Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce

Issue No. 41 - Evidence - May 22, 2018


OTTAWA, Tuesday, May 22, 2018

The Standing Senate Committee on Banking, Trade and Commerce met this day at 2:29 p.m. to study the subject matter of those elements contained in Divisions 2, 4, 5, 6, 7, 12, 16 and 19 of Part 6 of Bill C-74, An Act to implement certain provisions of the budget tabled in Parliament on February 27, 2018 and other measures.

[English]

Lynn Gordon, Clerk of the Committee: Honourable senators, as clerk of your committee, it is my duty to inform you of the unavoidable absence of the chair and deputy chair and to preside over the election of an acting chair.

[Translation]

I am ready to receive a motion to that effect. Are there any nominations?

[English]

Senator Marwah: I would like to nominate Senator Wetston.

Ms. Gordon: Are there any other nominations?

It is moved by the Honourable Senator Marwah that the Honourable Senator Wetston do take the chair of this committee.

Is it your pleasure, honourable senators, to adopt the motion?

Hon. Senators: Agreed.

Senator Howard Wetston (Acting Chair) in the chair.

The Acting Chair: Good afternoon and welcome, colleagues and members of the general public, who are following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce either here in the room or listening via the web. I am Howard Wetston, senator from Toronto, Ontario. Our first order of business would be for those senators here to kindly introduce themselves.

[Translation]

Senator Ringuette: Senator Pierrette Ringuette from New Brunswick.

[English]

Senator Marwah: Sabi Marwah from Ontario.

Senator Unger: Betty Unger from Alberta.

[Translation]

Senator Dagenais: Jean-Guy Dagenais from Quebec.

[English]

The Acting Chair: Thank you very much.

Today we are continuing our subject matter examination of various divisions of Part 6 of Bill C-74, the budget implementation bill, 2018, No. 1, with a focus on Division 16, amendments to certain acts governing federal financial institutions and related acts, and subdivision A regarding financial technology activities.

I am pleased to welcome the Privacy Commissioner of Canada, Daniel Therrien, accompanied by Barbara Bucknell, Director, Policy, Research and Parliamentary Affairs.

Commissioner, please begin with your opening statement, after which we will go to a question and answer session.

[Translation]

Daniel Therrien, Privacy Commissioner, Office of the Privacy Commissioner of Canada: Thank you, Mr. Chair. Good afternoon, honourable senators. Thank you for the opportunity to express my views in relation to Division 16 of Bill C-74, An Act to implement certain provisions of the budget tabled in Parliament on February 27, 2018 and other measures.

The amendments proposed in Division 16 of Bill C-74 remove impediments in the law in order to facilitate business relationships and engagement between federally regulated financial institutions and financial technology organizations, or fintechs. Currently, as I understand it, financial institutions can only deal with organizations that are engaged in primarily financial activities.

Any company that commercializes emerging financial technologies may be considered a FinTech. Fintechs may not be regulated in the financial sector, but Canada’s Personal Information Protection and Electronics Document Act, or PIPEDA, applies to all organizations that collect, use and disclose personal information in the course of a commercial activity. This includes fintechs and financial institutions.

It is our understanding that the intended effect of these amendments is to offer new flexibilities for the financial sector and its customers to take advantage of emerging technologies. However, it also broadens the types of organizations that may receive personal information from financial institutions, which raises privacy issues.

While advancements in new technologies and innovation are indeed desirable and could provide many benefits to Canadians, these objectives must be balanced with robust privacy protections. Innovation and privacy should be pursued concurrently. Whether Bill C-74 achieves this will depend largely on how PIPEDA is applied by organizations, and perhaps in part on the content, yet unknown, of regulations that the government has announced.

I have not been consulted by the government on the details of these amendments and the regulations in particular, so it is difficult for me to say whether the right balance has been reached. At this point, with the information I have, I would say the government’s efforts have been directed towards research and innovation without ensuring that privacy is adequately considered. It appears to me therefore that the government has not used the privacy by design approach.

[English]

Canadians are concerned about how their personal information is handled. Consent is central to personal autonomy and is at the heart of PIPEDA. Financial institutions and fintechs are required by PIPEDA to obtain valid and meaningful consent from their customers in order to collect, use or disclose personal information.

Under the law, consent is only valid when an individual understands the nature, purpose and consequences of their consent.

PIPEDA allows for different forms of consent, namely, express or implied. Where personal information is considered sensitive, express consent is required. Financial information has been held by the Supreme Court of Canada to generally be extremely sensitive. Therefore, we would expect that financial institutions and fintechs generally obtain express consent from their customers.

