states “Given that Ontario has a wealth of data in digital health assets, clinical and administrative health data can also be considered a high-value dataset that may present various opportunities for Ontario.”

If personal data is on the table (and the extent to which this is the case should be a matter of serious public consultation and not lightning-round Q & A), then governance becomes all the more important. The consultation paper acknowledges the importance of governance – of a sort. It suggests new guidelines (the choice of words here is interesting – as guidelines are not laws and are usually non-binding) to help govern how data is shared. The language of standards, guidance and best practices is used. Words such as law, regulation and enforcement are not. While “soft law” instruments can have a role to play in a rapidly changing technological environment, Canadians should be justifiably wary of a self-regulating private sector – particularly where there is so much financially at stake for participating companies. It should also be wary of norms and standards developed by ‘stakeholder’ groups that only marginally represent civil society, consumer and privacy interests.

If there is one thing that governments in Canada should have learned from the Sidewalk Toronto adventure, it is that governments and the private sector require social licence to collect and share a populations’ personal data. What this consultation does instead is say to the public, “the data we collect about you will be very valuable to businesses and it is in the broader public interest that we share it with them. Don’t worry, we’re thinking about how to do it right.” That is an illustration of paternalism, not consultation or engagement. It is certainly not how you gain social licence.

The Ontario government’s first Consultation Paper, which I discuss here was about “promoting trust and confidence”, and it ostensibly dealt with privacy, security and related issues. However, the type of data sharing that is strongly hinted at in the second discussion paper is not discussed in that first paper and the consultation questions in that document do not address it either.

There is a great deal of non-personal government data that can be valuable for businesses and that might be used to drive innovation. There is already knowledge and experience around open data in Ontario, and building upon this is a fine objective. Sharing of personal and human behavioural data may also be acceptable in some circumstances and under some conditions. There are experiments in Canada and in other countries with frameworks for doing this that are worth studying. But this consultation document seems to reflect a desire to put all government data up for grabs, without social licence, with only the vaguest plans for protection, and with a clear inclination towards norms and standards developed outside the usual democratic processes. Yes, there is a need to move quickly – and to be “agile” in response to technological change. But speed is not the only value. There is a difference between a graceful dive and a resounding belly flop – both are fast, only one is agile.

 

A ruling under B.C.’s Personal Information Protection Act (PIPA) will add new fuel to the fires burning around the issue of whether Canada’s federal political parties should have to comply with data protection laws. In Order P19-02, B.C. Privacy Commissioner Michael McEvoy rejected constitutional challenges and ruled that B.C.’s data protection law applied not just to provincial political parties (something it indisputably does), but also to electoral district associations in B.C. established under the Canada Elections Act. The decision means that the hearing into a complaint against the Courtenay-Alberni Riding Association of the New Democratic Party of Canada will now proceed. The riding association will still have the opportunity to argue, within the factual context of the complaint, that the application of specific provisions of PIPA place unacceptable limits on the right to vote and the freedom of expression under the Canadian Charter of Rights and Freedoms (the Charter).

There has been considerable attention paid to the relatively unregulated information handling practices of Canadian political parties in the last few years. A 2012 report commissioned by the Office of the Privacy Commissioner of Canada laid out the legal landscape. In the fall of 2018, federal, provincial and territorial privacy commissioners issued a joint call for meaningful privacy regulation of political parties in Canada. In late 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics issued its report titled Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly in which it recommended, among other things, that Canadian political parties be made subject to the Personal Information Protection and Electronic Documents Act (PIPEDA). Instead, the federal government chose to amend the Canada Elections Act to add some fairly tepid requirements for parties to have and make available privacy policies. Meaningful oversight and enforcement mechanisms are notably absent. In April 2019, Office of the Privacy Commissioner of Canada issued guidance for political parties on how to protect privacy. On August 7, Open Media conducted a review of the privacy policies of Canada’s federal political parties, measuring them against the guidelines issued by the OPC. The review reveals a fairly dismal level of privacy protection. As noted above, B.C.’s PIPA applies to B.C.’s provincial political parties. A review of those parties’ privacy practices earlier this year resulted in an investigation report that makes interesting reading.

