The financial industry's ongoing digital transformation, spurred by competitive pressure from fintechs and by consumer demand, was supercharged by the pandemic.
This accelerated digitization, coupled with upcoming regulatory changes, means that privacy and cybersecurity will remain front-of-mind issues for financial institutions. Outlined below are five key privacy and cybersecurity issues that organizations in the financial sector should be focusing on.
1. Canadian private sector privacy law reform: shifting sands
Canadian governments at the federal and provincial levels have announced their intention to strengthen the Canadian privacy law framework by moving private sector privacy laws toward the model of the EU General Data Protection Regulation (GDPR), a model that gives individuals more control over their personal information.
Given the patchwork of federal and provincial private sector privacy laws in place and on the horizon, financial institutions operating across Canada will need to anticipate the extent to which these updated and new laws apply to them. Much of this will turn on a constitutional division of powers analysis, the outcome of which may have significant operational and regulatory consequences for the financial sector. While there are common themes across the proposed reforms, such as enhanced individual control and stronger regulatory oversight, there will be regional differences. For instance, Québec's Bill 64 proposes significant data residency and consent disclosure requirements that are not contemplated under the federal Personal Information Protection and Electronic Documents Act (PIPEDA). Conversely, the proposed federal reform would allow businesses to rely on a consent exception for standard business practices, analogous to the GDPR's legitimate interests basis for processing personal information; no such exception is contemplated under the Québec or B.C. reform proposals.
Traditionally, financial institutions have relied on their status as 'federal works, undertakings or businesses' (FWUBs) to argue that PIPEDA is the governing statute in privacy and data protection matters. The Supreme Court of Canada's decision in Bank of Montreal v. Marcotte, 2014 SCC 55 (Marcotte), and, more recently, the Québec Commission d'accès à l'information (CAI) decision in D'Allaire v. Transport Robert (Québec), 1973 ltée, 2020 QCCAI 152 (Transport Robert), signal that financial institutions may need to develop a robust advocacy position on how and why PIPEDA continues to be the only applicable privacy statute.
Marcotte set a demanding threshold for exempting FWUBs from the provisions of provincial consumer protection laws, but it did not necessarily close the door on future arguments that a given provincial law (including provincial privacy legislation) cannot apply to a core banking activity. In Transport Robert, the CAI rejected a federally regulated transportation company's PIPEDA paramountcy argument: there was no operational conflict between PIPEDA and the Québec private sector privacy act, and no frustration of federal purpose, because both statutes pursue the same objectives. The CAI found that the Québec act does not target an essential and vital element of the FWUB to the point of impairing the core federal competence over interprovincial transport or labour relations, and that the company had not provided evidence of a serious interference with Parliament's jurisdiction in those areas. The Office of the Privacy Commissioner of Canada (OPC) has also taken the view that PIPEDA and provincial privacy legislation can, in some circumstances, both apply to the same transaction.