There has been a great deal of discussion about challenges to the consent model as a form of privacy protection. Privacy policies of organizations and the contracts they present to consumers for signatures are notoriously long, complex and extremely difficult to understand. Over the past several years, my office has set out to identify improvements to the current consent model. As a result of this work, we are in the process of finalizing our guidelines for consent, which will be released imminently and take effect January 2019. These guidelines will set out practical and actionable guidance regarding what organizations should do to ensure they obtain meaningful consent. For example, organizations must put additional emphasis on the following key elements: First, identify what information is being or may be collected about individuals; second, clearly explain any disclosure of personal information to third parties, including the types of information being shared, and be as specific as possible in naming these third parties — for financial institutions, third parties would include fintechs; third, make individuals aware of the purposes for collection, use or disclosure in meaningful language and, in particular, highlighting any purposes that would not be obvious to the individual and/or reasonably expected, based on the context, such as big data analytics, profiling or any activities unrelated to the financial service the customer seeks; and, fourth, make individuals aware of meaningful risks of significant harm or other consequences.

Here I come to the heart of the matter. If the financial sector obtains express consent, informed as recommended in our guidelines, a reasonable level of privacy protection will be achieved, in my view. However, I have reason to believe financial institutions and fintechs may wish to proceed otherwise and under the current law, I do not have the authority to require organizations to apply what I would argue are reasonable measures. It will take several years for concerned consumers to have their rights upheld by the courts.

I am therefore concerned about the changes in this bill. The most direct way to rebalance this legislation in my view would be to confer to my office the authority to order the financial sector to obtain explicit and truly informed consent.

In conclusion, effective privacy protection is central to consumers’ confidence and trust in emerging technologies. Any personal information transfers that would be facilitated as a result of the amendments in Bill C-74 need to be considered with all privacy obligations in mind, with the way in which organizations will apply them, and with any rules in upcoming regulations that may impact on privacy.

For the moment, I do not have reasonable assurance the right balance has been reached or that privacy-by-design principles have been considered in the development of this legislation.

Thank you, Mr. Chair. I look forward to your questions.

The Acting Chair: Thank you, commissioner.

Any comment, Ms. Bucknell, or will you potentially participate in questions?

Barbara Bucknell, Director, Policy, Research and Parliamentary Affairs, Office of the Privacy Commissioner of Canada: Yes.

Senator Marwah: Thank you for your comments. I’m glad that you are updating your guideline for consent but they still remain guidelines, right? Are the institutions bound by that?

Mr. Therrien: They are not law.

Senator Marwah: Will issuing guidelines for them apply to all organizations? You are suggesting that fintechs and, particularly, banks give you the power to do this. What about insurers, retailers, grocers and The Bay? Every company is now providing data — not just fintechs but into other technology companies. Innovation is fundamentally based on data and everyone is providing more data to get more knowledge and insights. You are just picking out one little sector here. What about all the other sectors that are doing essentially the same thing?

Mr. Therrien: Maybe I was not clear in the language used. I was focusing on this particular sector because that is the core of the provisions in question. My recommendation is I should be given the authority to make orders against all organizations subject to PIPEDA, including financial institutions and fintech organizations, but also other organizations.

I was focusing on financial institutions and fintechs in my statement because I think this is the core of Bill C-74. However, my recommendation is not limited to these two types of institutions.

Senator Marwah: How do you already manage the other organizations? Let us take the retailers already doing it. Are they bound by PIPEDA today?

Mr. Therrien: Yes.

Senator Marwah: They are. You’re saying that should also come under this and you be given authority to handle everything?

Mr. Therrien: Yes.

Senator Marwah: Interesting. Okay. Thank you.

Senator Ringuette: Thank you for being here, Mr. Therrien, and for the members of this committee to have agreed to receive you as a witness.

A few weeks ago, when officials from the department were in front of us, I had to ask three times if they consulted you with respect to the customer consumer privacy protection. At the end of the day, it was easy to see they had not met with you.

I look at your recommendation — this was probably after you were asked to appear in front of us to comment on the specifics. Essentially you are saying you were not consulted. You have concerns that you would like to see addressed with respect to order-making mechanisms from your part in regard to consent with the financial institutions and the fintechs.

Mr. Therrien: And other organizations, as clarified by Senator Marwah.