It is within this context that a B.C. couple filed a complaint with the B.C. Office of the Information and Privacy Commissioner after each received and email from the NDP’s Courtenay-Alberni Riding Association inviting them to attend a meet and greet with the federal party’s leader. The couple wrote a letter to the local NDP seeking to know what information the party had on them, from whom it had been sourced, with whom it had been shared, and how the information had been and would be used. When they did not receive a satisfactory response, they filed a complaint with the OIPC. Since the NDP objected to the jurisdiction of the OIPC in the matter, the OIPC issued a notice of hearing to determine the preliminary issue of whether BC’s PIPA applied to the Courtney-Alberni Riding Association (the Organization).

The Organization made three constitutional arguments objecting to the jurisdiction of the OIPC. The first is that PIPA cannot apply to federally registered political entities because s. 41 of the Constitution Act, 1867 gives the federal government sole jurisdiction over the conduct of federal elections. The second is that PIPA cannot apply because other federal laws, including the Canada Elections Act and PIPEDA are paramount. The third argument was that, if PIPA were found to apply, to the extent that it did so, it would place unjustified limits on the right to vote and the freedom of expression guaranteed under the Charter. As noted above, on this third issue, the adjudicator ruled that there was an insufficient factual context to make a determination. Because Commissioner McAvoy ultimately decided that PIPA applies, the third question will be considered in the context of the hearing into the actual complaint.

Commisioner McAvoy noted that PIPA applies to every “organization” in BC. “Organization” is defined broadly to include: “a person, an unincorporated association, a trade union, a trust or a not for profit organization.” The Riding Association, as an unincorporated association, falls within this definition. He ruled that it made no difference that the organization was established under the constitution of a federal political party or that it is involved in federal politics. He rejected the Organization’s rather convoluted argument that since PIPEDA also applied to ‘organizations’, it precluded the application of BC’s statute. The Commissioner noted that because there is no commercial activity, PIPEDA did not apply to the collection, use or disclosure of personal information by the organization, and thus did not preclude the application of PIPA.

Commissioner McAvoy rejected the first constitutional argument on the basis that PIPA does not attempt to regulate the conduct of federal elections. PIPA’s purpose relates to “the regulation of the collection, use and disclosure of personal information by organizations.” (at para 45) It has nothing to do with any election-related issues such as the establishment of political parties, voting processes, or campaign financing. PIPA itself falls within provincial jurisdiction over “property and civil rights” in B.C. The Organization argued that by applying to federal riding associations in the province, it attempted to affect matters outside the province, but the adjudicator disagreed. He stated: “Analysis of incidental effects should be kept distinct from assessment of whether a provincial statute is validly enacted under the Constitution Act, 1867” (at para 52). He noted that in any event, incidental effects do not necessarily render a statute unconstitutional.

The Commissioner also rejected the paramountcy argument. The Organization argued that PIPA’s provisions conflicted with the Canada Elections Act, as well as the Telecommunications Act and Canada’s Anti-Spam Legislation (CASL) and frustrated a federal purpose and therefore could not apply to federal riding associations in B.C. Commissioner McEvoy found that there was no actual conflict between the federal and provincial laws. The Canada Elections Act imposes no substantive obligations around, for example, consent to the collection of personal information. It is not a situation where one statute says consent is not required and another says that it is. The Canada Elections Act is simply more permissive when it comes to personal information. Because the do-not-call list established under the Telecommunications Act does not address email communications, which is the subject matter of the actual complaint, there is no conflict with that law. Similarly, he found no conflict with the CASL. Although the CASL permits political parties or organizations to send emails with out consent to solicit donations, the email that was the subject of the complaint before the OIPC did not solicit a donation, but was rather an invitation to an event. As a result there is no conflict between the laws. Further, case law does not support the view that a conflict is found simply because a provincial law has more restrictive elements than a federal law. The Commissioner stated: “the fact that the Canada Elections Act and the two other federal laws take a permissive approach to use of certain personal information of electors does not of itself establish a conflict with PIPA’s requirements (even if one assumes, for discussion purposes only, that PIPA actually prohibits that which federal law permits.) . . . It is possible to comply with both PIPA and the federal laws [. . .]” (at para 79).

