Proceedings of the Standing Senate Committee on
Banking, Trade and Commerce
Issue No. 54 - Evidence - April 4, 2019
OTTAWA, Thursday, April 4, 2019
The Standing Senate Committee on Banking, Trade and Commerce met this day at 10:30 a.m. to examine and report on the potential benefits and challenges of open banking for Canadian financial services consumers, with specific focus on the federal government’s regulatory role.
Senator Douglas Black (Chair) in the chair.
[English]
The Chair: Good morning and welcome colleagues and members of the general public who may be following today’s proceedings of the Standing Senate Committee on Banking, Trade and Commerce, either here in the room or listening via the web.
My name is Doug Black. I am a senator from Alberta, and I chair this committee.
I ask my colleagues to introduce themselves to the panellists.
Senator Klyne: Marty Klyne, Saskatchewan.
Senator C. Deacon: Colin Deacon, Nova Scotia.
Senator Duncan: Patricia Duncan, Yukon.
[Translation]
Senator Verner: Good morning. Josée Verner from Quebec.
[English]
Senator Stewart Olsen: Carolyn Stewart Olsen, New Brunswick.
Senator Marshall: Elizabeth Marshall, Newfoundland and Labrador.
Senator Wallin: Pamela Wallin, Saskatchewan.
The Chair: And, of course, we’re always assisted very ably and competently by our clerk and analysts.
Today marks our seventh meeting on the study of the potential benefits and challenges of open banking for Canadian financial services consumers, with a special focus on the federal government’s regulatory role.
Today we have two panels. It gives me great pleasure to welcome the witnesses in our first panel. From Innovation, Science and Economic Development Canada, we have Mark Schaan, Director General, Marketplace Framework Policy Branch. We have heard from Mark a couple of times on various matters, so welcome back. From the Canadian Radio-television and Telecommunications Commission, we have Chris Seidl, Executive Director, Telecommunications; Scott Shortliffe, Chief Consumer Officer; and Renée Doiron, Director, Broadband and Network Engineering, Telecommunications.
Thank all of you for being here. We will commence with opening remarks, Mr. Schaan, followed by Mr. Seidl, and then go to questions and answers.
Mark Schaan, Director General, Marketplace Framework Policy Branch, Innovation, Science and Economic Development Canada: Thank you, Mr. Chairman and members of the committee, for the invitation to appear before you this morning. It’s a pleasure to be back.
My branch is responsible for ensuring that Canada’s marketplace frameworks help promote competitive markets and instill consumer confidence. This work includes development and coordination of policies on privacy, data protection, intellectual property, insolvency and competition, all of which can have important linkages and even be important foundations for innovations like data portability and open banking.
[Translation]
I know you have had a number of witnesses over the course of this study who have given your committee much to consider and assess. What I may be able to add today is an understanding of the role marketplace frameworks can play in stimulating innovative new approaches, and in the need for coherence between our fundamental market laws and those that will introduce and regulate new, innovative and often disruptive approaches.
Laws of general application, such as competition, intellectual property, e-protection and privacy, provide the foundation for the digital marketplace, including activities that are core to enhancing data, digital and disruptive technologies. Some have noted that the current framework is ill-suited to regulate the data-driven economy. Furthermore, others question whether the legislative reform process itself may not be nimble enough to support digital transformation initiatives that are progressing and being implemented very rapidly. Also, these processes may not be inclusive enough to enable widespread adoption and social licence for such emerging technologies.
[English]
Our department, as part of a broader government effort, is seized by these questions and has been working in tandem, alongside initiatives such as this study and the Advisory Committee on Open Banking supported by the Department of Finance. Our efforts aim to ensure that Canada is well positioned with the necessary skills, privacy and trust to fuel innovation and unlock the potential of a data and digitally driven economy.
Specifically, ISED is responsible for the administration of the Personal Information Protection and Electronic Documents Act, commonly known as PIPEDA, which was established to build the trust and confidence of Canadians in the digital economy and has long been recognized as critical to its growth. The law does so by setting strong, flexible rules for consumer privacy protection. The act balances the privacy rights of individuals and the needs of business for information in support of their legitimate practices.
In June 2018, the Government of Canada committed to exploring options to enhance PIPEDA in response to a 2017 report by the Standing Committee on Access to Information, Privacy and Ethics in its study of PIPEDA. The committee recommended a number of reforms to the act to bring it more in line with the new consumer rights provided under the European Union’s General Data Protection Regulation, or GDPR, including the introduction of data portability rights for individuals.
Under PIPEDA, the principle of consent is also central to providing individuals with control over their information. Organizations are required to obtain consent from individuals for the collection, use or disclosure of their information. The 2017 report by the Standing Committee on Access to Information, Privacy and Ethics in its study of PIPEDA confirmed that consent should remain core to the privacy regime, but that it should be enhanced and clarified when possible and necessary.
In its response to the ETHI report, the government agreed that work is needed to ensure that consent remains meaningful under PIPEDA and that the consent regime can be enhanced and clarified. As a result, ISED is currently examining options to update consent provisions in PIPEDA as part of a broader PIPEDA reform to facilitate new business models that rely on information, while ensuring appropriate protections are in place.
In the context of open banking, enhancing consent provisions would be consistent with broader objectives to improve consumer choice, control and the ability for individuals to take advantage of innovative new services, while also ensuring the protection of sensitive financial data.
[Translation]
In its testimony to this committee on open banking, the Office of the Privacy Commissioner of Canada, or OPC, also expressed concerns pertaining to consent for sharing of personal information in an open banking environment. The OPC has published a set of guidelines for obtaining meaningful consent, which went into effect in January 2019. These guidelines have raised important considerations for bolstering consent as a meaningful control mechanism. They have also highlighted the need for more policy work to provide clarity and certainty around the use of sensitive information like financial information.
As noted in the government response, these policy changes require dialogue with Canadians. To this end, between June and October 2018, ISED conducted national consultations on digital and data transformation across Canada. One key theme of the consultations was “trust and privacy.” The consultations demonstrated that there is a strong push to balance the desire for enhanced privacy with the capacity for new technologies to stimulate innovation and social and economic benefits. The consultations also highlighted Canadians’ anxiety about a perceived lack of transparency and control regarding how their information is collected and used by new technologies and business models.
What I would note from the above is two things: One is that considerable work is under way to continue to ensure our marketplace framework laws, as well as sector- or activity-based regulations that work in parallel, are fit for purpose for a data- and digitally driven economy. Second, is the need for coherence and complementarity between the various levers governments and other key players in the marketplace bring to bear on these important and complex disruptions.
[English]
Data portability, including in the open banking construct, is just one of these important disruptions. It is an emerging concept in data and competition policy that requires organizations to allow consumers to transfer their data in a usable format between service providers. It is receiving increased interest in Canada and globally as a potential tool to address both data governance and competition issues. Open banking is essentially the application of data portability in the banking sector, where it is also subject to additional regulation on the transfer of data.
Data portability has the potential to enhance consumer control over personal information and to foster the entry of innovative service providers into markets otherwise dominated by data-intensive incumbent firms, such as in the banking sector. It also has the possibility of mitigating existing risks to data protection arising from current data transfer practices, such as screen scraping, which has been referenced in previous testimony to this committee, wherein unregulated third parties collect and store the banking credentials of customers to log into their accounts and provide them with price comparison, financial management and other services.
[Translation]
Open banking does pose some risks that require mitigation, notably ensuring that all actors within these new data chains can fully secure and protect the data in a way that builds consumer confidence and trust. This is why data portability similarly requires complementarity and cohesion between banking laws, general marketplace frameworks, and the regulatory actions of a number of key players. It will also benefit from common technical standards to support interoperability and to unlock its potential.
With this in mind, we are working very closely with our colleagues at the Department of Finance, amongst others, to ensure their approach to these issues aligns as we modernize our marketplace frameworks for this emerging data and digital reality. We are also looking at examples of international approaches in Europe, the U.K., Australia, Singapore and elsewhere, as well as input from stakeholders in Canada.
[English]
The question of open banking is one that is nested in a much larger dialogue on the appropriate role of marketplace frameworks and other regulations to support competition, fuel innovation and protect privacy, all in the aim of greater confidence, trust and growth in the Canadian marketplace. ISED will continue to evaluate the impact of disruptive technologies and business models, such as open banking, on competition, privacy and the other frameworks that can act as a foundation and a backstop as these disruptions take hold.
I am happy to address any questions you may have.
The Chair: Thank you very much, Mr. Schaan. As always, that’s very helpful.
Mr. Seidl, please go ahead.
Chris Seidl, Executive Director, Telecommunications, Canadian Radio-television and Telecommunications Commission: My colleagues and I welcome this opportunity to bring the CRTC’s perspective to your important study on open banking for Canadian financial services consumers. While the commission comes at this issue from a telecommunications perspective, not the banking sector, there is a clear link between them in today’s world of digital commerce.
The common ground is found in the CRTC’s universal service objective. Its goal is to ensure that all Canadians in rural and remote areas, as well as in urban centres, have access to voice and broadband Internet services on fixed and mobile wireless networks so they can participate in the digital economy.