Senator Ringuette: I want all of us to be certain: When the officials of the department were in front of us, they said that the privacy concerns within the Bank Act — our privacy concerns or my privacy concerns within the Bank Act — were great enough to allow this section of the budget bill without any concern for us. However, that is not what you are saying.

Mr. Therrien: Let me try to explain my position perhaps more fully and succinctly.

I think Department of Finance officials are of the view that PIPEDA, the act I administer, which does not apply only to the financial institutions, has certain privacy protections and, in their view, perhaps sufficient privacy protections.

Where I am coming from is this: Bill C-74 offers greater flexibility to financial institutions, given the evolution of technology, to interact with fintechs, which are not regulated under the financial sector, all with a view to improving their business and, ultimately, I assume, offer better services to their clients. I am not at all against innovation.

Senator Ringuette: No one is.

Mr. Therrien: The point is, however, this bill only facilitates greater innovation without fully considering the impact on privacy. I submit that a balanced piece of legislation would, of course, give greater flexibility to industry to take advantage of new technologies, but in a way that protects privacy. In my view, that leads to the guidelines we will issue imminently, which, if applied, should provide a reasonable level of protection.

However, as Senator Marwah has indicated, they are only guidelines; they are not laws. There is no assurance these guidelines will be followed. Hence, if we want to ensure not only that the law is theoretically applicable but it actually provides meaningful protection to consumers, I need to have the authority to compel companies to apply privacy protections.

Senator Ringuette: Let me read to you clause 310(5)(c). It provides regulation-making authorities to prescribe the circumstances in which companies may engage in activities that relate to financial services and information processing and technology activities, including the circumstances in which companies “may collect, manipulate and transmit” the information referred to.

It is financial services, but it goes further than that. It also says, “information processing and information technology activities.”

This is a full new slate of banking activity. It’s clear in the act they may “collect, manipulate and transmit” the information. Well, “information” is data and the data of financial institutions is their customers’ information.

Mr. Therrien: They are underlining the other difficulty with the structure of this bill as it relates to information sharing with fintechs — we don’t know the content of the regulations. In a good scenario, the regulations will enhance privacy protections. In a bad scenario, they will give further flexibility to share without privacy protection. We don’t know at this point what the regulations will say.

Senator Ringuette: What kind of specific amendments would you like to see to these sections?

Mr. Therrien: Privacy protection, according to this bill, might take the form of regulations that would truly enhance privacy, but that is an unknown. That is a possibility.

To backtrack, I am starting from the premise that innovation is good but needs to be balanced with privacy protection. What form should privacy protection take? It remains to be seen. It could be in the form of regulations, the content of which has not been yet announced. Regulations specific to this industry, financial institutions and fintechs, or it could be with a proper application of PIPEDA, the legislation of general application to all organizations, including the financial sector.

I have preference for the latter, frankly, because privacy is governed by PIPEDA for financial institutions as well as organizations in other sectors. That is the most direct way of addressing the issue.

Senator Ringuette: Within PIPEDA, the situation where a financial institution provides private information to a subsidiary insurance company — how can we stop that? How can we eliminate that kind of unfair competition using the transmission of data?

Mr. Therrien: From a privacy perspective, there might be issues around regulation of the financial sector and whether relationships between financial institutions and insurance companies should be regulated. That is not my domain, but I know there are these issues.

From a privacy perspective, I think proper regulation would ensure the consent given by the consumer, the client of the bank, is truly informed before that information is given to the subsidiary insurance company in your example. Here, the guidelines we are about to issue are relevant.

[Translation]

Senator Dagenais: Thank you for your presentation, Mr. Therrien, from which two things stand out. On page two, you say the government did not consult you on the details of these changes, which does not surprise me. I serve on a number of committees and I am realizing that the government does not always consult the key interested parties.

The other thing that stands out is on page three, where you say you are concerned that the bill does not adequately protect consumer privacy.

When dealing with a bank, consumers are required to share certain information with the institution, especially when opening a bank account. Consumers have to share certain personal information such as their name, address, and so on. Can you speak to this aspect and the risks for Canadians who provide personal information to banks, which can in turn do what they want with it? They can provide that information to insurance companies, of which they are in some cases shareholders. I am thinking of the insurance company, La Personnelle, CIBC, and the Desjardins Group. Is it more dangerous to disclose personal information to the banks, which can make it public, than to disclose such information on Facebook?

Mr. Therrien: As to the conditions under which banks should be able to disclose information to other commercial entities, I am completely neutral about that, as long as the client has given informed consent. There might be a personal benefit to an individual or consumer if their bank has dealings with other institutions, resulting in better service. In that case, if the consumer is informed of the benefits as well as the risks and makes an informed decision to enter into that kind of relationship with their bank, I have no problem with that.