Commissioner McAvoy also rejected the argument that the application of PIPA would frustrate the federal purpose pursued under the Canada Elections Act. He found that the Organization had not adequately established the federal purpose nor had it managed to demonstrate how PIPA frustrated it.

Clearly this particular skirmish is far from complete. It is entirely possible that the Organization will challenge the Commissioner’s decision, and the matter may head to court. Nevertheless, the decision is an important one, as it raises the clear possibility that riding associations of federal political parties in BC might be held to a far stricter standard of data protection that that required of political parties elsewhere in Canada. This will increase the growing pressure on the federal government to take real, concrete steps to ensure that political parties are held to the same standards as private sector organizations when it comes to collecting, using and disclosing personal information. Given vast amounts of data available, the potential for intrusive and inappropriate uses, the controversies around profiling and targeting, and the growing risks of harm from data breaches, this is an unacceptable legislative gap.

 

On July 31, 2019 the Ontario Government released a discussion paper titled Promoting Trust and Confidence in Ontario’s Data Economy. This is the first in a planned series of discussion papers related to the province’s ongoing Data Strategy consultation. This particular document focuses on the first pillar of the strategy: Promoting Trust and Confidence. The other pillars are: Creating Economic Benefit; and Enabling Better, Smarter Government. The entire consultation process is moving at lightning speed. The government plans to have a final data strategy in place by the end of this calendar year.

My first comment on the document is about timing. A release on July 31, with comments due by September 6, means that it hits both peak vacation season and mad back to school rush. This is not ideal for gathering feedback on such an important set of issues. A further timing issue is the release of this document and the call for comments before the other discussion papers are available. The result is a discussion paper that considers trust and confidence in a policy vacuum, even though it makes general reference to some pretty big planned changes to how the public sector will handle Ontarians’ personal information as well as planned new measures to enable businesses to derive economic benefit from data. It would have been very useful to have detailed information about what the government is thinking about doing on these two fronts before being asked what would ensure ongoing trust and confidence in the collection, use and disclosure of Ontarians’ data. Of course, this assumes that the other two discussion documents will contain these details – they might not.

My second comment is about the generality of this document. This is not a consultation paper that proposes a particular course of action and seeks input or comment. It describes the current data context in broad terms and asks questions that are very general and open-ended. Here are a couple of examples: “How can the province help businesses – particularly small and medium-sized businesses – better protect their consumers’ data and use data-driven practices responsibly?” “How can the province build capacity and promote culture change concerning privacy and data protection throughout the public sector (e.g., through training, myth-busting, new guidance and resources for public agencies)?” It’s not that the questions are bad ones – most of them are important, challenging and worth thinking about. But they are each potentially huge in scope. Keep in mind that the Data Strategy that these questions are meant to inform is to be released before the end of 2019. It is hard to believe that anything much could be done with responses to such broad questions other than to distil general statements in support of a strategy that must already be close to draft stage.

That doesn’t mean that there are not a few interesting nuggets to mine from within the document. Currently, private sector data protection in Ontario is governed by the federal Personal Information Protection and Electronic Documents Act. This is because, unlike Alberta, B.C. and Quebec, Ontario has not enacted a substantially similar private sector data protection law. Is it planning to? It is not clear from this document, but there are hints that it might be. The paper states that it is important to “[c]larify and strengthen Ontario’s jurisdiction and the application of provincial and federal laws over data collected from Ontarians.” (at p. 13) One of the discussion questions is “How can Ontario promote privacy protective practices throughout the private sector, building on the principles underlying the federal government’s private sector privacy legislation (the Personal Information Protection and Electronic Documents Act)?” Keep in mind that a private member’s bill was introduced by a Liberal backbencher just before the last election that set out a private sector data protection law for Ontario. There’s a draft text already out there.

Given that this is a data strategy document for a government that is already planning to make major changes to how public sector data is handled, there are a surprising number of references to the private sector. For example, in the section on threats and risks of data-driven practices, there are three examples of data breaches, theft and misuse – none of which are from Ontario’s public sector. This might support the theory that private sector data protection legislation is in the offing. On the other hand, Ontario has jurisdiction over consumer protection; individuals are repeatedly referred to as “consumers” in the document. It may be that changes are being contemplated to consumer protection legislation, particularly in areas such as behavioural manipulation, and algorithmic bias and discrimination. Another question hints at possible action around online consumer contracts. These would all be interesting developments.