[Translation]
Broadband is the critical tool we use for everything from banking and shopping, to accessing health care and other government services. It is equally crucial to Canada’s future economic prosperity, global competitiveness, social development and democratic discourse.
That’s why, in December 2016, the commission announced that broadband Internet is now considered a basic telecommunications service. Our universal service objective calls for all Canadians to have access to fixed broadband at download speeds of at least 50 megabits per second, or Mbps, and upload speeds of 10 Mbps, as well as an unlimited data option. In addition, the latest mobile wireless technology needs to be available to all homes and businesses, and also along major Canadian roads.
We anticipate that 90 per cent of Canadian households will have access to 50/10 speeds by 2021, with the remaining households to be connected as soon as possible within the following decade. These expectations are closely aligned with the federal government’s recently announced national broadband target.
[English]
We are making significant headway in advancing this goal. As of December 2017, 97 per cent of households in urban areas had access to services that meet the universal service objective. However, just 37 per cent of households in rural areas had similar access at the end of 2017.
To help bridge the digital divide, the CRTC has established the broadband fund to support projects in areas that don’t meet these targets. The fund is designed specifically to improve broadband services in rural and remote regions that lack an acceptable level of access.
The fund will have up to $750 million over the first five years to build or upgrade access and transport infrastructure to provide fixed and mobile wireless broadband Internet service in underserved areas. Up to 10 per cent of the annual total will be provided to satellite-dependent communities. Special consideration may also be given to projects targeted at Indigenous or official language minority communities. The broadband fund is meant to be complementary to but not a replacement for existing and future private investment and public funding.
In late 2018, we established the criteria that will be used to evaluate and select applications for funding and publish maps that show which regions have access to the universal service objective and which do not.
In the coming months, we will issue a call for applications. The call will set out the length of the application period as well as eligible areas and the types of projects that will be targeted.
[Translation]
The CRTC also aims to ensure the needs of Canadians — and especially vulnerable Canadians — are met. For example, we recently held public consultations about a potential code of conduct for Internet service providers. If adopted, the code would establish consumer-friendly business practices, ensure contracts are easy to understand, and make it easier for Canadians to switch providers to take advantage of competitive offers.
We will announce our decision regarding an Internet code in the coming months.
It is important to note that similar codes are already in place for wireless and television services, which have proven to be effective in establishing protections for consumers. We also recently issued a report on aggressive and misleading sales practices in the communications market, and are considering a number of additional measures to empower consumers and promote their fair treatment.
[English]
Extending broadband to underserved households, businesses and along major roads will ensure that Canadians can take advantage of existing, new and innovative digital services such as open banking.
We would be pleased to answer your questions.
The Chair: Thank you very much, Mr. Seidl. That was also very helpful to us.
Senator Stewart Olsen: Thank you very much for your very interesting presentations. I will ask Mr. Seidl several questions because I don’t have and I don’t think Canadians have a clear understanding of exactly how CRTC is involved in broadband.
I would really like to know why in this day and age it’s not proceeding as quickly as it should. It sounds wonderful to say that by 2021 we’ll have 90 per cent of Canadians having reliable access, but that leaves 1.5 million Canadians without reliable access. Let me tell you, that will be in the rural areas and places that are difficult to get to.
I am wondering why we have to wait while you develop codes and all these other wonderful things, where the real necessity for Canadians to compete and to do everything is on their broadband access.
I’ll leave it at that, and then I’ll have a follow-up question.
Mr. Seidl: Thank you for the question.
In 2016, the commission set a new universal objective of 50 megabits and 10 megabits per second after major consultation. Right now, Canadians have access to Internet. About 99 per cent of households have access to a certain level. In 2016, we redefined the level to 50/10 to ensure that all Canadians get access to a level of service found in urban centres from our cable or other service providers that have these performing networks.
The challenge is in rural areas. The cost of deployment in rural areas and extending the network to a rural area does take time. That’s why the commission decided to shift its focus. It had programs in place to bring phone service to all Canadians. That was accomplished many years ago, but it took a while as well. We’re doing nation building here to build out the networks.
The commission is not necessarily a funding agency, but it takes money from service providers. That $750 million comes from service providers, and we redistribute those funds to projects to deploy the network out farther.
The commission is concerned about that and is working as fast as it can to try to bring that money to projects that will most sufficiently serve those rural areas.
Senator Stewart Olsen: That leads into my second question quite well. I am not really certain why the government has to pay for the broadband. It should be the networks and the service providers. I don’t understand why you can’t just say: If you want a licence to operate in this country, you have to do this, this, this and this.
That should be the mandate. Your oversight has to have some teeth in it. It maybe doesn’t. I am not sure. When you say every rural area has basic service, I would encourage you to go to rural areas because they do not.
Anyway, I’d like to know why we are involved with getting money from these guys and then saying where this is money is going, whereas you could say to the service providers: If you want a licence in Canada, you do this.
Mr. Seidl: The Telecommunications Act indicates that high-quality services should be provided to all Canadians. That is our goal. To build those networks in these regions is typically not very economical for a service provider, so they need the support to provide the service. We are in the process of providing that for them.
We expect market forces to deliver those services to certain areas of the country, but some areas are uneconomical to deploy the level of Internet we want every Canadian to have.
Senator Stewart Olsen: That’s my point right there. I don’t care if it’s not economical. They make enough money from every other place. That should be a part of what your department says is necessary if you want this provision of service to Canadians.
That’s my feeling, and I think I am echoing the feelings of Canadians across the country.
Senator Wetston: My first question is to Mr. Schaan. It’s obviously about open banking.
Mr. Schaan, should Canada proceed with open banking? If so, what would you see as the necessary preconditions for success?
Mr. Schaan: The question as to whether Canada should proceed with open banking will be answered by the Department of Finance consulting committee, the advisory group. They’ve heard quite a lot of good evidence for why open banking could potentially be quite useful to Canadian citizens.
Regarding the second part of your question in terms of what it would take or what would be the necessary conditions for actual success, there are a number of things. To my colleagues to the left, it would be that continued ability for Canadians to participate in a digital economy with digital infrastructure is a necessary precondition. There are a number of others. I’ll start maybe on the crunchy and get to the fuzzier.
On the crunchy I’d say, just like you need the physical infrastructure for Canadians to gain access, you actually need the engineering infrastructure as well as the back end. You need an agreed set of standards by which the data will flow. You need to ensure the data will be encoded in a particular way that both the giver and receiver have the capacity to be interoperable. That’s not easy.
We’ve seen from international examples that you can get to those codes in a number of ways in terms of the standard. In the U.K., that standard was created by the open banking entity. It was not left to a voluntary situation. We do see voluntary standards organizations that have taken on some of this work in other jurisdictions to be able to allow for that.
Probably I concentrated most of my remarks on the need for cohesion and complementarity of all of the various frameworks. Let’s imagine that we modernize PIPEDA tomorrow and say that there’s a right to data mobility or data portability. In the GDPR situation, there were some challenges around exactly what data portability meant. People at the citizen level assumed that data portability meant they would be able to go to a social media platform tomorrow and say, “Please provide me all of my data.” Then they would be able to take that and give it to someone else to recreate the exact experience they just had but with a different provider.
That’s not what actually occurs. You take your personal information in zeroes and ones. Maybe those zeroes and ones compute to someone else, but if there’s no other market offering out there, there’s no one to port it to.
If we introduced data mobility tomorrow, you would need to ensure all of the complementary regulations and structures that govern banking are aligned. You could very quickly say that you have a right to port your data, but to whomever you’re porting it is still subject to anti-money laundering and anti-terrorist financing regulations, and it still needs access to the payment rails. All of these things need to be complementary.
You can go even further. We can look at the statutes. The witness on the next panel probably has some thoughts on this in terms of the interoperability of the copyright associated with some of that data and the complementarity of the intellectual property frameworks of competition and privacy.
The last thing is the fuzzy one as a precondition around education and volition, which means you need to have a “want” on the part of consumers or otherwise to say, “Please move my data from point X to point Y.” You need to have an educated population that knows (a) why and (b) how.
As we’ve seen in the U.K. example, making that the burden of the citizen, potentially, doesn’t get you very far. You actually need for the citizen to be able to tell their institution to send the data over to another entity because if it rests with them, they’re not a great interlocutor.
I’d say standards, frameworks, infrastructure, volition and education are the necessary preconditions to make this a success.
Senator Wetston: That is a lot to think about. I am glad the committee is thinking about that.
I’ve been thinking about the notion of open banking, and I don’t like the term. It leads us in a direction that may be somewhat misleading.
In the past, when we talked about shadow banking, those in that sector don’t like that term. They use the term market-based financing. Doesn’t it sound better?
If we proceed with open banking, have any of you given thought as to whether or not we should find some way in Canada to characterize it as something that is not open banking? If you haven’t, that’s fine, and I’ll pass on, but I’d like your thoughts about that.
Mr. Schaan: I can start, and maybe my colleagues can fill in.
I have given some thought to the notion. I am not going to directly answer your question. I’ll answer a related one. It’s the same problem we have with data portability because data portability makes it sound as if you can easily move the data and port it to someone else; but there may not be an entity to port it to. The relevant constructs you are getting at that are fundamentally relevant to the citizen are: I can control my data and I can direct my data.