Yet that consent must truly be informed. Sometimes commercial organizations — banks are no worse than others — obtain consent through documents that are extremely long and almost impossible to understand. I think that is a problem, which is why the guidelines we will be releasing seek to ensure that consumers have a better understanding of the relationship being offered and how the institution will use the information they disclose.

Senator Dagenais: You used the word “informed.” If I put myself in the shoes of a consumer who goes to a bank, I know bankers have a job to do, which is to find clients that will have a positive impact on their institution. When banks agree to open a bank account, they offer credit cards to attract you as a customer and to earn profits.

That said, if we were to make some quick amendments to this bill to reduce the negative impact on the privacy of Canadians, would you have any suggestions for us?

Mr. Therrien: The real issue that would significantly improve matters relates to the legal obligation of financial institutions to obtain generally explicit consent from consumers and to inform them, in a way similar to what we describe in our guidelines. This obligation would normally be part of PIPEDA, the general act pertaining to privacy in the private sector, but there could also be a specific regulation pursuant to Bill C-74 that would apply to the main institutions in question. You could make an amendment to include that protection in Bill C-74, either in PIPEDA or in the Bank Act.

Senator Dagenais: I would like to go back to my question. When you talk about informed consent, what do you mean by the consumer’s informed consent?

Mr. Therrien: That is a big question. The act that I apply, PIPEDA, does not define informed consent. It says that when a commercial organization obtains information from a consumer and wants to use it, it must obtain the consumer’s informed consent. This means, among other things — and this is clearly spelled out in the act — that the individual must understand the consequences of giving the commercial organizations permission to use their information.

This is at a very broad level. There are certain benefits of discussing principles at this broad level because PIPEDA applies to all commercial organizations and, as a result, must be drafted using fairly broad terms, broad principles that may be relevant regardless of the sector of activity. There are also disadvantages, however, because there is no legislative, legal or statutory definition of informed consent. That brings us to secondary instruments such as the guidelines that we are preparing to release, which do not have the force of law and which seek to more clearly define informed consent.

So my direct answer to your question is that you will have to read our guidelines because the act establishes very broad principles. As to a more specific definition of informed consent, you will find it in our guidelines.

Senator Dagenais: I hope a customer who is opening a bank account will not have to read all that.

Mr. Therrien: In the interest of practicality, what we are proposing in our guidelines, which I described briefly in my presentation and which, as I said, will be coming out very soon, is that the institution receiving the information — financial institutions, in this case — should focus on four things. Not 50 pages of information, but four key things.

There will probably be a long contract in any case, but the commercial institution must focus on four things: the information in question; how it will be used; who they will share it with; and the possible risk to the individual in disclosing it. For example, when a customer checks their information using an electronic device, if there was a pop-up window mentioning these four things, I think that would be a more practical and modern way of obtaining informed consent.

Senator Dagenais: Thank you very much, Mr. Therrien.

[English]

Senator Unger: Thank you for your presentation. I’m wondering about international privacy regulations. Are there any applicable in this context, or would it be necessary to write international privacy protection into the act?

Mr. Therrien: There is no international covenant or treaty that governs privacy at this point. It may be some time in coming, I would suggest. There may not be a consensus on what the privacy protection rules should be.

That being said, PIPEDA, the private sector federal law in Canada, is inspired by OECD guidelines adopted in the 1980s. These guidelines are the inspiration for a lot of domestic privacy protection laws across the world.

The closest we are, I believe, to any international rules would be these OECD compliance from the 1980s.

Senator Unger: That is incredible.

Mr. Therrien: There has been a lot of change, obviously, since 1980.

Senator Unger: Yes. I am also incredulous at the point you made that the government didn’t consult with you and that you only have guidelines. To me they should go hand in hand, but they don’t.

Mr. Therrien: That is my basic point. Again, I’m not against innovation, but it should go hand in hand with the protection of consumers, and in the case of the area of my interests, privacy protection. The two should be pursued at the same time. The main concern I have with this piece of legislation is, in my view, that it is one-sided. It only favours innovation and it forgets about privacy protection.

Senator Unger: Thank you very much.

Senator Marwah: I think you made the point that PIPEDA was done consistently across OECD, and benchmarked with OECD at the time it was put into effect. Since that time has any jurisdiction granted the equivalent of your office the type of legislative powers that you are now asking for?