There is a strange tension between public and private sectors in the document. Most examples of problems, breaches, and technological challenges are from the private sector, while the document remains very cagey about the public sector. It is this cageyness about the public sector that is most disappointing. The government has already taken some pretty serious steps on the road to its digital strategy. For example, it is in the process of unrolling much broader sharing of personal information across the public sector through amendments to the Freedom of Information and Protection of Privacy Act passed shortly after the election. These will take effect once data standards are in place (my earlier post on these amendments is here). The same bill enacted the Simpler, Faster, Better, Services Act. This too awaits regulations setting standards before it takes effect (my earlier post on this statute is here). These laws were passed under the public radar because they were rushed through in an omnibus budget bill and with little debate. It would be good to have a clear, straightforward document from the government that outlines what it plans to do under both of these new initiatives and what it will mean for Ontarians and their personal data. Details of this kind would be very helpful in allowing Ontarians to make informed comments on trust and confidence. For example, the question “What digital and data-related threats to human rights and civil liberties pose the greatest risk for Ontarians” (p. 14) might receive different answers if readers were prompted to think more specifically about the plans for greater sharing of personal data across government, and a more permissive approach to disclosures for investigatory purposes (see my post on this issue here).

The discussion questions are organized by category. Interestingly, there is a separate category for ‘Privacy, Data Protection and Data Governance’. That’s fine – but consider that there is a later category titled Human Rights and Civil Liberties. Those of us who think privacy is a human right might find this odd. It is also odd that the human rights/civil liberties discussion is separated from data governance since they are surely related. It is perhaps wrong to read too much into this, since the document was no doubt drafted quickly. But thinking about privacy as a human right is important. The document’s focus on trust and confidence seems to relegate privacy to a lower status. It states: “A loss of trust reduces people’s willingness to share data or give social license for its use. Likewise, diminishing confidence impedes the creative risk-taking at the heart of experimentation, innovation and investment.” (at p. 8) In this plan, protection of privacy is about ensuring trust which will in turn foster a thriving data economy. The fundamental question at the heart of this document is thus not: ‘what measures should be taken to ensure that fundamental values are protected and respected in a digital economy and society”. Rather, it is: ‘What will it take to make you feel ok about sharing large quantities of personal information with business and government to drive the economy and administrative efficiencies?’ This may seem like nitpicking, but keep in mind that the description of the ‘Promoting Trust and Confidence’ pillar promises “world-leading, best-in-class protections that benefits the public and ensures public trust and confidence in the data economy” (page 4). Right now, Europe’s GDPR offers the world-leading, best-in-class protections. It does so because it treats privacy as a human right and puts the protection of this and other human rights and civil liberties at the fore. A process that puts feeling ok about sharing lots of data at the forefront won’t keep pace.

Friday, 19 July 2019 09:15

Open Banking in Canada - A Primer

I wrote a short paper on Open Banking in Canada for a presentation I gave to the Digital Strategy Committee of the Board of Directors of Vancity, a Vancouver-based credit union.  The text of this paper is available by clicking on "read more" and/or downloading the PDF attachment below.

Smart city data governance has become a hot topic in Toronto in light of Sidewalk Labs’ proposed smart city development for Toronto’s waterfront. In its Master Innovation Development Plan (MIDP), Sidewalk Labs has outlined a data governance regime for “urban data” that will be collected in the lands set aside for the proposed Sidewalk Toronto smart city development. The data governance scheme sets out to do a number of different things. First, it provides a framework for sharing ‘urban data’ with all those who have an interest in using this data. This could include governments, the private sector, researchers or civil society. Because the data may have privacy implications, the governance scheme must also protect privacy. Sidewalk Labs is also proposing that the governance body be charged with determining who can collect data within the project space, and with setting any necessary terms and conditions for such collection and for any subsequent use or sharing of the data. The governance body, named the Urban Data Trust (UDT), will have a mandate to act in the public interest, and it is meant to ensure that privacy is respected and that any data collection, use or disclosure – even if the data is non-personal or deidentified – is ethical and serves the public interest. They propose a 5-person governance body, with representation from different stakeholder communities, including “a data governance, privacy, or intellectual property expert; a community representative; a public-sector representative; an academic representative; and a Canadian business industry representative” (MIDP, Chapter 5, p. 421).