Control and direction are two concepts that somehow need to figure into whatever it is that emerges in this particular space. You have control of the financial information about you, and you can direct it to people who can offer you services that are relevant to you.
Citizen controlled and directed banking is a long title. I don’t know what it is, but I would say those are the two concepts that are essential.
Senator Wetston: Any thoughts, Mr. Seidl?
Mr. Seidl: Open banking is not a focus for the CRTC, but we do focus on competition. From what I have read recently, it’s about opening up the market to more competition and more choices for consumers. That’s where I would put the emphasis.
Senator Klyne: I want to follow up on Senator Wetston’s question about whether we should go to open banking. I was hoping an answer might come up with regard to economic benefits and jobs created.
Given that you have studied open banking, could you comment on that?
Mr. Schaan: The potential benefits of open banking are twofold. You can consider them in two ways.
The first is obviously the notion of the benefits to the citizen and the consumer, in the sense they are given additional choice as to the providers that may be able to offer them options.
The second is that you are right. There is a growing fintech industry in the country and in other places that is creating all sorts of new disruptive services. It’s growing very quickly. It needs the clarity and certainty from a frameworks perspective to be able to grow.
That question is seizing the Department of Finance and its advisory through the framework laws on either the competition, privacy or even intellectual property side. It is seizing us in the sense of how we provide certainty and clarity to business about how these rules are to be set, what will be allowed, and how they will work.
Senator Klyne: That’s the segue to the question I really wanted to ask.
You had mentioned in your presentation that PIPEDA and the standing committee which studied it, confirmed that consent should remain core to the privacy regime. You also mentioned that an open banking enhancing consent provision would be consistent with broader objectives.
We heard from another panel that consumers would have control but not necessarily ownership of personal data under Australia’s proposed legislation.
Also, in some concluding remarks, you said that the question of open banking is nested in marketplace frameworks and other regulations to spur competition, fuel innovation and protect privacy, which all begs the question of regulatory framework and a regulator.
Where do you see that coming from in terms of a regulator, and who is to pay for that?
Mr. Schaan: That’s an important question. I am not going to totally deke it, but I am going to slightly deke it in that I’ll say that our framework laws are laws of general application.
When I explain my job to people, I say that I am responsible for all of our economic laws of general application that aren’t sector specific. Because if the law regulates a particular sector, it lives somewhere else. In the case of banking, that’s finance. In the case of resource industries, that’s Natural Resources Canada. There is a number of them.
Our regulator in the case of our framework laws are already well placed to regulate their particular aspect of this piece. In the case of competition, that’s the bureau. In the case of PIPEDA, that’s the Office of the Privacy Commissioner. In the case of intellectual property, there is a few of them but the primary ones are the Canadian Intellectual Property Office and the Copyright Board of Canada.
The question you are asking is: Who is the best sectoral regulator for the sector specific activities of banking that live on top of framework law? Framework law applies to everyone and to all activity. We are very certain that we don’t exempt industries or sectors from those frameworks. Whatever open banking does will have to be PIPEDA compliant and will have to live up to the Competition Act. I think the question as to which sector specific regulator is best posed to Finance or those who are more familiar with the actual specifics of banking.
In the case of the regulators that relate to my statutes, they are all paid for by general appropriation or, in the case of the Canadian Intellectual Property Office, as a separate operating agency that collects fees through patent and trademark applications. Other regulators like the CRTC have a mixed model. On your question of how to pay for it, it would vary.
Senator Klyne: The latter description is collecting fees; the former one is the taxpayer.
Mr. Schaan: Exactly.
Senator C. Deacon: I am thinking about the 3.5 million Canadians who are operating in an unregulated environment right now. I am also thinking about the portability of innovative, fast growing businesses that are central to the future of our economy. They can move to any country in the world overnight, which means we can attract them or we can reject them by not moving fast enough in terms of regulations that allow them to be profitable.
I layer on that a point you made that access is a precondition to open banking. That scared the crap out of me, because right now that means if we have got till 2021, maybe, and whatever else.
I am looking at that and saying that we need to be doing things now. There are Canadians who are at risk today. We have examples where government has been a leader in sharing data with CRA through Intuit TurboTax. It is a phenomenal example where government has proven it can be a leader. I want to hear where government will be a strong leader, moving swiftly in this area to enable the private sector to run.
Mr. Schaan: Certainly, on the broad questions of data digital, we share your desire and ambition. The national consultations our department ran on data digital were exactly around three core questions: What are the skills required to thrive; how do we fuel innovation; and what are the necessary privacy and trust pillars that need to be in place?
As my minister indicated publicly, there were investments in Budget 2019 and there will be more to come on that front. On the question of open banking specifically, that’s a question for my Department of Finance colleagues. In terms of the broad data and digital economy, you would find strong alignment with the notion that we need clarity and a strong approach to ensure that we can seize this moment.
To clarify your point on access as a precondition, I mean that primordially in the sense that if the service is by and large digitally offered, and I don’t have the capacity to participate in the digital environment, I can’t access the service.
We know from the CRTC numbers that a large majority of Canadians are already willing and potential consumers in that market. The question of universal access is one that the CRTC is striving toward.
Senator C. Deacon: Versus a precondition.
Mr. Schaan: The precondition is as an individual, not necessarily as a whole society. In order to have consumers participate, they need the tools.
Senator Wallin: I want to go back to a bit of blue sky. We have been having a conversation with the Brits and the Australians about language. To Senator Wetston’s point and to Senator’s Klyne’s point, we seem to have come down to talking about control versus ownership. That’s clear. We are talking about consumer directed data as opposed to consumer directed banking. It encompasses all sorts of things.
I have two issues to hear from you on. In addition, perhaps you want to make a comment. Looking at the legislative consumer data, the CDR, how do we do that and should we do that? What centralized authority will manage this? I am not referring to framework laws and sectoral regulations, but to a central authority.
Mr. Schaan: I think on the first one, you can come at it in a number of ways. I think people have used their particular frameworks depending on the nature of their jurisdiction and how they are structured.
In the Australian context, the ACCC is a different kind of regulator than our Competition Bureau. It’s empowered in a different way, not just because it has sector specific responsibilities, but it also has remedy-making powers.
You can probably glean from my remarks that we are looking at this through a series of framework laws, but the one that probably lends itself most directly is data mobility or data portability, something that is potentially enshrined in private sector privacy law. If that’s the case, you can flow from there potentially, just like in the Australian example where the data right is actually not sector specific and is not unique to banking. It is actually starting in banking and then moving to a whole bunch of sectors thereafter.
Similarly, just like in the GDPR, if it’s enshrined as a responsibility or obligation in PIPEDA we have similar ramifications. As I say, we can learn from the GDPR in the sense that the General Data Protection Regulation of the European Union says that you can access your personal information in machine-readable format.
Right now our PIPEDA says that you can get your personal information, but it doesn’t specify how and it doesn’t necessarily specify in what format. That’s one way in which you can potentially think about how to approach the CDR.
To your second question of a stand-alone regulator, again I’ll say that my colleagues at finance are probably thinking through this in a different way than I am, in the sense that in laws of general application, as I indicated, we aim not to be sector specific in our approach. We try not to design framework law to fit a particular kind of technology but actually to be technologically neutral. It begs the question in this particular case, though, for those who look at this sector: Who does that and who is best positioned?
Senator Wallin: How can we get there? I ask the same question every week, it seems, of any group of people before us. I think we are now in our seventh session.
How do we go about this? We have seen them do it in the U.K. because they did it sector specific and the banking industry stepped up. How can we just get there and have this discussion?
Mr. Schaan: There are a couple of ways you can get there. One of them is a coordinated cohesive approach between updates and modernization to framework law that match with a sector specific ambition. I think the sector-specific ambition will come potentially from my colleagues at the Department of Finance, as they conclude their advisory on it.
Senator Wallin: You think that is where it has to start. Thank you.
Senator Duncan: My questions will focus on the CRTC and your presentation.
I note you indicated in your presentation that in late 2018 there were published maps showing the regions which have access to universal service and those which do not. Could I ask that those maps be provided through the clerk to members of the committee so that we can exactly see what we are talking about?
Also in your presentation you referred to the program to improve services in rural and remote regions that lack an acceptable level of service. I am wondering if you would provide us with what you determine to be an acceptable level of service. I have a few points on an acceptable level in which I am especially interested.
The first issue is service. Members of the panel will forgive me for relaying this story, but every time someone digs a hole in Fort St. John, the entire banking system and Internet service go down throughout Yukon, along with the ability of people to buy things at Superstore.
The second issue relates to what Senator Stewart Olsen about the price of the Internet service. There is a substantial difference between the price paid for Internet service in Yukon or Hay River, Northwest Territories, and that paid in Calgary or Toronto.
The third point I would like you to address, if you wouldn’t mind, is the vulnerable Canadians you mentioned. I noticed that your approach was to develop an Internet code. I would like to ask if you would take a look at the British example presented to us by the open banking implementation entity. They referred to an organization that was established to deal with the vulnerable sector in Great Britain. Their methodology was to reach out to the vulnerable sector themselves, to have that social interaction and to have the ability to sit down with those folks who lack the ability to access the Internet or access online banking.
I am sure everyone here could think of folks who don’t do online banking for one reason or another. There is a vulnerable sector in our society who do not have simple things such as identification.
