Industry Committee on May 6th, 2024

That's right. The overall structure of the consumer privacy protection act makes significant improvements to the existing Personal Information Protection and Electronic Documents Act in the treatment of both personal information generally and sensitive information. Some of what would be wrapped up in requiring express consent at this point will be further contemplated. For instance, what are the obligations for the general protection of personal information? What sorts of privacy programs do you need in place to ensure that you've done things like having effective controls? Have you left yourself vulnerable to cyber-risks or other aspects, for instance? Those are the sorts of things that will get covered in a privacy program.

There will also be further considerations about what it takes, and when you are allowed, to make a disclosure. When am I allowed to move financial data, for instance, from one payment process to another, and what are the guardrails around that?

There will be, as contemplated in the act, a very high standard set for the treatment of personal information writ large, including in a number of the instances that would get wrapped up in what it currently contemplates and tries to do through sensitive information. By making it sensitive, we are requiring its express consent, therefore taking away the flexibility of the context-specific reading that the Privacy Commissioner has asked for. It also suggests that all of the other things that will come later that protect that information won't be doing anything, when in fact they very much will.

I don't know if my colleagues want to weigh in.

I'll turn to the team. They can point to some sections that deal with the treatment of personal information and the important guardrails around it.

As I mentioned earlier, there are 17 instances where sensitive information is specifically mentioned, including in proposed subsection 15(5), which talks about the form of consent. It appears under “Retention and Disposal of Personal Information”, in proposed subsection 53(2). It also appears under “Security Safeguards”, in proposed subsection 57(1), and again in proposed paragraph 58(8)(a).

It's really throughout the entire act. If we're looking for areas of the act that speak to the responsibilities and accountabilities of data holders, it is quite well spread out.

My colleague might have a few other references for you.

We have to remember that when we talk about personal information writ large, it's not just about sensitive information. All the obligations, whether about security safeguards or about retention and disposal, as my colleague said, are applied to all personal information. It's the degree that changes.

With respect to any personal information, there is obviously the appropriate purpose. You can't collect, use or disclose any personal information unless you have an appropriate purpose for doing so, and that's an obligation that applies to all personal information, not just sensitive personal information. You can't use information just because you want to. That's an obligation that applies in all contexts.

I'll start. Then my colleagues will likely want to weigh in.

As noted, because financial data will now be deemed sensitive information, consumer-directed financing, as it's understood, will rely on the data portability obligations that are found within later sections of the CPPA, which would have a direct one-service provider for consumers to provide their information to another service provider. However, that doesn't obviate or shift away the realities of the financial services sector that then would follow.

That new fintech player is probably more reliant than others on third party processors or other aspects, because they've made their niche in one aspect of financial innovation, which is potentially providing services, but that doesn't mean they're going to have the whole back end that would normally be accompanied by a larger financial services provider. Every single one of those disclosures will require the express consent of their client, which means that when they want to provide a seamless financial services environment for their client, they will be going back to their client on numerous occasions to reseek their consent for the continued disclosure of financial information.

I don't know if Samir and Runa want to weigh in.

I'll add to that.

Having had the opportunity to speak to some of the experts in the open banking or consumer-driven banking space in recent days, I'm comfortable sharing that when considering specific issues related to consent, authorization and authentication—which are each different steps in the value chain that all need to be appropriately managed for different purposes within the consumer-driven banking system—insisting that all financial data become sensitive information changes the calibration of the work that's under way there. I think it would be entirely reasonable to say that it's likely to slow down the advancement of the work that's currently being contemplated. There's an important distinction to be made between express consent when sensitive or personal information is being managed and elements that, while still being designated as personal information, may not attract a level of sensitivity given the context of the use or disclosure that's being made to enable open banking, which in some cases is about transferring information to enable services to be provided.

The point here is that's it's a bit like an iceberg. We need to understand that express consent is visible and available to all of us as consumers in the system, but there's a lot of work that needs to go on in the plumbing, if you will, to share data that wouldn't be sensitive given the context, in order to enable the provision of services that we see at the consumer level.

I think there's a lot of financial data that many of us would be uncomfortable seeing shared outside of those we know, but context does matter. I could ask you if you're you okay with me knowing how much you have left on your mortgage or how much your monthly mortgage payment is. You would probably not want a wide body of people to know that. However, let's say I told you that when paying your mortgage, when you send the transfer—either automatically or, if you have to do it manually, through your electronic banking app—it was going to pass through six different processors to ultimately move from the part of the bank that has your savings account to the part of the bank that holds your mortgage, assuming that's even in the same financial institution. If I told you that it was going to pass through six or eight hands and asked, as it's probably pretty sensitive, “Do you want to make sure that you know about every single one of them?”.... I think if people knew that those disclosures were managed by a privacy program where there needed to be a clear rationale for why that information was being shared, and knew that the original collector was still ultimately accountable for its treatment and the privacy obligations throughout the entirety of the value chain, many people would say they're comfortable, they don't want say yes eight times and they want that information just to flow.

I think that's what makes it so tricky to say that in all instances this information is always sensitive, because in many cases it's not sensitive within a given context.

I think that's fair.

The business processes that I understand are currently in operation in the financial services sector have multiple players within them requiring multiple disclosures per transaction, and if each one of those disclosures is subject to express consent, that would be a very different financial services experience than what we have currently.

Mr. Perkins, I would note that Bill C-11 was contemplated by a previous Privacy Commissioner.

Yes, I am.