Mr. Therrien: Absolutely.

Senator Marwah: Who are they in the OECD?

Mr. Therrien: The European Union would be the leading example. Later this week, there will be a new privacy protection law called the GDPR, the general —

Ms. Bucknell: General Data Protection Regulation.

Mr. Therrien: The GDPR will come into force this Friday, May 25, in the European Union. The data protection authorities, my equivalents in many countries in Europe, will not only have the authority to give orders, but they will have the authority to impose hefty financial sanctions — up to 4 per cent of the revenues or profits of the companies worldwide. That’s the leading example.

Even today, before the GDPR, many European data protection authorities have the authority to make orders against companies who do not comply with domestic law. In the U.S., the comparison to our immediate neighbour, there is no comprehensive data protection laws. My rough equivalent in the U.S., the federal trade commission, can investigate violations of the Federal Trade Commission Act, essentially the Competition Act in the U.S., and can reach settlements with companies where fines of millions of dollars are imposed. To use these two examples, the EU and the U.S., our most important trade partners, the recommendations I am making are already law. This makes certain commentators say that Canada’s laws are falling behind.

Senator Unger: The European Union and the U.S. equivalency of your office can impose fines or sanctions?

Mr. Therrien: In the case of the U.S. it is not quite fines. It has the effect of a fine. The federal trade commission investigates potential violations of the legislation they oversee. If there is a contravention they can enter into agreements with companies which often results in the imposition of penalties or sanctions which are hefty — in the millions of dollars.

Senator Unger: Thank you.

Senator Ringuette: This is a follow-up to the previous question in regard to what is happening in the European Union and the U.S. As I read the legislation before us, it’s not restrictive to financial services, fintechs, information processing and technology activities within Canada. I don’t think the intent was to restrict our banking sector from buying into innovation technology elsewhere. In regard to outside our borders, we have no means. The U.S. will take care of their U.S. citizens and their information, and so will the European Union. You have no jurisdiction in the U.S. to protect our information that might have been provided to a U.S. fintech, and they gave it to another one, and then to another one —

Mr. Therrien: That’s an interesting question. Of course, data travels across borders, including financial data.

I’ll start with PIPEDA. There is a principle in PIPEDA called the accountability principle, which clearly applies to Canadian financial institutions and fintechs among others. That requires an organization that obtains information, a Canadian bank, remains responsible for personal information that has been transferred to a third party for processing, let’s assume a company outside Canada. The organization, the Canadian bank, shall use contractual or other means to provide a comparable level of protection when information is processed by a third party, being the foreign company.

Canadian law, the accountability principle under PIPEDA, requires organizations that operate in Canada — in my example a Canadian bank — to have contractual arrangements in place with foreign entities to ensure the obligations the Canadian institution has in Canada continues to apply at a comparable level of protection even if the data leaves. That’s a level of protection that PIPEDA confers.

Another level of protection is if data moves from Canada to say the EU, or the U.S., what would be a contravention of Canadian law may also be a contravention of the other domestic law. I can cooperate with my equivalents in other countries under PIPEDA to do joint investigations. From that perspective, PIPEDA is not bad. I have the authority to join forces, as we have many times, with data protection authorities outside of Canada, so that a violation of Canadian laws, but also other domestic laws, is jointly addressed and there’s a sanction at the end of the day. From the perspective of investigations, I’m not concerned.

Senator Ringuette: When you were talking in my mind I was seeing a big bill board saying Equifax. Did you investigate and was there some fine of any sort? The information was provided by Canadian financial institutions. They were in front of us saying no, but it’s the only source, so —

Mr. Therrien: We are investigating currently.

Senator Ringuette: You’re still investigating.

Mr. Therrien: We are investigating. If we find there has been a violation of PIPEDA by Equifax Canada, the problem I have with the current legislation is that the result is in finding they have violated PIPEDA and a recommendation they change their ways, which they may or may not accept.

Senator Ringuette: You’re a toothless tiger.

Mr. Therrien: So to speak. In that case, there is also an investigation by my equivalents in the U.S., the Federal Trade Commission, who are investigating a similar breach by Equifax’s mother-house company, which will unfold and may lead to more concrete sanctions. At this point we are investigating, the FTC is investigating and no conclusions have been drawn.

Senator Ringuette: After this discussion, after your presentation and so forth, I have concerns and you seem to have many concerns with regard to the legislation in this bill. You seem to be well surrounded by a legal force.

Could you prepare for me an amendment that we could put in this section to make sure the privacy information has to receive consent from the consumer before it is collected and distributed?