Developing an Internet code, with all due respect, may not be necessarily the CRTC’s responsibility. It might be housed in another department, but let’s see if there is perhaps a more equitable method to reach the vulnerable Canadians. If you wouldn’t mind, would you please address that?
Mr. Seidl: Sure, I’ll address your first two points in the question, and I will ask my colleague, Mr. Shortliffe, to cover the last point.
When we define accessible level, we define the universal service objective. As I mentioned, the speed requirements are 50 down/10 up for that and access to unlimited data so that you don’t get throttled when you get to a certain amount of usage. That’s how we define universal service.
We also have a quality of service requirement. We define very technical aspects to ensure that the service actually can perform at an appropriate level and can address latency, the delay you get on the connection, the appropriateness of the connection, or even loss of packets that are transferring there. We have set targets for those as well to define what we call our universal services objective for fixed access.
In terms of security, there is a desire for the network to be highly resilient to failures or to issues that happen through construction or other aspects. We look at improving projects that extend the network. Coverage is the most important. When we look at projects, we also have in there as part of our criteria the resiliency of the projects being put forward. We will evaluate those projects based on that criteria as well. We look at several different attributes, and that would be one of them, to ensure projects also improve the resiliency of the network and security as you mentioned on that front.
Obviously competition is very important. In terms of price, we don’t regulate the price of Internet except for the Northern Territory, Yukon and Northwest Territories. We regulate price for terrestrial Internet in those regions, but we found there wasn’t competition sufficient to protect the interests of consumers. We actually set those rates, and in some cases those rates are set below cost for the provider. Some compensation goes on between urban versus rural in the far northern areas.
We regulate those rates. They have to come to us for approval of any changes to those rates in both cable plants in Yellowknife and Whitehorse, as well as in the Internet plants in more remote regions.
In the applications that come before us the parties must indicate what price they want to offer. We made sure those prices are set as what you would get comparatively in a close urban setting. That will be one of the criteria they must commit to when they deploy these solutions out into the regions. We will look at some of the more granular aspects of that, but our goal is to ensure that the prices are set comparable to what you would get in an urban centre where there is competition from both cable and teleco.
I’ll pass it to Mr. Shortliffe.
Scott Shortliffe, Chief Consumer Officer, Canadian Radio-television and Telecommunications Commission: I took great interest in the British example. I confess that I am not familiar with that organization. I will do some more research to better educate myself.
In terms of an Internet code, we are building on what already exists in terms of the wireless and the television service provider codes. These codes were introduced over the last five years. In terms of working with consumers, we have found there was a lack of transparency. There were problems with overbilling.
We introduced codes which we revise every few years. We start with the wireless code. At that time we introduced the idea of a critical information summary so that when you’re getting a wireless phone you would see what you’re getting and what the billing structure should be.
We embedded PIPEDA in that. We worked and consulted with the Office of the Privacy Commissioner to make sure that we had protection saying, “Your wireless provider must disclose to you how your information will be used.” We extended that to television. Now we are extending it to Internet services. It’s an open proceeding in front of the commission, so I can’t tell you where it will end or I can’t discuss what our advice will be.
Concurrent with this, we had a major hearing on misleading and aggressive sales tactics. During that proceeding, in terms of vulnerable Canadians, we saw Canadians speaking a third language other than English or French. Some elderly Canadians and Canadians with disabilities were disproportionately affected by aggressive and misleading sales tactics. We have embedded that knowledge into what we are proceeding with to create in the Internet code.
I think the question you raised, if I understood it, includes the idea of economic vulnerability. It goes a bit wider than what we did in the most recent study. However, it is an important question for us to look at.
As a broader concern that ties into the broadband funding, we are extremely concerned with the growing effects of a digital divide. Canadians don’t necessarily have the same access to the same digital tools. That affects their ability to participate in democratic life. If you don’t have access to information on an easy basis, you can’t participate in society.
These questions underline the various tools we are trying to put into place to protect vulnerable Canadians. We are certainly looking for international examples. The advice you have given to look at the British example is something I will take back to and work with my team on.
Senator Marshall: My question is for Mr. Schaan. Mr. Seidl may wish to comment on it also.
I want to talk about the $1.7 billion announced in the budget. For open banking, we will need a lot of infrastructure. I think the funding provided by the government will probably help. I am also aware of the report the Auditor General released last fall with regard to connectivity in rural or remote areas, which I found to be somewhat critical.
Could you tie all those things together and tell us what are the plans for the $1.7 billion? In explaining it to us, could you also tie in what has been happening over the last several years? I believe your department had several initiatives. The one I was looking at was the 2016 Connect to Innovate program, which the government says was so successful and which the $1.7 billion will build on.
Could you talk about the $1.7 billion? What is the plan? How will this happen with open banking? Excuse me, Senator Wetston, I know you don’t like the name.
Senator Wetston: You are forgiven.
Senator Marshall: Could you speak about that, please?
Mr. Schaan: Unfortunately, the department has a very strong interest and role in the universal broadband fund announced in Budget 2019. It is not within my purview. I would be happy to have any colleagues within the department come back to you on that question.
My work is on the framework law side, and my colleagues are in telecom policy and other avenues.
Senator Marshall: Would the finding have no impact whatsoever on your area of responsibility?
Mr. Schaan: There is an intersect between connectivity and marketplace framework laws, but the questions I am mandated to steward on behalf of the minister are related to the law and its application, which is not necessarily a direct linkage to connectivity.
Connectivity is an important piece of an overall digital environment, but the questions I am asked to consider are: What is the state of our competition law; what is the state of our intellectual privacy laws; and what is the state of our privacy laws?
Senator Marshall: Mr. Seidl, would you have any comments on where you would like to see the government go with that funding?
Mr. Seidl: I can share what I know is in the budget. The $1.7 billion was toward connectivity. To help bridge that digital divide, the government adopted the CRTC target of 50 megabits per second down and 10 megabits per second up.
The $1.7 billion is broken into a couple of aspects. One is to give additional funding to CTI so they can go forward with other projects. They’re also introducing a new universal broadband fund, which will add another $1 billion. They’ve earmarked some of the money to go to low earth orbit satellite capacity to help remote regions with access. Obviously that’s the government’s program, but I am not familiar with the details.
Senator Marshall: When the government implements these programs, are you aware of the targets? In the past the amounts of money have been quite significant.
Are you aware of what they plan to do with the money, what their targets are and then what they actually achieve? Is that something you track or that you would be aware of?
Mr. Seidl: We definitely follow what they are doing. Obviously, they are contributing to closing the digital divide and that’s part of our goal. It helps to inform us on what we need to do on our end.
This is a shared leadership responsibility of the regulator, the private sector and the government, to take on this massive requirement to close the digital divide. It will take all of us to play our parts.
Senator Marshall: For the 2016 Connect to Innovate program, would you be aware of its results were? I find in government is a big fanfare at the beginning when the money and what’s going to be done are announced in the budget at the beginning, but not so much emphasis on what it actually cost and what it actually achieved.
Would you be aware of whether that program was successful? Would you know exactly what the government is planning to do with the $1.7 billion or what their targets are?
Mr. Seidl: I don’t have the details of those programs. I would defer to the department of ISED to provide that information.
Senator Marshall: At some point in time would you be provided with that information?
Mr. Seidl: With everyone else in terms of the results of that, yes. It is their program; it is not our program.
Senator Marshall: Not as a favoured interested party, but you would see it along with everybody else.
Mr. Seidl: Yes.
Senator Wetston: I am wondering if I could get your sense of it. At the end of the day, we are going to have to build a regulatory sandbox. That’s what it sounds like to me. It may not be the best way to approach this type of issue. In the U.K. they decided to create the Open Banking Implementation Entity. I am not sure whether we are able to do something that is a bit more focused and directed at the very issue we are trying to address, given the fact we have framework laws and sectoral laws. I know Finance is driving the bus more or less on this issue in the consultations.
Maybe you cannot answer this question, but how would you would view the ideal regulatory model, recognizing federal provincial issues, et cetera, that might allow us to move more quickly with the possibility of introducing what I don’t like to call open banking?
If you can’t, I understand. I have put my question, and we’ll have to think about it. However, if you could possibly provide some thoughts about that, it would be helpful.
Mr. Schaan: I can start. The Department of Finance is the right actor to think about the specific kinds of regulations that may be necessary for the specifics of open banking. Even if it is a trial or a kind of nimble structure that’s able to be a bit more agile and allow for the activity to start even though it’s not necessarily perfected, I would posit and reinforce the point I made in my opening remarks about coherence. No matter what, the activity will be regulated by existing framework laws, competition, PIPEDA, intellectual property, and others.
So I think, no matter what, we need to make sure that it’s coordinated and coherent. We’re working toward that end.
On the specific regulatory approach, you’re right that we can learn from international best practice in some regards. Hopefully some of this work will not necessarily take as long because we’ll be able to learn from what has been done in other places.
Senator Klyne: I have a quick question for CRTC and then back to ISED.
Regarding the 50/10 speed, what view has been taken to look forward since much of the context of discussion these days is approaching gigabyte speeds? I guess nobody will be playing Fortnite any time soon in the North.
