Thank you, Mr. Chair.
I want to thank the members of the committee for having me here today.
My name is Philippe Letarte and I am head of policy and public affairs at Flinks Technology Inc.
Flinks is a technology company founded in Montreal whose mission is to enable consumers to control their finances and to create a customer-centred banking environment. That banking environment, which is also called an open banking system, is based on consumers' ability to control and direct the use of their financial data so they are able to receive the best financial services and products available to them.
To facilitate the discussion period and avoid any potential confusion relating to the technical terms, I am going to continue the rest of my address in English.
Flinks is pleased to see that the notion of control, or “consent” in the context of privacy legislation, is apparent throughout the CPPA, which, once enacted, will clearly constitute the cornerstone of all activities organizations engage in that involve the processing of personal information. This is a much-needed overhaul of the CPPA’s predecessor. It will introduce a more consumer-protectionist approach to processing activities, while also moving Canada’s privacy regime closer to what has been established across other OECD countries. Flinks is pleased to see that consent will now form the basis for all personal information processing activities.
As previously mentioned, one of Flinks' raisons d'être is to give consumers control over their personal and financial information, and more specifically to direct how such information is used and by whom. Inherently, this involves many participants in the ecosystem in which Flinks currently operates.
We do, however, remain concerned about the following wording set forth in proposed section 72 of the CPPA: “if both organizations are subject to a data mobility framework.” This proposed language raises questions related to how an organization takes part in this framework, whether there will be multiple frameworks for different types of organizations, what limits are in place if a given organization is not part of said framework, and what the requirements will be to remain compliant with such a framework.
This language is also incompatible with the proposed language in last week's fall economic statement and the policy statement on consumer-driven banking, which states that the federal “government will mandate participation for federally-regulated” entities.
It is now an indisputable fact that jurisdictions with successful open banking regimes have not only forced the participation of an overwhelming majority of their financial institutions and third parties in the framework but have also, because of strong and clear regulations, given confidence to consumers that adequate protections were put in place.
With the current wording, there’s a risk of inadequacy in CPPA and upcoming future consumer-driven banking regulations, in terms of which entities and datasets are covered by which framework, leaving Canadian consumers confused, and depriving them of the benefits of customer-driven finance. We therefore recommend changing the wording of proposed section 72 to make the participation in the data portability framework mandatory for organizations in the financial sector—not “if”, but “when”—and to avoid any potential loopholes or flaws among different regulations dealing with data portability rights.
We also have concerns about the concept of the “legitimate interest” exception to consent in proposed subsection 18(3) and proposed subsection 18(4) of the CPPA. The inclusion of this exception appears to lend itself to abuse in the absence of any further guidance or clarification, as no definitions are provided for “legitimate interest” or “adverse effect”. This creates the possibility of a scenario in which organizations are left to conduct their own assessment as to what the weights of a legitimate interest and adverse effect are, without any further information to rely upon in doing so. This is problematic, as an organization may, for example, seek to use the “legitimate interest” exception as a way of curtailing any limits the CPPA places on consent or on secondary uses of personal information. This type of interpretation or application of a legitimate interest by a participant in an open banking environment would completely erode any trust in open banking in Canada.
In light of this, please allow us to respectfully recommend clarifying this provision by establishing clearer definitions or providing assessment criteria for what a “legitimate interest” and an “adverse effect” are. In the same vein, we respectfully ask the committee to also clarify the types of scenarios or criteria for determining what is “clearly in the interests” of an individual, as mentioned in proposed subsection 29(1) of the CPPA.
In conclusion, I would like to reiterate the urgent need for Canadians to benefit from a true customer-driven banking system. Since the advent of the digital economy, not a great number of public policies have proven to be as beneficial as open banking. It helps drive competition and innovation in a very concentrated and archaic sector. It empowers consumers to make better-informed financial decisions while giving them control over their own data. It enhances the financial inclusion of the most vulnerable. It reduces drastically the cost of operation for small business owners and it stimulates entrepreneurship and foreign investment, and so on.
The measures proposed in the fall economic statement, doubled with the provisions and protections established by the CPPA, represent a unique opportunity to provide Canadians with financial freedom and adequate privacy protections while bridging the competition gap with trading partners and other modern economies.
I am happy to answer any questions the committee may have to the best of my capabilities.
I will answer equally well in French and English.