The merits and/or shortcomings of this proposed governance scheme will no doubt be hotly debated as the public is consulted and as Waterfront Toronto develops its response to the MIDP. One thing is certain – the plan is sure to generate a great deal of discussion. Data governance for data sharing is becoming an increasingly important topic (it is also relevant in the Artificial Intelligence (AI) context) – one where there are many possibilities and proposals and much unexplored territory. Relatively recent publications on data governance for data sharing include reports by Element AI, MaRS, and the Open Data Institute). These reflect both the interest in and the uncertainties around the subject. Yet in spite of the apparent novelty of the subject and the flurry of interest in data trusts, there are already many different existing models of data governance for data sharing. These models may offer lessons that are important in developing data governance for data sharing for both AI and for smart city developments like Sidewalk Toronto.

My co-author Merlynda Vilain and I have just published a paper that explores one such model. In the early 2000’s the Ontario government decided to roll out mandatory smart metering for electrical consumption in the province. Over a period of time, all homes and businesses would be equipped with smart meters, and these meters would collect detailed data in real time about electrical consumption. The proposal raised privacy concerns, particularly because detailed electrical consumption data could reveal intimate details about the activities of people within their own homes. The response to these concerns was to create a data governance framework that would protect customer privacy while still reaping the benefits of the detailed consumption data.

Not surprisingly, as the data economy surged alongside the implementation of smart metering, the interest in access to deidentified electrical consumption data grew across different levels of government and within the private sector. The data governance regime had therefore to adapt to a growing demand for access to the data from a broadening range of actors. Protecting privacy became a major concern, and this involved not just applying deidentification techniques, but also setting terms and conditions for reuse of the data.

The Smart Metering Entity (SME), the data governance body established for smart metering data, provides an interesting use case for data governance for data sharing. We carried out our study with this in mind; we were particularly interested in seeing what lessons could be learned from the SME for data governance in other context. We found that the SME made a particularly interesting case study because it involved public sector data, public and private sector stakeholders, and a considerable body of relatively sensitive personal information. It also provides a good example of a model that had to adapt to changes over a relatively short period of time – something that may be essential in a rapidly evolving data economy. There were changes in the value of the data collected, and new demands for access to the data by both public and private sector actors. Because of the new demand and new users, the SME was also pushed to collect additional data attributes to enrich the value of its data for potential users.

The SME model may be particularly useful to think about in the smart cities context. Smart cities also involve both public and private sector actors, they may involve the collection of large volumes of human behavioural data, and this gives rise to a strong public interest in appropriate data governance. Another commonality is that in both the smart metering and smart cities contexts individuals have little choice but to have their data collected. The underlying assumption is that the reuse and repurposing of this data across different contexts serves the public interest in a number of different ways. However, ‘public interest’ is a slippery fish and is capable of multiple interpretations. With a greatly diminished role for consent, individuals and communities require frameworks that can assist not just in achieving the identified public interests – but in helping them to identify and set them. At the same time protecting individual and community privacy, and ensuring that data is not used in ways that are harmful or exploitative.

Overall, our study gave us much to think about, and its conclusion develops a series of ‘lessons’ for data governance for data sharing. A few things are worthy of particular note in relation to Sidewalk Labs’ proposed Urban Data Trust. First, designing appropriate governance for smart metering data was a significant undertaking that took a considerable amount of time, particularly as demands for data evolved. This was the case even though the SME was dealing only with one type of data (smart metering data), and that it was not responsible for overseeing new requests to collect new types of data. This is a sobering reminder that designing good data governance – particularly in complex contexts – may take considerable time and resources. The proposed UDT is very complex. It will deal with many different types of data, data collectors, and data users. It is also meant to approve and set terms and conditions for new collection and uses. The feasibility of creating robust governance for such a complex context is therefore an issue – especially within relatively short timelines for the project. Defining the public interest – which both the SME and the UDT are meant to serve – is also a challenge. In the case of the SME, the democratically elected provincial government determines the public interest at a policy level, and it is implemented through the SME. Even so, there are legitimate concerns about representation and about how the public interest is defined. With the UDT, it is not clear who determines the public interest or how. There will be questions about who oversees appointments to the UDT, and how different stakeholders and their interests are weighted in its composition and in its decision-making.