Mr. Seidl: We continue to look at the target periodically. Back in 2011, we set it as 5 down/1 up and in 2016 it is 50/10. We will continuously review what is the appropriate level for Canadians, and we will take action to achieve that going forward. We’ve also set a target for mobile as well. It’s the latest generally deployed technology, which right now is long-term evolution and is available to 99 per cent of households today.
We are looking at both mobile and fixed access.
Senator Klyne: What kinds of resources are required to move up from the 50/10 speeds 10 years from now, say, in time and money?
Mr. Seidl: Technology continues to advance. Ideally, you want something that is scalable and can easily evolve. When fibre optics are put into a home, it’s ensuring the technology there can be scalable, though not necessarily inexpensively, once you have that access.
The next generation of mobile, 5G, is coming down the pipe. It will offer significantly higher speeds on the mobile front. That could even be a good solution for rural areas to give them higher speed connections with fixed wireless solutions. The technology will continue to evolve and, as I mentioned, satellite connectivity will also evolve.
Senator Klyne: It’s important to be there and that it’s scalable, which is good.
Mr. Seidl: Yes.
Senator Klyne: I have questions for ISED. What considerations in your study were looked at? Everything always seems to focus around banks. Credit unions have started to bubble up in the discussion. There is very little consideration of the pillars of their setup and how insurance and banks are kept apart. Then there are also investment dealers and trust companies.
The question I really want to ask is about foreign banks and foreign ownership of fintechs and third parties, but foreign banks participating in this open banking practice.
Mr. Schaan: I think that’s largely a question for Finance, unfortunately, because they are the regulator of financial activity. The one thing I’d say from a framework law perspective is that we have important provisions in our framework laws that take into account some of those considerations.
In PIPEDA, for instance, there’s an accountability principle that follows on. It doesn’t matter to whom you transfer the data, the accountability for the continued adherence to PIPEDA rests with the original. You can’t transfer it away. In the case of a foreign entity toward whom that data is potentially flowing, the privacy obligations are retained. You can’t transfer away your obligations to Canadians under our privacy law and no longer live up to PIPEDA.
Senator C. Deacon: Thank you for a really good session. I want to focus on the issue of net neutrality, on our resilience to that becoming a political whim in the future, as it just happened to be in the United States, and on building from the individual precondition of access.
This is for Mr. Schaan and the CRTC. How resilient are our current legislative and legal frameworks to the whim of net neutrality coming in at a certain point in the future? That could be very disruptive to individual access rights.
Mr. Schaan: I’d say that the general aim of our framework laws, because they are of a general application, is to be technologically neutral.
PIPEDA is a principles-based statute, so it aims to try to ensure that it is not wedded to a particular technological approach. You’ll probably hear this in much greater detail in your next panel. There is a feeling, as we modernize PIPEDA, that we need to ensure it is fit for purpose in a data and digitally driven environment. It may not be the fact that it’s principles based, but the principles need to reflect the new reality. That’s something that we’re seized with.
In terms of the Competition Act, it is a general application law that has done fairly being net neutral or technological neutral, but I think it raises some important questions that we’re starting to think about.
One example I’ll give you is that the Competition Act is predicated on human intent. Abuse of dominance or price fixing is predicated on the notion that there is an economic actor, that is a natural person who is perceiving that act.
If it’s an algorithm that is actually price fixing or abusing dominance, how does our law apply? Is it necessarily consistent with that approach? There are some people who say that it isn’t, and we’re continuing to cede that out.
The goal of the digital consultations and where we’re heading is to make sure our framework laws are fit for the purposes of a data and digitally driven economy. By and large they’ve done well. They’ve stood up to the change in technology, but we are constantly reviewing them to ensure they are actually capable of doing that.
Generally the laws of general application have been structured to be capable of being able to roll with the times.
Mr. Seidl: In terms of the telecom situation, the Telecommunications Act has provisions to ensure common carriage and no unjust discrimination with respect to any content carried over the telecom facilities.
The CRTC has some of the strongest net neutrality regulations in the world. What is happening in the States is not something that influences us. The provisions are there, and the CRTC has made a comment to the legislative review panel that the existing provisions are sufficient for the CRTC to ensure net neutrality remains strong.
Senator C. Deacon: That’s reassuring.
Senator Wallin: I have a question for the CRTC’s comments on the lack of cost effectiveness of taking service to rural areas where I live, and not just to remote and northern areas.
I guess we’ve come to accept a whole lot of fronts in terms of access or the view of government that somehow we can do what everybody in the city does when we can’t, such as plug in electric cars, which we can’t, and all those kinds of things.
I am trying whenever I can to have people focus and say there are two different kinds of Canada. We can’t forget about the other one because it’s not just a bunch of hillbillies with no cellphones. It’s real people who are trying to bank and watch the news and do all sorts of things.
You’ve mentioned 5G. Can you imagine any other possible structures that would take us into a post-tower world that wouldn’t have that kind of need? I don’t know whether you would use drones or what.
What is the thinking about doing that sometime in the immediate future, rather than in 10 years, when we do not even know what technology we’ll be talking about?
Mr. Seidl: There are several solutions out there for the rural areas. I mentioned 5G and fixed wireless. There are other companies experimenting with different solutions.
One that may be most promising is low earth orbit satellites, which are a constellation of satellites that will be deployed in the 2021-22 time frame. There are some experimental solutions up there now. Telesat is one of the companies that will be offering a low latency connection for even the most rural, remote and northern locations in Canada.
Senator Wallin: What kind of service would that provide?
Mr. Seidl: It is to be determined, but it will provide a high level of capacity as well as low latency because of the low earth orbit. It will be equivalent to what we can get from a fairly good Internet connection. We’ll have to see when it gets deployed what the pricing is, et cetera.
Senator Wallin: What is your best information on 5G? Some of us are not keen on doing business with Huawei, but are there alternatives?
Mr. Seidl: The standards will be finalized shortly. There are deployments happening in other countries. I was at a recent conference, and every country wanted to be number one in the 5G race.
You will see that coming into Canada in 2020-21 in certain areas. We’ll see where that gets deployed first, but it can offer a low latency and higher bandwidth solution with wireless, both mobile and fixed.
Senator Wallin: Anyway we cut it, there is not on the immediate horizon. We are talking about a year out.
Mr. Seidl: The connections are there. It is really getting the networks built out. It may be a fibre connection, a cable connection or a wireless connection. The technologies are there to offer the universal service. It’s really getting those networks built to those regions and deploying them where the population densities are sparse in those areas. It’s not cost effective for the providers.
Senator Wallin: And then we are full circle to the cost-effective argument.
Mr. Seidl: Our funding comes from other service providers. We take a percentage of all telecom revenue and fund that for rural and remote areas. It comes from all service providers.
The Chair: Senators, thank you for your questions. Witnesses, thank you for contributions today.
On a general basis, thank you very much for what you are all doing on a daily basis for the country. We will welcome you back at some point.
As we continue our study of the potential benefits and challenges of open banking for Canadian financial services consumers, with specific focus on the federal government’s regulatory role, I am very pleased to welcome back to this committee, in the second segment of our meeting, Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa, faculty of law.
Dr. Scassa, welcome back. It’s always good to benefit from your insight. We look forward to your remarks.
Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa, as an individual: Thank you for the invitation and opportunity to meet with you on this very interesting subject of open banking, and in particular on data ownership questions in relation to open banking.
It’s important to think about open banking as the tip of a data iceberg. In other words, if Canada moves forward with open banking, this will become a test case for rendering standardized data portable in the hands of consumers with the goal of providing them with more opportunities and choices while at the same time stimulating innovation in a variety of other sectors and areas.
The question of data ownership is an interesting one. It’s one that had been of growing importance in an economy that is increasingly dependent upon vast quantities of data. However, the legal concept of ownership is not a good fit with data. There are no data ownership rights per se in Canada law, or in law elsewhere in comparable jurisdictions, although in the EU the idea has recently been mooted and it kind of bubbles up again from time to time. Instead, we have a patchwork of laws that protect certain interests in data. I will give you a very brief overview before circling back to data portability and open banking.
The law of confidential information exists to protect interests in information or data that is kept confidential. Individuals or corporations are often said to own confidential information but the value of the information lies in its confidentiality, and that’s what the law protects. Once confidentiality is lost so is exclusivity, and the information is in the public domain.
The Supreme Court of Canada in 1998 also weighed in on the issue of data ownership in the criminal law context. It ruled in R. v. Stewart that information could not be stolen for the purposes of the crime of theft largely because of its intangible nature. Someone could memorize a confidential list of names without removing the list from the possession of its owner. The owner would be deprived of nothing but the confidentiality of and control over the information, but they would still have that information.
It’s a basic principle of copyright law that facts are in the public domain. There’s good reason for it. Facts are seen as the building blocks of expression, and no one should have a monopoly over them. Instead, copyright protects only original expression of facts. Under copyright law, for example, it’s possible to have protection for a compilation of facts. The original expression that’s protected lies in the way in which the facts have been selected or arranged.
It’s only the selection or arrangement that’s protected and not the underlying facts. That means those who create compilations of facts may face some uncertainty as to the existence and scope of any copyright. The Federal Court of Appeal recently ruled that there was no copyright in the real estate listing data of the Ontario Real Estate Board.
