Industry Committee on May 6th, 2024

As it relates to financial data, I'll start, and then I'll turn to my colleagues to talk a bit about the treatment of financial data and information under the GDPR, because I know that was raised as a contrasting issue.

It's important to note that our system is somewhat unique in the sense that once a piece of personal information is deemed to be sensitive, it requires express consent, and it's not just express consent for it's collection; it's express consent for its collection, use and disclosure. That means express consent is required for its initial gathering from an individual and for its ongoing use. Then, when it needs to be disclosed to a party who is not the party who collected it, including in the process of business practices, express consent is required again.

Financial data and information is an extremely wide category. It includes transaction data. It includes information related to whether or not you hold more than one mortgage. It relates to a whole host of information that is, essentially, personal information that ties you to any type of financial transaction, of which there are many.

This would require express consent for every single collection, use and disclosure of that information. As an example, if I have an ongoing payment history with my bank and they need to use a third party processor, as many do for the purpose of continuing to use the transaction data, that would require express consent for every single one of the disclosures along the chain. It's not just when I first sign up for my bank account or even make the transaction; it is going to be required at every single step of the way. It is quite a broad category.

I think it's important to note the distinction between this express consent obligation and the varieties of ways in which processing and data information processing are allowed under the GDPR. For that, I'll turn to my colleagues, who can further enunciate why it hasn't gummed up the EU system. In part, it's because it's not understood in the same ways.

I'll turn it over to my colleagues.

I'll take the question on the GDPR.

The GDPR refers not to sensitive information, but to special categories of personal data. Those special categories, in article 9 of the GDPR, refer to:

...racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation....

Those are the categories in the GDPR. As Mr. Schaan said, financial data is not on the list of sensitive information for the GDPR.

To go back to first principles, it's important to note PIPEDA. One thing that will transfer over to the proposed consumer privacy protection act is an accountability principle such that collectors, users and disclosers of data will be accountable throughout the entirety of the life course of the personal information they've collected for its ongoing use and will be subject to the rules of PIPEDA as a function of those continued disclosures. It's one of the ways in which we ensure that in a data value chain, there is accountability throughout.

It's important to note that there is already quite a degree of responsibility placed on those who use, collect and disclose personal information. What “sensitive” will do, as I noted, is require express consent, notwithstanding the accountability principle. Across the value chain, there are a huge number of data transfers and disclosures that happen between entities that are not necessarily the same entity that did the first collection.

We've talked about banking, but even with retailers or others, there are often a significant number people. Your bank is using a third party like Interac, for instance, and then needs to transfer that information back to the host financial institution. If you used a credit card, for instance, a third party payment processor is often also involved before the information gets to your bank for the purposes of payment, and then it needs to be disclosed again to the original retailer for the purposes of clearing.

By buying an apple at the grocery store, you might see six or seven disclosures of personal information related to financial information, each of which would require the express consent of an individual for the payment and clearing of that one transaction. It becomes quite a lot when one imagines the broad category of financial data and the fact that we're now going to require express consent for every single step along the value chain, as opposed to relying on the accountability provisions of both the CPPA and PIPEDA and the rules associated with the use of personal information more generally.

I'll turn to my colleagues, but I'll just say that all of the provisions of the act that relate to personal information and its usage are overseen by the Privacy Commissioner, subject to complaints and potentially subject to remedies.

I will turn to my colleagues just to be more specific about the powers that the Privacy Commissioner has over the use of personal information, not just sensitive information.

As Mr. Schaan just said, the Privacy Commissioner has oversight over all collection, disclosure and use of personal information, which would include sensitive information. It would obviously include financial data as well.

The commissioner does a contextual analysis. Information that's not sensitive in one context may be sensitive in another context. Information together may become sensitive where individual categories are not sensitive. That's how the Privacy Commissioner looks at personal information. He determines whether it's sensitive or not and requires obligations that are commensurate with the sensitivity of the information.

The office absolutely looks at financial information. There are many cases where they have said that financial information is sensitive, and there are cases where they've said in another context that it's not sensitive.

That's correct.

I'm happy to start and then turn to my colleagues.

Essentially, you're right. There are some considerations that should be brought to bear on some of the pieces of paragraphs (f), (g) and (h).

As we spoke about at the last meeting, it's specifically been noted by the Privacy Commissioner that in two provinces, driver's licence information is not actually deemed to be personal information. It's important to segregate the driver's licence—because that's not what this amendment says—from the driver's licence number, which is what is specified. There's lots of personal information on our driver's licence, for sure, but what's being requested to be considered sensitive is the driver's licence number, which in two provinces has already been deemed by the Privacy Commissioner to not be personal information. Therefore, giving it the status of sensitive information not only heightens that, but actually requires express consent.

We've already been over financial data, but passwords often also have context that potentially should be considered.

With that, I will turn to my colleagues to further elucidate some of the issues in the back end of the list.

As Mr. Schaan pointed out, the context dependency for any analysis of sensitivity of any information is critical. It's a cornerstone of the OPC's submission to this committee that we start with a context analysis of collection, use or disclosure of any information. That's really important because, while there may be some scenarios where it is somewhat rare for a category to be considered sensitive or not sensitive, the contextual piece is what gives the commissioner the ability to ensure that privacy is being protected at the highest level.

With regard to the EU's GDPR, as Mr. Schaan already pointed out, financial data is not included in Quebec's Law 25, nor is it included in the EU or U.K. GDPR. Similarly, the aspect of passwords is not included in any other jurisdictions—save for California, where it's referenced in a very specific manner, which is that your login information for a sensitive use case would be considered sensitive information because it's what the password and the user credentials give access to. That's the nature of the sensitivity there.

Including passwords overall, of course, as we explained the last time we spoke at committee, is simply because it introduces a degree of non-neutrality in dealing with technologies that could also be problematic in some cases.

As Mr. Schaan already pointed out, a driver's licence has been specifically ruled not to be personal information by the OPC in two provinces, so adding the designation of sensitive personal information to something that the OPC himself has said is not personal information at all would be somewhat of a conflict.

I'll perhaps add a technical point.

The amendment also refers to social security information as being sensitive. Social security is not recognized in the Canadian system. It might be social insurance numbers, for example, that have been recognized by the OPC on many occasions as sensitive, but social security is not really a concept that exists in Canadian law.