Canada: Data Protection in the Financial Sector
1. Governing Texts
In Canada, the collection, use, and disclosure of personal information is governed by privacy legislation, as well as legislation specifically governing the financial sector.
Depending on the financial entity and the information involved, different legislation and guidelines may apply, according to:
- the type of personal information and/or type of financial information involved;
- the nature of the activity as it relates to the information;
- the organisation involved, for example whether the financial institution is federally or provincially regulated, or both; and
- the location of the collection, use, disclosure, storage, or other processing of the information, and whether that information is transferred across provincial or national borders.
The following private-sector privacy legislation applies to businesses collecting, using, and disclosing personal information (including that of a financial nature):
- Federal: Personal Information Protection and Electronic Documents Act, SC 2000 c 5 ('PIPEDA')
- British Columbia: Personal Information Protection Act, SBC 2003 c 63 ('BC PIPA')
- Alberta: Personal Information Protection Act, SA 2003 c P-6.5 ('AB PIPA')
- Quebec: Act respecting the protection of personal information in the private sector, CQLR c P-39.1 ('QC Act')
The three provincial statutes have been declared substantially similar to PIPEDA and therefore apply instead of PIPEDA to the collection, use, and disclosure of personal information within each province. PIPEDA continues to apply where personal information crosses provincial or national borders, and to any 'federal work, undertaking, or business'. Banks are federal works, undertakings, or businesses, so PIPEDA applies to them regardless of the province in which they operate.
The QC Act was recently amended to overhaul the regulatory regime in Quebec. Some of the new requirements will come into force in September 2022, with the remainder in September 2023. This note will refer to the new requirements, as applicable.
The following finance-specific legislation may apply to federally or provincially regulated financial institutions such as banks and federally regulated insurance companies:
- Proceeds of Crime (Money Laundering) and Terrorist Financing Act, SC 2000 c 17 ('PCMLTFA');
- Bank Act, SC 1991, c. 46 ('Bank Act');
- Insurance Companies Act, SC 1991, c 47 ('Insurance Act');
- Office of the Superintendent of Financial Institutions Guideline B-10: Outsourcing of Business Activities, Functions and Processes;
- Provincial credit union or caisse populaire legislation; and
- Provincial Insurance Acts.
Federally incorporated financial institutions are governed by federal statutes: banks and federal credit unions by the Bank Act, trust and loan companies by the Trust and Loan Companies Act, SC 1991, c 45, and insurance companies by the Insurance Act. Banks fall exclusively within federal jurisdiction, whereas insurance intermediaries such as brokers and agents, and provincially incorporated financial institutions, are subject to provincial or territorial regulation.
There are provincial and territorial statutes governing credit unions that contain provisions relating to the confidentiality of transaction information. Similarly, many provinces have legislation with respect to consumer credit reporting and generally impose specific obligations to credit reporting agencies, such as ensuring accuracy of the information and restricting the disclosure of the information under their control.
There are also many organisations that are not traditional financial institutions but that process personal and financial information and are subject to sector-specific regulation and, in some instances, to money laundering reporting requirements. Examples include accounting firms, casinos, and notaries public.
1.2. Supervisory authorities
The Canadian banking sector is regulated by the Bank Act and is overseen by the Office of the Superintendent of Financial Institutions ('OSFI'). The Financial Transactions and Reports Analysis Centre of Canada ('FINTRAC') oversees compliance with the PCMLTFA and its regulations. FINTRAC is Canada's financial intelligence unit, mandated to detect and deter money laundering and the financing of terrorist activities.
The private-sector privacy legislation referred to above is overseen by the relevant provincial or federal privacy commissioner. Chief among these is the Federal Office of the Privacy Commissioner of Canada ('OPC').
2. Personal and Financial Data Management
2.1. Legal basis for processing
Canada's privacy law regime is consent-based. Subject to defined exceptions, personal information may be processed only with an individual's knowledge and informed consent. The OPC describes this as 'meaningful consent'. The individual must also be notified of the purposes for which their personal information is being collected before or concurrently with obtaining consent. Consent can be express or implied. The appropriate form of consent depends on the sensitivity of the information, the reasonable expectations of the individual, and the risk of harm flowing from misuse of the information. If it is impractical to obtain consent before collection or if consent for additional uses is sought, consent may be obtained after collection but before use.
Individuals must be given sufficient information to make an informed decision with respect to whether to give consent. This involves providing an individual with information on what personal data is collected, how it will be used and disclosed, and the consequences of providing or refusing consent if those consequences are not obvious.
Under the amended QC Act, express consent will be necessary for certain uses of sensitive personal information. This will likely be interpreted to include certain categories of financial information.
There are no sector-specific requirements for financial institutions, however, as indicated above, financial institutions are subject to PIPEDA and the substantially similar provincial statutes. Organisations must make available information on their policies and practices relating to personal data. Under PIPEDA, the following information is expected to be available from organisations, including financial institutions:
- the name or title and address of the privacy officer or equivalent;
- instructions on how to access personal data held by the organisation;
- a description of the types of personal data collected and the uses made of that personal data;
- an explanation of the organisation's policies, standards, or codes; and
- a description of what personal data is shared with related organisations (e.g., the organisation's subsidiaries).
The privacy legislation imposes no finance-specific requirements in relation to data security and risk management. Under PIPEDA, organisations, including those in the financial sector, must implement safeguards appropriate to the sensitivity of the personal data. Safeguards should combine physical, technical, and administrative controls to protect personal information against loss or theft and against unauthorised access, disclosure, copying, use, or modification. Regulatory and self-regulatory bodies have, however, published additional guidance, particularly on cybersecurity: OSFI and the Investment Industry Regulatory Organization of Canada ('IIROC') have both issued cybersecurity guidance, and OSFI's Technology and Cyber Security Incident Reporting Advisory requires federally regulated financial institutions to report technology and cyber security incidents to OSFI, an obligation that is separate from the privacy breach notification requirements discussed below.
Canadian privacy legislation requires organisations to retain personal data only for as long as necessary to fulfil the purpose for which it was collected. PIPEDA recommends that organisations develop retention guidelines, which should include minimum and maximum periods as well as procedures for the safe and secure destruction of data. Personal data that has been used to make a decision about an individual must be retained long enough to allow the individual to access the information after the decision has been made. Under the BC PIPA, an organisation must retain that information for at least one year if it uses an individual's personal data to make a decision that directly affects the individual.
Individuals, financial institutions, and certain organisations, including but not limited to banks, insurance companies, credit unions, accounting firms, real estate brokers, and casinos in Canada are subject to the PCMLTFA and to its regulations.
Together, the PCMLTFA and its regulations require regulated entities to undertake compliance activities that primarily include:
- a documented compliance program;
- know your client or identification protocols;
- ongoing monitoring and business relationship requirements;
- reporting of certain transactions; and
- record keeping.
While the PCMLTFA and FINTRAC outline details for each of the above-listed requirements, several financial entities that belong to sector-specific associations, including insurance companies, real estate brokerages, and securities dealers, have additional guidelines with respect to these requirements.
As an example, securities dealers, defined as 'persons and entities authorized under provincial legislation to engage in the business of dealing in securities or any other financial instruments or to provide portfolio management or investment advising services, other than persons who act exclusively on behalf of such an authorized person or entity', under PCMLTFA, are also regulated by IIROC. Securities dealers are also governed by dealer member rules. IIROC has produced several compliance guidelines, including the Anti-Money Laundering Compliance Guidance that details anti-money laundering and countering the financing of terrorism requirements applicable to securities dealers.
The following expands on the five requirements listed above; as mentioned, additional requirements may apply to specific financial institutions.
Compliance program
Institutions subject to the PCMLTFA must have a compliance regime in place that includes the following elements:
- the appointment of a compliance officer;
- the development and application of written compliance policies and procedures;
- the assessment and documentation of the risks of money laundering and terrorist financing, and measures to mitigate high risks;
- the implementation and documentation of an ongoing compliance training program; and
- a documented review of the effectiveness of policies and procedures, a training program, and a risk assessment which must be conducted every two years at a minimum.
Know your Client / Identification
The requirement to identify a client, whether the client is an individual or entity, is determined by the type of transaction or activity as well as the specific financial institution. FINTRAC provides guidelines specific to each financial entity, including methods to identify clients and ongoing monitoring requirements.
As an example, FINTRAC requires securities dealers to follow certain identification measures for the following individuals or entities:
- any individual who conducts a large cash transaction;
- any individual who signs a signature card;
- any individual who is authorised to give instructions for an account;
- any corporation or other entity for which the securities dealer opens an account (including reasonable measures to obtain beneficial ownership information).
The guidelines also list the documents acceptable for confirming the existence of the above individuals or entities. For example, to confirm a corporation and its contact information, FINTRAC accepts a certificate of corporate status, a record that must be filed annually under provincial securities legislation, a notice of assessment, or a published annual report signed by an independent auditing firm.
Ongoing monitoring and business relationship requirements
Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (SOR/2002-184), under PCMLTFA, requires financial entities to determine and implement a period of review of all information regarding the clients with which it has a business relationship. A financial entity is automatically in a business relationship with any client that holds an account with it, or with any person or entity with which it has conducted two transactions or activities within five years and where it was required to verify the identity of the individual or confirm the existence of the entity.
PCMLTFA requires entities to conduct a risk assessment for each client in order to determine the level of risk they pose in relation to committing a money-laundering or terrorist activity financing offence. The risk level will in turn inform the frequency of monitoring. Clients identified as posing a low risk will require less frequent monitoring than those in the high-risk category.
The following are examples of when a business relationship is established with a person or entity posing a higher risk:
- when the business relationship is with a foreign politically exposed person ('PEP');
- when the business relationship is with a family member or close associate of a foreign PEP;
- when the business relationship is with high-risk domestic PEPs, heads of international organisations, or their family members or close associates; and
- when the business relationship with the client is determined to pose a higher risk based on the information the institution has obtained through ongoing monitoring.
In addition, a financial entity that provides services such as international electronic funds transfers, cash management, and cheque clearing to a foreign financial institution that does not have anti-money laundering and anti-terrorist financing policies and procedures in place must take reasonable measures to conduct the ongoing monitoring of all transactions within that banking relationship.
Reporting
Financial information on large cash transactions, suspicious transactions, and large electronic funds transfers, such as transfers of CAD 10,000 (approx. €7,140) or more into or out of Canada, must be reported to FINTRAC.
In general, FINTRAC requires entities subject to the PCMLTFA to report in the following circumstances:
- where there are reasonable grounds to suspect that a transaction, or an attempted transaction, is related to the commission, or attempted commission, of a money laundering offence or a terrorist financing offence (suspicious transactions);
- where the entity knows that there is property in its possession or control that is owned or controlled by, or on behalf of, a terrorist or a terrorist group (terrorist property);
- when large cash transactions involving amounts of CAD 10,000 (approx. €7,140) or more are received in cash (large cash transactions);
- when the entity sends or receives instructions to transfer CAD 10,000 (approx. €7,140) or more internationally within a 24-hour period; or
- when the entity disburses CAD 10,000 (approx. €7,140) or more in casino disbursements within a 24-hour period.
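For transaction monitoring purposes, the threshold-based triggers above reduce to aggregating each client's transactions of a given kind over a rolling 24-hour window and comparing the total with CAD 10,000. The following is an added example, not code from this page, from FINTRAC, or from any regulator, showing that window logic in Python. It assumes amounts are already in CAD, timestamps are in a single time zone, aggregation is per client and per transaction kind, and a gap of exactly 24 hours still falls inside the window; the ledger is constructed sample data.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

THRESHOLD_CAD = 10_000          # reporting threshold discussed on the page
WINDOW = timedelta(hours=24)    # aggregation window assumed for this example

# Constructed sample ledger; not real transaction data.
# Fields: client_id, ISO-8601 timestamp, transaction kind, amount in CAD.
SAMPLE_LEDGER = [
    ("C-1001", "2024-03-01T09:15:00", "cash_in", 6_000),
    ("C-1001", "2024-03-01T17:40:00", "cash_in", 4_500),       # 10,500 within 24h: flag
    ("C-1002", "2024-03-01T10:00:00", "cash_in", 9_900),
    ("C-1002", "2024-03-02T11:00:00", "cash_in", 9_900),       # 25h apart: no flag
    ("C-1003", "2024-03-03T08:00:00", "cash_in", 12_000),      # single transaction at/over threshold
    ("C-1004", "2024-03-03T08:00:00", "intl_eft_out", 7_000),
    ("C-1004", "2024-03-03T20:00:00", "intl_eft_out", 3_000),  # exactly 10,000 within 24h: flag
    ("C-1005", "2024-03-03T12:00:00", "cash_in", 2_000),
]


@dataclass(frozen=True)
class Alert:
    client_id: str
    kind: str
    window_start: datetime
    window_end: datetime
    total_cad: int
    count: int


def find_reportable(ledger, threshold=THRESHOLD_CAD, window=WINDOW):
    """Flag clients whose transactions of one kind reach `threshold` within `window`.

    Transactions are grouped per (client, kind), sorted by time, and scanned with
    a sliding window. Once a window reaches the threshold an Alert is emitted and
    the transactions in it are consumed, so each transaction contributes to at
    most one alert.
    """
    groups = defaultdict(list)
    for client_id, ts, kind, amount in ledger:
        if amount < 0:
            raise ValueError(f"negative amount for {client_id}")
        groups[(client_id, kind)].append((datetime.fromisoformat(ts), amount))

    alerts = []
    for (client_id, kind), txns in groups.items():
        txns.sort()                      # ledger order is not guaranteed
        start, total = 0, 0
        for end, (ts, amount) in enumerate(txns):
            total += amount
            # Drop transactions older than the window relative to the newest one.
            while ts - txns[start][0] > window:
                total -= txns[start][1]
                start += 1
            if total >= threshold:
                alerts.append(Alert(client_id, kind, txns[start][0], ts,
                                    total, end - start + 1))
                start, total = end + 1, 0   # consume the flagged transactions
    return alerts


if __name__ == "__main__":
    for a in find_reportable(SAMPLE_LEDGER):
        print(f"{a.client_id} {a.kind}: CAD {a.total_cad:,} over {a.count} "
              f"transaction(s) between {a.window_start} and {a.window_end}")
```

Two caveats for anyone turning this into a production rule. First, how FINTRAC expects transactions to be aggregated (for example, transactions conducted by, on behalf of, or for the benefit of the same person or entity) and the form of each report are set out in FINTRAC's guidance, which this example does not reproduce; it only shows the window mechanics. Second, client C-1002 above, with two deposits just under the threshold more than 24 hours apart, is never flagged by this rule; a pattern like that is what the suspicious transaction reporting obligation exists for, and it needs separate review logic rather than a threshold test.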
With respect to suspicious transaction reports, reporting entities must not disclose that a report has been made, or disclose its contents, with the intent to prejudice a criminal investigation, whether or not an investigation has begun.
Record keeping
FINTRAC's record-keeping requirements are detailed in sector-specific guidelines, including, but not limited to, those for financial entities, accountants, agents of the Crown, notaries in British Columbia, casinos, dealers in precious metals and stones, life insurance companies (including brokers and agents), money services businesses, the real estate sector, and securities dealers.
As an example, FINTRAC requires financial entities to keep the following records (this list is not an exhaustive list and exceptions may apply):
- suspicious transaction reports;
- large cash transaction records (i.e. CAD 10,000 (approx. €7,140) or more received in cash, including multiple cash transactions totalling that amount within 24 hours);
- transactions of CAD 3,000 (approx. €2,140) or more for the issuance of traveller's cheques, money orders, or other similar negotiable instruments;
- records of electronic fund transfers of CAD 1,000 (approx. €710) or more;
- foreign currency exchange transaction records;
- account opening records;
- account records, such as deposit slips, statements, and cleared cheque records;
- credit arrangement records;
- credit card account opening records;
- trust records; and
- 'reasonable measures' records i.e. records of unsuccessful attempts to obtain a response from a client in connection with any record-keeping obligation imposed by PCMLTFA.
Again, financial institutions and the other entities overseen by FINTRAC may be subject to additional requirements imposed by their respective association, regulatory body, or provincial legislation.
As an example, FINTRAC and IIROC require securities dealers to keep the following records (the list is not exhaustive under either body, and exceptions may apply):
- records on beneficial owners, control, and structure;
- records of the purpose and intended nature of business relationship with client;
- records on the measures taken by the securities dealer to monitor business relationships and the information obtained as a result of monitoring;
- suspicious transaction report records;
- large cash transaction records;
- signature cards, account operating agreements, or accounts applications;
- copies of official corporate records;
- account holder information;
- new account applications;
- client statements;
- confirmations of purchase or sale;
- trade authorisations;
- powers of attorney and joint account agreements; and
- all correspondence, including emails, about the operation of accounts.
Depending on the financial institution, exceptions may apply to a record keeping requirement.
PIPEDA and FINTRAC
The OPC published a guidance titled the PIPEDA and the Proceeds of Crime (Money Laundering) and Terrorist Financing Act.
The guidance includes explanatory notes on how the OPC interprets the privacy obligations under PIPEDA in conjunction with those imposed under the PCMLTFA. For example, the OPC recommends that a bank's personal deposit application form include language disclosing that certain information may be disclosed to a legal authority (i.e. FINTRAC) in order to meet legal obligations. The guidance also discusses the OPC's risk analysis of the types of documents used to identify clients. For example, the OPC highlights that certain provinces prohibit the use of health cards for identification purposes, so some institutions may need to consider alternative methods.
Canadian law recognises an implied contractual duty of confidentiality owed by banks to their customers in respect of their dealings and personal information. This is commonly referred to as the banker-client duty of confidentiality. However, a bank's duty of confidentiality to its customer is not absolute and is subject to exceptions. These exceptions include:
- where disclosure is compelled by law;
- where the interests of the bank require disclosure;
- where there is a duty to the public to disclose; and
- where the customer expressly consents to the disclosure.
Confidentiality obligations regarding a customer's personal information, including financial data, are generally outlined in the terms of the commercial agreements between the bank and its customers.
The bank's duty of confidentiality to its customer coexists with the bank's privacy obligations with respect to personal information under PIPEDA. It is untested whether the exceptions in PIPEDA permitting the use and disclosure of personal information without consent modify the scope of the implied duty of confidentiality. However, it is very likely that this is the case.
In addition, PIPEDA and its provincial counterparts contain several provisions under which personal information may be disclosed without the individual's knowledge or consent, provided that certain conditions are met. Examples include disclosures made by an organisation:
- to a barrister or solicitor who is representing the organisation;
- to collect a debt owed by the individual to the organisation;
- to comply with a subpoena, warrant, or court order;
- to a government institution that has lawful authority to request the information, where:
  - the government institution suspects that the information relates to national security, the defence of Canada, or the conduct of international affairs;
  - the disclosure is requested for the purpose of enforcing any law of Canada, a province, or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law, or gathering intelligence for the purpose of enforcing any such law;
  - the disclosure is requested for the purpose of administering any law of Canada or a province; or
  - the disclosure is requested for the purpose of communicating with the next of kin or authorised representative of an injured, ill, or deceased individual; or
- on the organisation's own initiative, to a government institution or a part of a government institution, where:
  - the government institution suspects that the information relates to national security, the defence of Canada, or the conduct of international affairs; or
  - the organisation has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province, or a foreign jurisdiction that has been, is being, or is about to be committed.
The foregoing provisions, as well as others under PIPEDA, may require further analysis based on case law or guidelines from the OPC. For example, the OPC has produced guidelines for when organisations may disclose personal information to another organisation without knowledge or consent of the individual for:
- the purposes of an investigation into a breach of the organisation's agreement, or breach of laws of Canada (that is being or is about to be committed) where it is reasonable to expect the individual's knowledge would compromise the investigation; and
- the purposes of detecting or suppressing fraud (or of preventing fraud that is likely to be committed) where it is reasonable to expect the individual's knowledge would compromise the investigation.
Organisations, including banks and other financial institutions subject to PIPEDA, are required to apply a 'reasonableness test' with respect to these disclosure provisions. The OPC provides the following guidance for organisations when applying the test:
- perform due diligence and exercise good judgment when relying on the exceptions under PIPEDA;
- carefully consider the explicitly outlined requirements of the respective provision;
- respect the limits set out in the provisions; and
- document the rationale for disclosure.
Further, certain minimum criteria must be met before an organisation may rely on these disclosure provisions. For a disclosure relating to an investigation into a breach of an agreement, there must be a bona fide inquiry to determine the facts rather than a fishing expedition. For a disclosure relating to detecting fraud, the OPC states that the risk of fraud must be probable, not merely possible. Organisations must document that these criteria are met as part of their analysis of whether they may rely on the disclosure provisions.
In certain circumstances, PIPEDA permits organisations to rely on implied consent to use personal information for a secondary purpose, provided that the secondary purpose is an appropriate purpose and the organisation obtains meaningful consent from the individual. Implied consent is available only where the information is considered 'less sensitive'; this involves balancing the organisation's legitimate business interests against the individual's privacy rights, recognising that PIPEDA is meant to protect the interests of every party, not only the individual whose information is in question. To obtain meaningful consent for a secondary purpose, an organisation must provide either an opt-in or an opt-out mechanism; which is appropriate depends on the sensitivity of the personal information involved and the reasonable expectations of the individual.
Generally speaking, the personal information collected, used, disclosed, stored, and otherwise processed by the insurance industry is regulated by PIPEDA. PIPEDA applies to private-sector organisations collecting information in the course of a commercial activity. The definition of organisation in PIPEDA is broad and covers corporations, associations, partnerships, sole proprietorships, and individuals. As such, PIPEDA applies to numerous transactions within the insurance industry, from brokers and agents, to claims adjusters and first-party statutory accident benefits insurers acting commercially.
If information collected, used, disclosed, stored, and otherwise processed by the insurance institution is solely within the province of British Columbia, Alberta, or Quebec, the provincial private sector legislation deemed substantially similar to PIPEDA may apply instead.
Federally incorporated insurers are governed by the Insurance Act and its regulations. The insurance industry is also regulated by provincial insurance statutes, for example Alberta's Insurance Act, RSA 2000, c I-3 and British Columbia's Insurance Act, RSBC 2012, c 1, among others.
In addition to the Canadian Council of Insurance Regulators, an association of the provincial, territorial, and federal insurance regulators, most provinces have their own regulators, including specialised bodies for specific lines such as accident, home, and life insurance. OSFI regulates the solvency and financial standards of federally incorporated property and casualty insurers, while provincial regulators oversee their underwriting, rating, claims, and marketing practices. Examples of provincial regulators include the Alberta Superintendent of Insurance, Nova Scotia's Office of the Superintendent of Insurance, and the Financial Services Commission of Ontario ('FSCO'), whose functions have since been assumed by the Financial Services Regulatory Authority of Ontario ('FSRA'). Each provincial regulator may impose requirements and standards on the entities it regulates with respect to personal information and data security within that province.
For example, Ontario's Statutory Accident Benefits Schedule, O Reg 34/10, outlines restrictions for insurance claim adjusters regarding how much information may be reasonably collected to assist the insurer in determining an applicant's entitlement to a benefit.
Lastly, the financial statements of insurers and other industry members are subject to provincial disclosure requirements. For example, British Columbia's Financial Institutions Act, RSBC 1996, c 141 requires provincial insurers to post their audited financial statements on their website within 90 days of the end of their financial year.
On 30 April 2021, the federal government introduced legislation establishing a retail payments oversight framework, the Retail Payment Activities Act ('the RPAA'), which received Royal Assent on 29 June 2021. Most provisions of the RPAA are not yet in force, and the specific obligations on affected businesses will be developed through regulations.
The RPAA sets out the general framework for the regulation of retail payments activities in Canada, while the details of the regime will be set out in the regulations enacted by the Department of Finance and guidelines developed by the Bank of Canada, which will be the designated supervisory authority under the RPAA. The RPAA applies to any 'retail payment activity' that is either performed by a payment service provider that has a place of business in Canada, or performed for an end user in Canada by a payment service provider that does not have a place of business in Canada but directs retail payment activities at individuals or entities that are in Canada. A payment service provider is an entity that performs payment functions as a service or business activity that is not incidental to another service or business activity. Payment functions include:
- the provision or maintenance of an account that, in relation to an electronic funds transfer ('EFT'), is held on behalf of one or more end users;
- the holding of funds on behalf of an end user until they are withdrawn by the end user or transferred to another individual or entity;
- the initiation of an EFT at the request of an end user;
- the authorisation of an EFT or the transmission, reception, or facilitation of an instruction in relation to an EFT; or
- the provision of clearing or settlement services.
Once all the provisions of the RPAA are in force, payment service providers will be required to complete a prescribed application form and pay a registration fee. The Bank of Canada will maintain a publicly available registry of registered payment service providers and will also publish a list of entities that have been refused registration or whose registration has been revoked. Registration may be refused on the following grounds:
- reasons related to national security;
- if an applicant fails to provide requested additional information;
- if an applicant fails to comply with an order or undertaking required by the Minister of Finance;
- if an applicant fails to comply with a condition imposed by the Minister of Finance;
- if an applicant has provided false or misleading information;
- if an applicant is not registered as a money service business under the PCMLTFA;
- if an applicant has committed a 'serious violation' under the PCMLTFA; or
- if an applicant has been deemed to have committed a violation under the RPAA.
Beyond OSFI Guideline B-10 on outsourcing, which applies to federally regulated financial institutions, there are no finance-specific requirements in relation to the transfer of personal data or the use of third parties or cloud computing.
Organisations, including financial institutions are responsible for the personal data in their control, including information that has been transferred to third parties, whether within the same jurisdiction or outside Canada's jurisdiction. Organisations must ensure that a third-party processor is handling the information in a legal and secure manner. Canadian data controllers must do so by contractual or other means with third parties to require third parties to provide a comparable level of protection as the Canadian data controller. Further, the third party must process the personal data only for or on behalf of the data controller, for the same purpose disclosed to the data subject, and not process it for any other purposes.
Individuals must be notified that their personal data may be disclosed to a third party to process on behalf of the data controller. This is generally disclosed to the data subject through the organisation's privacy notices.
Additionally, under the QC Act, organisations will be required to conduct privacy impact assessments for any transfer of personal information outside of Quebec. They will have to consider the 'legal framework applicable in the State in which the information would be communicated, including the data protection principles in the foreign state' and consider the sensitivity of the information in order to communicate personal information outside of Quebec. The assessment must establish that the information would receive an 'adequate' level of protection in the foreign jurisdiction.
In Canada, there are currently two legislative requirements to consider with respect to data breach notifications in the private sector.
First, financial institutions, whether located in Alberta or elsewhere, that collect, use, disclose, or otherwise process personal information of Alberta residents within Alberta are subject to AB PIPA, which contains mandatory breach provisions.
Second, PIPEDA also provides for mandatory breach reporting obligations for organisations that collect, use, disclose, or otherwise process personal information for commercial purposes, including financial institutions, for which PIPEDA applies. Data breach reporting, notification and record-keeping requirements under PIPEDA are found in the Breach of Security Safeguards Regulations (SOR/2018-64). Depending on the location of the affected individuals, and whether the data crossed provincial borders, a financial institution may be subject to both AB PIPA and PIPEDA breach reporting regimes.
Under both AB PIPA and PIPEDA, reporting and notification obligations are grounded in a 'real risk of significant harm' test. Financial institutions must report to the OPC and notify affected individuals if there is a 'real risk of significant harm' as a result of the breach of security safeguards. In determining whether the threshold has been met, the financial institution must assess the potential for 'significant harm'. Significant harm includes financial loss, identity theft, and negative effects on one's credit record. Further, significant harm includes bodily harm, humiliation, damage to reputation or relationships, loss of employment, business or professional opportunities, and damage to or loss of property.
Financial information such as banking and credit card data has almost always been considered to meet the threshold, while financial statements may not.
Both AB PIPA and PIPEDA's breach requirements include provisions for the organisation, including a financial institution, to consider notifying any third party of the data breach if notification could mitigate the harm to affected individuals, for example by notifying law enforcement or credit monitoring agencies.
Under PIPEDA's regulations, financial institutions are required to maintain a record of every breach of security safeguards, even if that breach did not result in a real risk of significant harm to an individual. Financial institutions must retain these records for two years.
In addition, the QC Act will impose breach reporting requirements on organisations collecting, using, and disclosing the personal information of Quebec residents. Under the QC Act, organisations will have reporting requirements for 'confidentiality incidents', which are defined as access, use, or communication of personal information not authorised by law, or a loss or any other breach in the protection of such information (similar to PIPEDA and AB PIPA). Companies in Quebec will be required to notify individuals impacted by a confidentiality incident where the breach poses a 'risk of serious injury'. In such cases, organisations will be required to report incidents to the provincial regulator, the Quebec Commission on Access to Information ('the CAI'), as well as to any individual whose personal information is impacted by the incident, as soon as is practicable. Failure to do so may result in the CAI compelling disclosure to affected parties and imposing administrative monetary penalties. Organisations will be required to keep a register of confidentiality incidents that affect their customers' personal information, whether or not they pose a 'risk of serious injury', and to send the register to the CAI on request.
In addition, since November 2019, securities dealers subject to IIROC are required to report a cybersecurity incident or breach to IIROC. A cybersecurity incident includes any act to gain unauthorised access to, disrupt, or misuse a securities dealer's information system, or information stored on such a system, which has resulted in, or has a reasonable likelihood of resulting in:
- substantial harm to any person;
- a material impact on any part of the normal operations of the securities dealer;
- invoking the dealer's business continuity or disaster recovery plan; or
- the securities dealer being required under any applicable laws to provide notice to any government body, securities regulatory authority, or other self-regulatory organisation.
The above will likely also apply if the incident has been experienced by a third-party service provider, such as an information system service provider.
IIROC's breach reporting rules are broader than those imposed under PIPEDA, and reporting occurs in two stages:
- a securities dealer must file an initial report with IIROC describing the cybersecurity incident within three calendar days of discovering the incident; and
- a securities dealer must subsequently submit a detailed investigation report within 30 calendar days of the incident.
Dealers must exercise their own discretion in determining whether an incident meets the reporting threshold. The initial report must contain certain information, including a description of the cybersecurity incident, the date or time period during which the incident occurred, the date or time period in which the securities dealer discovered the incident, a preliminary assessment of the incident, a description of the response steps taken, and contact information.
A detailed investigation report must contain certain information, including a description of the cause of the cybersecurity incident, an assessment of the scope of the incident, the number of affected individuals, detailed response steps taken, and actions that the securities dealer has or intends to take to improve its cybersecurity incident preparedness.
There is no single Canadian regulatory body that has jurisdiction over FinTech. Rather, depending on the type of FinTech-related product or service provided by the financial institution, a number of regulatory bodies, many of which are discussed above, will have jurisdiction.
In particular, FinTech businesses that provide banking, insurance, consumer credit, or capital raising services will find themselves subject to the same laws and regulations as incumbent businesses in the same areas. Further, FinTech businesses will be subject to more general business regulations such as PIPEDA and the substantially similar provincial private sector statutes, AML regulations, and consumer protection laws.
As noted throughout, the OPC oversees compliance with PIPEDA. The OPC has the power to investigate, including summoning witnesses, on its own initiative or following a complaint. Under PIPEDA, the OPC may also commence applications in the Federal Court of Canada to require an organisation to comply with PIPEDA if, following an investigation and a report of findings, the organisation fails or refuses to amend its practices.
The Office of the Information and Privacy Commissioner of Alberta, the Office of the Information and Privacy Commissioner for British Columbia, and the CAI each have private sector oversight responsibilities within their respective provinces. Each has powers similar to those of the OPC, including the power to conduct investigations, audits, and inquiries, as well as to apply to, and participate in litigation before, their respective provincial courts. However, unlike the OPC, the provincial regulators also have order-making powers. Moreover, the QC Act empowers the CAI to impose administrative monetary penalties for violations of the QC Act, reaching the greater of CAD 10 million (approx. €7.1 million) or 2% of the organisation's global turnover from the previous year.
11. Additional Areas of Interest
No further information.
Luca Lucarini, Associate