Of course, the growing value of data is driving some interesting arguments and decisions in copyright law. A recent Canadian case raises the possibility that facts are not the same as data under copyright law. This issue has also arisen in the United States. Some data are arguably authored in the sense that they would not exist without efforts to create them. Predictive data generated by algorithms are an example of this or data that requires skill, judgment and interpretation to generate.
Not that many years ago, Canada Post advanced the argument that they had copyright in a postal code. That’s an example of an argument that there’s ownership right in data.
In the U.S., a handful of cases have recognized certain data as being authored, but even in those cases copyright protection has been denied on other grounds. According ownership rights over data, and copyright law provides a very extended period of protection, would create significant issues for expression, creation and innovation.
The other context in which the concept of data ownership arises is in relation to personal information. Increasingly we hear broad statements about how individuals own their personal information. Those are not statements grounded in law. There’s no legal basis for individuals to be owners of their personal information. Individuals have interests in their personal information. Those interests are defined and protected by privacy and data protection laws, as well as by other laws relating to confidentiality, fiduciary duties, and so on.
The GDPR in Europe was a significant expansion and enhancement of these interests. Reform of PIPEDA in Canada, if it ever happens, could similarly enhance the interests that individuals have in their personal data.
Before I speak more directly of those interests, and in particular of data portability, I want to mention why it is difficult to conceive of interests in personal data in terms of ownership. Think about what personal data you could be said to own and what it would mean.
Some data is observable in public contexts. Do you own your name and address? Can you prevent someone from observing you at work every day and deciding that you are regularly late and have no dress sense? Is that conclusion your personal information or their opinion or both?
If your parents’ DNA might reveal your own susceptibility to particular diseases, is their DNA your personal information? If an online bookstore profiles you as someone who likes to read young adult literature, particularly vampire themed, is that your personal information, or is it the bookstore’s, or is it both?
Data is complex and there may be multiple interests implicated in the creation, retention and use of various types of data, whether it’s personal or otherwise. Ownership or right to exclusive possession is a poor fit in this context. The determination of ownership on the basis of the personal nature of the data will overlook the fact that there may be multiple interests entangled in any single datum.
What data protection laws do is define the nature and scope of a person’s interest in their personal information in particular contexts. In Canada, we have data protection laws that apply with respect to the public sector, the private sector and the health sector. In all cases individuals have an interest in their personal information, which is accompanied by a number of rights.
One of these is consent. Individuals generally have a right to consent to the collection, use or disclosure of their personal information, but consent for collection is not required in the public sector context, and PIPEDA has an ever-growing list of exceptions to the requirements for consent to collection, use or disclosure. This shows how the interest is a qualified one.
Fair information principles reflected in our data protection laws place a limit on the retention of personal information. When an organization has collected personal information that is now no longer required for the purpose for which it was collected, their obligation is to securely dispose of it, not to return it to the individual. The individual has an interest in their personal information but they do not own it. As data protection laws make clear, the organizations that collect, use and disclose personal information also have an interest in it. They may also assert some form of ownership rights over their stores of personal information, whether under copyright law or as confidential information.
As I mentioned earlier, the GDPR has raised the bar for data protection world wide. One of the features of the GDPR is that it greatly enhances the nature and quality of the data subject’s interest in their personal information. The right to erasure, limited though it might be, gives individuals control over personal information that they may have at one time shared publicly. The right of data portability, a right that’s reflected to some degree in the concept of open banking, is another enhancement of the control exercised by individuals over their personal information.
What portability means in the open banking context is that individuals will have the right to provide access to their personal financial data to a third party of their choice, presumably from an approved list. While technically they can do that now, it’s complicated and not without risk. In open banking, the standard data formats will make portability simple and will enhance the ability to bring the data together for analysis and to provide new tools and services.
Although individuals will still not own their own data, they will have a further degree of control over it. Thus, open banking will enhance the interest that individuals have in their personal financial information. That’s not to say it isn’t without risks and challenges, and I know you’ve heard a number of those.
Thank you for your attention. I look forward to your questions.
The Chair: Thank you very much. It’s complicated, isn’t it? I think it’s complicated.
Senator Stewart Olsen: Thank you for your presentation. I think it would surprise most Canadians because most Canadians think that we own what’s ours. It’s a little unsettling.
Do you know how Great Britain and Australia have handled the personal data issue of who owns it? Could we learn from that?
Ms. Scassa: I think legally it’s similar to the way it is in Canada. There’s no ownership right. I was reading the transcripts. I believe the Australian representative who spoke to this committee also said that there was no ownership right in Australia. It really is a question of interests and personal data.
One of the things that’s happened in the EU, and in the U.K. as well through the GDPR, is a significant enhancement of the interests of the data subject. The interests are stronger and there are more rights associated with those interests, but ownership is not one of them.
Senator Stewart Olsen: In your opinion would that be something that Canada should look at, or is it even possible to do?
Ms. Scassa: It’s certainly possible to do. PIPEDA and the other data protection statutes give Canadians an interest in their personal information, and a number of rights along with that interest in their personal information.
It’s certainly open to the government to enhance the nature and quality of those rights, to add a data portability right in some form or another, to enhance or strengthen consent, and to add a right of erasure or a right to be forgotten. All of these things are possible. It’s a question of what the government chooses to do with them.
Senator Wallin: I would love to ask the chair if we could have you back to talk about the right to erasure and to look at the role of the media in continuing to post information online that isn’t correct.
I am assuming you have views on that.
Ms. Scassa: On the right to erasure and the right to be forgotten, the Privacy Commissioner currently has a reference case heading to Federal Court on this issue.
It raises enormously important issues of freedom of expression, freedom of the media, and the rights of the media. There are a lot of very interesting issues in there.
Senator Wallin: Yes, and the court seems to have been ruling in favour of the media on some occasions.
You’ve gone right to the point because the 1988 Supreme Court ruling you referenced is about a thousand light years ago, and so much has changed in that time.
On this issue, do you think that we need to create some of these bodies or perhaps, as the Australians have done, a legislative definition of a consumer data right, then test it or ask for a reference, or test it in some real life situation? What’s your thinking around that?
Ms. Scassa: One of the things that our Privacy Commissioner has done recently in a number of contexts is argued that Canada needs to adopt a rights-based approach to privacy in Canada, the idea being the way in which PIPEDA was framed as this compromise between the needs of business to collect, use and disclose personal information and the interest of individuals and their data.
This balancing compromise is seen as being too weak now in a big data economy where everybody is trying to collect as much data as possible and individuals are left with very limited ability to realistically control what happens with their personal information.
The argument that we need to move to a rights-based framework would shift the balance and start with the rights of the individual, recognizing there are interests in collecting, using and disclosing that information, but with the rights of the individual up front and perhaps with more mechanisms for individuals and the commissioner to enforce and protect those rights.
Senator Wallin: This is literally off the top of my head. When we talk about legislation needed for a consumer data right to start that shift that you discuss, is that something that you think could helpfully or realistically be done as a stand-alone project?
Say I put some legislation forward in the Senate saying that I believe in a consumer data right, and it goes to the House of Commons and it’s magically accepted there.
Senator C. Deacon: Dream world.
Senator Wallin: Yes, a dream world. I am just dreaming. Would that at least start to form the basis for some of this discussion?
As you heard in our earlier panel, every time we talk about what the body is going to be, we then get into all of the discussions about all the various government departments that are going to look at this. Then they’re going to consult, and the horse is so far out of the barn.
Ms. Scassa: It was in 2000 or 2001 that Senator Sheila Finestone introduced a privacy charter. I can’t remember the exact title, but I will call it a privacy charter in the Senate. The goal there was to create a kind of bill of rights for privacy, setting out some basic privacy principles. This was before PIPEDA. PIPEDA was still in the bill stage. We hadn’t had private sector consumer data protection up to that point, and it wasn’t successful.
What the Privacy Commissioner has been talking about seems similar to that. I don’t know in terms of what he would like to see. I don’t know if it needs to be done as a separate, free-standing privacy bill of rights implemented by data protection laws among other things, or whether it would be significantly reworking PIPEDA and perhaps the Privacy Act so that they start with rights and then get into the details.
Senator Wallin: We are trying to figure some mechanisms as we create a report to actually move the ball forward instead of saying that we really should. We all know we really should.
I am personally in search of some mechanisms that might help that.
Senator Klyne: I think my question might have been answered. We seem to continually keep coming back to data ownership. We think we have it solved, and then another issue comes up.
I am getting wiser as we go along. At the expense of flogging this horse one more time, the whole aspect of data ownership, consent and control seems to be getting a little blurred and tossed around in various jurisdictions looking at GDPR or CDR and now PIPEDA.
At the end of the day, if you think about where this is going, whether it’s right-based ownership, and what we have available to us, what would be your one strong recommendation? Whatever you do, do not miss this.
The Chair: Or, you could make it two or three.
Senator Klyne: What’s keeping you up at night?
Ms. Scassa: A lot of things are keeping me up at night. If I had to really narrow it down, it is extremely important in the focus on the data protection piece not to lose sight of the surveillance piece when it comes to privacy. There is a tremendous overlap between the collection of personal information in the private sector and surveillance, both in terms of private sector and of public sector surveillance.