Mr. Therrien: We can certainly undertake to do that.

Senator Ringuette: Thank you very much, sir.

The Acting Chair: Thank you, senator. I just have a quick question to follow up.

The GDPR has received a lot of attention in the last several months and its application obviously is broader than just privacy. It’s really related to data and data protection but it covers a lot of areas. As you know, the opportunities in Europe, in fintech in particular, are more advanced than they have been in Canada. Potentially, in that environment, I believe there was certainly a need in Europe to potentially create a regulation or a legal environment in which this data is being shared and considered.

In Canada, when you think about the fintech issues in Part 16, for example — and we’ve chatted about that — there are a number of fintechs operating in Canada today and they’re continuing to grow in different areas. Have you had an opportunity to examine the regulatory framework around, for example, robo advisers and other fintechs participating actively in the private sector? Have you given any thought to the privacy considerations associated with those entities? They are very active.

Also, what is the relationship you have, and have you been working with your provincial colleagues, with respect to these areas? Obviously, there are a lot of privacy issues provincially and not just federally.

Mr. Therrien, could you help me with those two questions please?

Mr. Therrien: I’ll start with the reference to the GDPR and the regulatory framework in Europe.

The regulatory framework in Europe includes the GDPR for fintechs. I understand there are also some regulations that deal with open banking, for instance, that we do not have in Canada. In terms of comparing the regulatory framework in Canada and Europe, Europe seems to understand that regulation of these activities — financial technological innovations — is not antithetical to the pursuit of these businesses.

I would argue it helps to implement these new technologies and have the trust of consumers through appropriate regulations, including the GDPR in Europe and the kinds of recommendations I’m making today. I think those would help consumers accept that it may be in their interest and that the state is protecting them from potential adverse consequences of these new activities, which do provide benefits.

I do not think we have looked at the question of robots in these fields.

The Acting Chair: It’s not a question of robots but of robo advisers, and they are regulated to some extent.

My point is this: In examining how they use data, how data is transmitted and the consent they get from investors, for example, it may be worthwhile to look at that environment because it’s very active today. I’m not saying whether it’s good or bad but it’s certainly very active. I’m sure many investors are benefiting from investing in these entities.

I take that to the next step which is these are regulated at the provincial level primarily and my question, then, comes with respect to your relationship with the activities associated with the provinces in this important area? I think this is becoming more important given the significance we place on data and its use not just for privacy concerns but from the point of view of commercial concerns.

Mr. Therrien: I would answer this way: We are certainly looking very closely at the issue of artificial intelligence that may be used by financial and other institutions in analyzing data as you describe. With limited resources, we want to engage with a number of companies and, potentially, sectors to ensure that artificial intelligence is used in a way that is protective of privacy.

I cannot commit to doing that for the financial sector because we cover the whole territory of all organizations. Artificial intelligence is certainly close to the centre of our radar. Whether we engage with financial institutions as opposed to other industry sectors will be a question of use of resources.

In terms of sharing views and intelligence on developments in the technological sector with provincial colleagues — say, securities regulators or whatnot — we certainly have a close relationship with Privacy Commissioners across Canada. I’ll say it would be desirable. We will look to have efficient, effective relationships with provincial regulators, perhaps through our provincial Privacy Commission colleagues, who have a more direct relationship with provincial regulators.

The Acting Chair: The reason I’m mentioning that — and I know you know this — is that a very significant part of financial service is regulated at the provincial level, not just the federal level. All the banks really occupy a number of important roles in our capital markets but a big part of the banks are regulated by regulatory commissions and not necessarily simply by OSFI and federal financial responsibilities, particularly the sides of businesses that deal with securities, investment banking and other such areas of activity.

My point here, and I know you’ll understand this, is there is a big part of the financial markets that comes under more direct authority of provincial governments as opposed to the federal government. That relationship is important because those investors are investing and not really thinking much about whether it is federal or provincial. I think you understand my point.

Mr. Therrien: Thank you for that. These regulations serve a number of public interest purposes that may not focus on privacy and yet may have the effect of improving privacy in some cases. Yes, it’s important to know what regulators in other areas are doing because it may provide a benefit in terms of privacy protection, but that is not the core reason of these regulatory frameworks. I would suggest that there’s a gap or at least that PIPEDA still needs to apply in a rigorous way.

The Acting Chair: Do senators have any other questions following up from that?

If not, I want to thank you very much, Mr. Therrien, for your testimony and for coming today.

(The committee adjourned.)