Thank you very much, Mr. Chair, and good afternoon.
My name is Linda Routledge, and I'm the director of consumer affairs with the Canadian Bankers Association. With me today is Charles Docherty, our senior counsel. We are pleased to be here today to discuss the Personal Information Protection and Electronic Documents Act.
The CBA works on behalf of 62 domestic banks, foreign bank subsidiaries, and foreign bank branches operating in Canada and their 280,000 employees. The privacy and protection of clients' personal information is and always has been a cornerstone of banking. Given the nature of the services that banks provide to millions of Canadians, banks are trusted custodians of significant amounts of personal information. Banks take very seriously their responsibility to protect customers' information. They are committed to meeting not only the requirements of privacy laws but also the expectations of their customers. A former assistant privacy commissioner once acknowledged that privacy is in the banks' DNA.
The banks were among the first group of organizations subject to PIPEDA in 2001. We believe that PIPEDA has worked well to date to balance the protection of individuals' personal information with the legitimate use of personal information by organizations. PIPEDA is principles-based and technologically neutral, providing the necessary framework for innovation as well as new technologies and business models. It's generally well positioned to continue that mandate going forward. The banks would, however, like to suggest a few changes that we believe might enhance and clarify PIPEDA to make it more effective. These suggestions are related to three broad subject areas—meaningful consent, financial crimes, and access rights.
On meaningful consent, banks collect the personal information that is necessary to provide clients with the products and services they want. This information is collected according to the requirements of PIPEDA, and banks take steps to ensure that their clients understand the nature of the consent being provided. All banks have privacy policies in place and privacy officers who oversee compliance with these policies. Banks have a strong incentive to enhance their customers' ability to provide meaningful consent, because building their customers' trust is and always has been a top priority.
The committee heard from several other witnesses who questioned whether the consent that individuals provide is meaningful, given the complexity of terms and conditions when signing up for any product or service. We suggest that one way to address this concern may be to streamline privacy notices so that consent is not required for uses that the individual would expect and consider reasonable. In particular, we support the concept that express consent should not be required for legitimate business purposes. Some examples of such purposes might include the purposes for which personal information was collected, fulfilling a service, understanding or delivering products or services to customers to meet their needs, and customer service training.
Removing the requirement for express consent for legitimate business purposes would simplify privacy notices, thereby facilitating a more informed consent process where consumers can focus on the information that is most important to them and on which they can take action.
Second, the banking industry suggests that the current narrow definition of publicly available information is out of date. The current regulations reference the dominant technologies of the early 2000s, when the regulations were promulgated. We suggest that the committee should look at updating the definition with a view to modernizing it.
With regard to financial crimes, protecting the security and safety of its employees, customers, and the Canadian financial system is a priority for Canada's banks. Banks are constantly upgrading their security systems and work hard to prevent billions of dollars of financial crime each year. Banks work closely with law enforcement agencies and authorities across the country to help them with their investigations and the prosecution of suspected criminals.
Currently provisions in PIPEDA allow the sharing of information between organizations only where it is reasonable for the purposes of detecting, suppressing, or preventing fraud. This does not include other types of criminal activity such as theft of data or personal information, money laundering, terrorist financing, cybercrime, and even bank robbing.
To enhance the banking industry's ability to prevent this broader criminal activity, we recommend that the provisions in PIPEDA relating to disclosures without consent should use the term “financial crime” instead of “fraud” to capture the broader range of criminal activities that Canada's financial institutions deal with on a daily basis.
Further, we suggest that financial crime be defined to include first, fraud; second, criminal activity and any predicate offence related to money laundering and the financing of terrorism; third, other criminal offences committed against financial institutions, their customers, and their employees; and fourth, contravention of laws of foreign jurisdictions including those relating to money laundering and terrorist financing.
Financial crime negatively affects banks, consumers, and the economic integrity of the financial system. Banks understand the important role they have to play and have highly sophisticated security systems and teams of experts in place to protect Canadians from financial crime. We believe this amendment to PIPEDA would give banks greater ability to perform their role in this important endeavour.
Finally, on access rights, there are times when organizations create documents containing personal information related to anticipated litigation. Consistent with guidance issued by the Privacy Commissioner and provisions in the privacy laws of both Alberta and Quebec, this information should not have to be provided in response to an access request. We would ask that PIPEDA be amended to provide a specific exemption for these types of documents based on litigation privilege.
In conclusion, PIPEDA has served Canadians well over the last 17 years, encouraging organizations to protect the personal information they have about individuals and also encouraging individuals to be more aware of their rights and responsibilities to protect their own personal information. Nevertheless, as with any legislation operating in an environment that is continually evolving, there are some areas where slight adjustments and improvements would be desirable.
We hope that our commentary assists the committee with its review of the act.
We look forward to your questions.
Thank you very much.