All of the data collected by the private sector is available in one way or another to law enforcement and national security. The more data is collected in the private sector, the more is available.
If you think about open banking, the idea that open banking will take all consumers’ financial information from across all banks, credit card companies and so on and render it into standardized formats, there are enormous consumer benefits. You have heard a lot about how it can stimulate innovation.
If you think about the incredible potential all of that standardized financial data would provide for running data analytics to look for the indicators of financial fraud, money laundering, tax evasion, and all of these sorts of things, then you have really just enabled another dimension of the surveillance state.
While there is a public interest in detecting and catching that criminal activity, there are also real risks with opening those doors without providing the additional safeguards required to ensure that we don’t have constant fishing expeditions or this level of surveillance where all of us are being watched at all times, based on the data we leave behind.
My one big thing was: Don’t lose sight of the fact that anything that happens in the private sector with collection of personal information also has implications in terms of surveillance. Appropriate measures have to be thought of to address the extent to which access is provided to data and the conditions under which that access occurs.
Senator Klyne: That keeps me up at night.
The Chair: Thank you for that, Senator Klyne.
Senator Wallin: I want to come back to the line you used when talking about consent:
Individuals generally have a right to consent . . . but consent for collection is not required in the public sector context, . . .
Ms. Scassa: Yes.
Senator Wallin: Is that what you were just referring to?
Ms. Scassa: No. Governments have to provide notice of collection, but consent isn’t typically a requirement because there is a sense that governments have to do what they have to do.
You can’t decline to give consent to provide your personal income tax information. There are a whole range of contexts where you simply have to provide information to the government in order to receive services.
Senator Wallin: I am just thinking, on Senator Klyne’s point, if the banks have all the information and the government under the surveillance state rules has the right to look at it because they are searching for money laundering activity, once you put it in the public sector we don’t have the ability to contest it.
Ms. Scassa: There has been some really interesting case law starting to bubble up around production orders and warrants issued in the criminal context, but for very large volumes of data.
The typical case is a so-called tower dump warrant, where police are conducting an investigation and want data from three cellphone towers in the vicinity of a crime, which was committed, and then are going to look through all that cellphone data. They can go to court, and they require judicial authorization for that.
There are some interesting issues about how ordinary citizens get to raise Charter issues or privacy issues. Those are ex parte hearings. The individuals don’t necessarily know that this is taking place, or that their data was captured by those cellphone towers.
How do the privacy interests of the public even get before the courts? Sometimes the telecos raise those issues on behalf of them, but there are also issues about what happens to that data after it has been provided to the police under a production order and about whether any terms and conditions are placed on the secure retention, disposal and destruction of the data so that it can’t be used for other purposes.
There is a lot of detail that isn’t necessarily well attended to. The more we create searchable troves of private sector data, the more we have to attend to the detail of how we are going to make sure that access to that is appropriate and subject to oversight.
Senator C. Deacon: Dr. Scassa, I am moving my questions as my colleagues are asking theirs because you are opening up this whole question in a very important way.
I am struggling with the tension of our need to move swiftly because of the risk of losing global business opportunities, the need for our social and economic well-being, and the need for consumers to control and be informed in terms of their own use of data and how it’s being used around them.
Could you look to the Baltic states in one way of the ways they have moved into the govtech area? I know this is separate from open banking or consumer-directed banking, but I think there is a connection that every time their data is touched within government they are informed. The individuals at the origin of those data are informed.
I am really starting to feel that the transparency in this world in terms of how your data is being used and control over how your data is being used are probably the only places where we can actually make some real movement today in the shorter term because of all the complexities in law. We have to move swiftly in order to protect Canadians from what’s already going on. There are already 3.5 million Canadians who are in an unregulated environment.
Could you speak a bit about the transparency side and whether or not I am on the right track with that?
Ms. Scassa: Yes. I think that what Estonia has managed to do is impressive and interesting. Certainly, that kind of tracking is possible and is implemented in some contexts in Canada. If you go to a hospital in Ottawa and you are subsequently concerned that someone at the hospital has inappropriately accessed your health care data in the hospital systems, there is actually an auditing mechanism to check on who has accessed the data. These things are technologically possible, are implemented in some circumstances and can be very privacy protected.
Estonia has enormous advantages, or at least a couple of enormous advantages on the tech side, over Canada. One is that it’s small, so doing something like this is a much less daunting prospect than it is in Canada.
Senator C. Deacon: Just to be clear on that important point, only because it is one jurisdiction not suffering from federal and provincial actors.
Ms. Scassa: That was going to be my second point. I was thinking about how to frame that delicately.
I grew up in this country. I understand the value of federalism and I understand the diversity that exists across the country. I don’t want to be disrespectful to a political structure that has served Canadian society in some important ways. However, in the digital context, federalism is proving to be a real problem. I am not sure what the solution is. Normally, the solution would be for everybody to sit down and come to some agreement.
The Chair: No, that doesn’t work.
Senator C. Deacon: Could I drill into that a bit? We need to hack a solution here, an imperfect solution. Is there ability for the federal government to lead in some ways and allow provinces to opt in? The reason I say that is that these businesses are movable very quickly. They can come into Canada or out of Canada. They will leave Canada if we don’t have the right regulatory framework for them to be successful, but Canadians need to be protected. That balance is important.
If the federal government were to lead and allow provinces to opt in, there is both an economic benefit and a consumer benefit that provinces could be able to deliver quite rapidly. Is there that leadership opportunity potentially?
Ms. Scassa: There is, and the federal government has done it with other things in the past. For example, the federal government has shown a lot of leadership on open data and has worked to develop data standards and a standard open licence that could be adopted by provinces and municipal governments to increase the interoperability of open data in Canada. That’s an example of that kind of leadership.
PIPEDA is an example, in a sense, because it was national private sector data protection law enacted in the face of a lot of constitutional queasiness. Every once in awhile constitutional issues bubble up around PIPEDA, but less now than they used to. It was essentially one of those schemes where, if the provinces didn’t come up with their own legislation, PIPEDA would apply to the provincial private sector in terms of data protection. That’s another example, as is open banking to some extent.
I know you have heard of the situation of credit unions, which are under provincial jurisdiction. We are going to move forward with this issue. I know the federal government is in conversation with provinces around the issues of credit unions and caisses populaires.
This is another example of where some leadership can be shown, but it has to be done carefully. There are risks and challenges, and to some extent those can slow things down.
[Translation]
Senator Dagenais: Thank you, Ms. Scassa, for your presentation.
Do you have any idea how many Canadians are, I wouldn’t say reckless, but who don’t necessarily care about the personal information that circulates about them?
Ms. Scassa: I don’t have any figures, but in my experience, I would say that it’s the majority, and maybe even all Canadians, because it’s really impossible to know where our personal data goes. This is a considerable problem and a lack of control. We are talking about the control rights that exist over personal information for individuals, but the reality is that, in many contexts, we have completely lost control.
Senator Dagenais: It can become a concern.
Ms. Scassa: Absolutely.
Senator Dagenais: When we talk about adopting a new system, it can be dangerous if we don’t have all the guidelines in place. Unless I’ve misunderstood, it seems to me that our rules may contain a black hole. Where should the government take priority action to enhance consumer protection?
Ms. Scassa: I believe that the reform of the act respecting the protection of personal information in the private sector is a good starting point. There has been talk for many years of reforming this legislation, as it is becoming increasingly ill-suited to our digital environment. I’d start there.
Senator Dagenais: I’ll give you an example; often, we travel with our tablets or cell phones and, when we return to Canada, we end up with information that we have not given or that is found indirectly. We have a lot of questions, because I would tell you that I think we have to be careful when travelling with electronic devices. Often, to subscribe to certain services, we quickly provide our email address and then find out that these companies have much more information than that. The government will have to take a serious look at the issue of privacy and discuss it with other countries, because it sometimes tends to come out of Canada.
Ms. Scassa: There you go. It is interesting; it is certainly not the majority of companies that decided not to do business in Europe after the General Data Protection Regulation came into force, but there are some American companies that we do business with or the websites of these companies that have decided not to do business in Europe anymore, because of this high protection of personal information. What message does it send?
Senator Dagenais: Thank you very much, Ms. Scassa.
Senator Verner: Thank you very much. Following on from the questions that have already been asked by my colleagues, I have already received a number of answers or at least comments. Still, I’d like to go back to the ownership of our personal information. It’s more of a comment than a question, but it seems disturbing to me that we don’t have our own personal information. However, if there are problems, justice looks to us to solve them. I am referring in particular to identity theft, where consumers find themselves defending their names. However, at the outset, they were told that they didn’t own their data. It seems to me that there is a contradiction in these statements.
You did speak in your presentation, because that was my question, either about a fundamental reform of the federal Personal Information Protection and Electronic Documents Act or about a new act that would apply mainly to financial data in a digital context.
My question is this: Which option do you prefer? I think you mentioned to my colleague that it would certainly be the Privacy Act in a context of such rapid technological change that would deserve attention.
In this context, in the case of other countries that have implemented an open banking system, because we all want to be at the forefront and be part of the future, what privacy tool do they have? Do they have more comprehensive laws than ours here in Canada?