Our full paper can be found in open access format on the website of the Centre for International Governance Innovation (CIGI): here.

 

In June 2019, the Standing Senate Committee on Banking, Trade and Commerce (BANC) released its report on open banking following hearings it held in the spring of 2019. The federal government, which has been conducting its own consultation into open banking, has yet to issue a report.

For those who have not been following discussions around this issue, ‘open banking’ refers to a framework that enables consumers to share their personal financial data with financial services providers in a secure manner. The anticipated benefits of open banking include providing consumers of financial services (both individuals and small businesses) with more and better financial planning and payment options, and stimulating innovation in the fintech sector. Open banking is no small undertaking. To work, it will require major financial institutions to adopt standardized formats for data. It will also require the adoption of appropriate security measures. A regulator will have to create a list of approved open banking fintech providers. There will also need to be oversight from competition and privacy commissioners. For consumer privacy to be adequately protected there will have to be an overhaul of Canada’s Personal Information Protection and Electronic Documents Act.

The BANC committee report reviews the testimony it heard and makes a number of recommendations. It begins by noting that approximately 4 million Canadians already make use of fintech apps to obtain financial services not otherwise available. These apps require users to provide their banking usernames and passwords in order to enable them to repeatedly access and screen-scrape financial data. It is a risky practice and one that may violate the terms of service for those customer accounts, leaving consumers vulnerable and unprotected. The Senate report notes that the legal and regulatory changes needed to implement open banking in Canada – as well as the necessary work on standards and interoperability – will take time. As a result, the first part of the report makes a number of recommendations to address, in the short term, the protection of Canadians who engage in screen-scraping.

The BANC committee notes that other countries – including Australia and the UK – are already further ahead than Canada in launching open banking initiatives. It expresses concern that Canada may be falling behind what is an international shift towards open banking, noting that “without swift action, Canada may become an importer financial technology rather than an exporter” (at pr. 14). The report makes a number of recommendations to facilitate the adoption of open banking in Canada, urging a “principles-based, industry-led open banking framework that would be integrated with existing financial sector and privacy legislation” (Recommendation III). The recommendations include work on developing standards, creating a registry of accredited providers of fintech services, legislating limits on the use of standardized and interoperable consumer financial data, creating a framework in which provincially regulated credit unions and caisses populaires can participate, improving broadband access for rural and remote communities, reforming PIPEDA, and creating appropriate regulatory oversight and enforcement mechanisms.

The BANC committee correctly links open banking to a broader data portability right. This portability right, which is present in the EU’s General Data Protection Regulation (GDPR), is one of the 10 principles articulated in the federal government’s new Digital Charter. The federal government’s recent discussion paper on PIPEDA reform also references data portability. Data portability is a mechanism by which individuals are given much greater control over their data – allowing them to ‘port’ their data from one provider to another. It also has potential to encourage competition and to stimulate innovation in the tech sector. However, for the BANC committee, consumer control is at the heart of open banking. The Committee clearly sees open banking as something that should benefit consumers. They characterize it as giving consumers more control over their personal financial information, and something that can provide them with a “more personalized, convenient digital banking experience” (at p. 37).

Indeed, the BANC committee report as a whole places consumer interests at the centre of the move towards open banking. As noted earlier, its first recommendations are oriented towards taking action to protect consumers who are engaging in screen-scraping to obtain the fintech services they want. It is also sharply critical of the federal government for not appointing a consumer advocate to its Advisory Committee on Open Banking, even though the Department of Finance indicates that it has consulted widely to obtain consumer and civil society input. The BANC committee expressed concern that not enough is known about the potential impacts on consumers of open banking, and recommends that more research be carried out as soon as possible on these issues, funded by the federal government.

 

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
Page 7 of 37

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law