Ms. Scassa: This is certainly the case in the United Kingdom, where the protection of personal information is much more substantial. In Australia, I believe that responsibility has been assigned to the competition bureau. I am not sure exactly what they are doing in this area to protect personal information. Moreover, I believe that the laws are not yet in force, so these countries have no practical experience in their implementation.
Whether an amendment is made to a banking law, perhaps to provide for privacy issues in the context of an open banking system, or whether the Privacy Act is used instead, it would certainly be possible to have specific protections in a sectoral law created for an open banking system. This may be necessary in some contexts.
For example, should a general right be created in the Privacy Act on the issue of data portability, or is it done sector by sector? It may be more practical, and individuals may be better protected if we go sector by sector with specific terms, rather than a general law that is impractical in some contexts because, even if there is a right of access to portability, there is no standardization of data.
Senator Verner: Clearly, it isn’t easy to implement an open banking system. As for your comment about Canadians in the small business sector who want to join the open banking system, I note that the vast majority are not really aware of how their information flows. I think it will be a major project when we want to move this project forward. Thank you very much.
Ms. Scassa: Yes.
[English]
Senator Marshall: Thank you for a very interesting presentation. You mentioned in your opening remarks about the disposition of personal information that’s no longer required. Is there something in place now, and what would you see a disposition covered under an open banking scenario?
In your opening remarks you say, “collect personal information.” If it’s no longer required, the obligation is to securely dispose of it. That’s really grey when it’s no longer needed. I can see organizations wanting to retain whatever they have and never dispose of it.
Do you see some sort of regulation around this? What is there now and is it satisfactory? What would it be under an open banking system?
Ms. Scassa: Now PIPEDA certainly requires limits on data retention. Those limits are meant to be tied to the purpose for which the data was collected. When it’s no longer necessary for that purpose, it has to be disposed of. In a big data economy, the temptation is to hang on to all data for as long as possible because you never know what it will be useful for or what you can do with it. That can put individuals at enormous risk.
In a number of ways, they can be put at risk because the more data is stored, the more data is vulnerable to hacking. It can also put them at risk in the sense that there can be all kinds of old and out-of-date data about them that may be used to profile them or to inform decision making about them. That is certainly a challenge with respect to data retention. With the problems of data being everywhere and not knowing where it’s ended up, it’s also a difficult one to control.
In terms of banking, there are fairly strict regulations about the retention of certain types of financial information. Banks have to keep certain types of records for prescribed periods of time. Those are generally fairly well regulated. I am not sure, but I would expect the major banks would also have data retention policies and practices where they specify how long certain data is kept and when it is to be disposed of.
Senator Marshall: And that they will comply. Once you move to open banking, my perception is that the open banking system will be more open, and that you have more players in there accessing the information. Even in regulation, I know there might be a requirement with regard to the secure disposal of records, but who makes sure the data that is supposed to be disposed of is actually disposed of and that it is done securely?
I remember a case several years ago where medical records were supposed to be disposed of and they were all found in a dumpster. Is there any way to make sure that what is supposed to be done is actually done?
Ms. Scassa: The best way to do it is to make organizations accountable for their practices. That’s partly why the discussion has been going on around enforcement under PIPEDA and whether the Privacy Commissioner needs additional tools at his disposal because the enforcement mechanisms are fairly weak. Usually what happens is that there is a data breach or it comes to the surface that something hasn’t been done. The argument around enforcement is that if you can send a strong message, then that’s how you get companies to invest more into making sure their practices are both in place and complied with. I think that informs that discussion.
There is an interesting around open banking, portability and access that I was listening to Mark Schaan talk about. I am going to try to corner him at some point and talk to him about the intersection between the access right under PIPEDA, because he was talking about the general law, and any data portability right that might arise under open banking. The discussions I have heard so far around open banking have talked about having standardized financial data that customers get to control. They get to decide which companies are on a list of approved companies. The regulator is also involved in making sure that these companies are vetted so that they can share their data.
PIPEDA has the general right of access to data. Mark Schaan talked a bit about access right, and that is a law of general application. It seems to me that once you create accessible and portable data in standardized format under open banking, unless you specifically modify or limit the access right under PIPEDA customers will still have the right to access their data, based on the PIPEDA access rights. They can take that data and give it to anyone they want to whether or not they are approved. That means third party companies that haven’t been approved and maybe operate in other jurisdictions could advertise their services to individuals or promote their services to individuals who might decide to port their data to them.
In the same way we are told open banking will protect Canadians against screen scraping. By creating authorized companies and giving them those options, I think there will be a protective element. I am interested in how you reconcile standardized portable data with the right of access under PIPEDA and the fact there will still be others who are interested in encouraging consumers to exercise that right and then share that data. I think that’s something that is worth thinking about.
Senator Marshall: That’s a big vulnerability. When I think about your comments on the surveillance state in the context of what you have just talked about with regard to the disposal of data, it could be frightening and could lead you to stay awake at night.
The Chair: We have lots of reasons now.
Senator Duncan: Thank you, Senator Marshall, for raising the point of health care records. If you will permit me, in the early 2000s Prime Minister Chrétien raised an issue in conversation about former Minister Lalonde seeking medical treatment in British Columbia. It was a discussion about how come your health care card will not give your doctor the information you need when you are travelling across the country. This is something we have everywhere. That gave birth to, I believe, Canada Health Infoway and that whole system.
We have a complete patchwork of operating systems across the country. On the upside, we have the ability to bill interprovincially, and it works really well and payments are made. Services are rendered and payments are exchanged between the provinces. Of course, it’s a provincial responsibility.
Aren’t there some applications in that whole exchange of information with which the Privacy Commissioner and Dr. Scassa might be familiar? All of the provincial protection of privacy commissioners have ruled on health care records, disposal of records and breaches of confidentiality.
Are there some parallels? Are there some lessons to be learned that could be applied in our desire for regulation and a framework or a regulatory sandbox around this? To the point of surveillance, it could also help doctors, if we were able to exchange information about drug-seeking clients and pharmacare across the country.
There are parallels, but try to assess your health care information. Good luck, if it’s not you.
The Chair: What do you have to say about that, Dr. Scassa?
Ms. Scassa: Sector-specific data retention limits are easier to define. One of PIPEDA’s challenges is that it applies across many different types of private sector organizations and activities. The principles tend to be framed in very general terms, and what will be a reasonable retention period will vary depending on the nature of the organization, its size, and all of those sorts of things. It’s harder to have clearly defined limits or restrictions. If you’re talking about a specific sector, I think you can be more prescriptive.
That’s one piece to think about in the context of the discussion on how to implement open banking, how much of it is sectoral, and how much is managed by the broad cross-sectoral legislation like PIPEDA.
Open banking is a very interesting test case in terms of the mobilization to standardize data across the country and across various different organizations and companies that hold that data and of making it portable and interoperable. This is a very interesting piece that was chosen for a variety of different reasons. It will, if it goes ahead, provide important lessons for other sectors in Canada as well.
Senator Duncan: If we’ve tried to do it with health information, are there not lessons that we could learn and apply to this discussion? That’s my question. Sorry if I wasn’t clear.
Ms. Scassa: I think the contexts are a bit different when you’re dealing with the private sector. Perhaps there’s a bit more agility than with government, so they can move faster. They already have to share information among each other for a variety of different purposes. They work together on a number of issues and in many respects.
It’s probably easier to do it in the financial sector and the banking sector than it is in health care sectors across provinces. Even within a single province, you will have different hospitals using different medical data systems. There’s a lack of coordination and interoperability that you have to overcome in the first place in the health care sector, whereas banking has the agility of the private sector, is well established, and talk to and interact with each other.
The Chair: Perhaps we can leave it there. We’re now five minutes over, but we have one last question from Senator Deacon, if we can be mindful.
Senator C. Deacon: I think you just said what I was hoping to get an answer on. I want to confirm and make sure I get it on the record to the positive or the negative.
The mobilization of standard data practices in the area of banking across this country could be a very effective test case in helping us to develop how this might be rolled out further.
Ms. Scassa: Yes.
Senator C. Deacon: It seems to have the conditions for success or necessary to really see what needs to be done.
Ms. Scassa: Yes, I think that’s right. Certainly this kind of data sharing for innovation purposes and for consumer purposes is being talked about in a lot of different contexts. Yes, I think it is an important test case. I think it’s a sector where there is some potential for success because of the sophistication of the players.
Senator C. Deacon: The fact the horse has already bolted the stable and in light of the data around the world, in my mind this would seem to be an urgent issue for us to make headway on. It’s already happening out there. If we start to bring forward some regulation and containment, we will all win.
Ms. Scassa: There’s a certain urgency to moving on these things. I would hope and would like to see in the “we will all win,” some significant privacy reform come out of this.
Senator C. Deacon: Fair enough, absolutely.
Ms. Scassa: I would also like to see some things that are not just for the financial sector but also take into account the needs and rights of individuals.
Senator C. Deacon: Thank you very much, Dr. Scassa.
The Chair: Senators, thank you. Dr. Scassa, it’s great to have you back with us. You’re not only intelligent. You’re extraordinarily articulate, and we benefit from hearing you. Thank you very much.
Ms. Scassa: Thank you.
(The committee adjourned.)