CyberLex

Insights on cybersecurity, privacy and data protection law

Privacy Commissioner’s Report on Public Perception of Companies’ Privacy Practices Holds Lessons for Business

Posted in Privacy
Ljiljana Stanic

The Office of the Privacy Commissioner of Canada (“OPC”) recently released a preliminary report outlining the results of a series of focus groups conducted with Canadians about privacy and the protection of personal information.[1] Predictably, participants in the focus groups (which represented a small and restricted sample of Canadians) were concerned by the collection and protection of their information by private companies.

It is likely that the OPC will highlight these results in its upcoming comprehensive report on privacy and consent in September 2017, part of the ongoing review of the Personal Information Protection and Electronic Documents Act (“PIPEDA”),[2] as justification for the expansion of government oversight and enforcement powers in relation to the protection of customer privacy interests. Review of the data, however, indicates that, at least among the relatively small sample canvassed as part of the focus groups, participants saw an independent role for Canadian companies in the protection of their data, apart from compliance with government regulations.

Study overview

This particular series of focus groups collected qualitative data with respect to the sharing of personal information with and by private companies. In total, 64 individuals in four Canadian cities participated in the focus groups conducted over three days by Phoenix SPI on behalf of the OPC.

All participants acknowledged that it was common to be asked to provide personal information when interacting or conducting transactions with Canadian companies, especially when those interactions or transactions took place online. Although there was widespread acknowledgement that these companies had legitimate reasons to collect this information, there was also a common feeling that, as customers, they had no choice but to give their consent to the provision of this information and that they had little or no control over what happened to that information once provided.

The study participants identified three broad areas of concern with respect to what they perceived to be the high volume of personal information that is collected by Canadian companies:

  1. The level of security of that information and the potential for hacking and consequent fraudulent use (e.g. identity theft);
  2. The sharing or sale of information with third parties, for whatever purpose; and
  3. A lack of understanding about companies’ privacy policies and practices and the consequences for companies if those policies are violated.

The report indicates a general feeling among the participants that the current system is skewed in favour of companies at the expense of the customer. Specifically, it was seen that most privacy policies are overly long and complex while remaining vague and unclear, with the result that customers consented to them without a proper understanding of their terms. That said, participants generally believed that corporate privacy policies, whatever their specific terms, operated to protect companies in their use of customer information, rather than the customers themselves.

Study participants also exhibited an overall level of skepticism about the type and quantity of information collected. For example, while participants made the obvious connection between the need to collect credit card information and pay for a good or service, they were less confident that demographic information such as age, gender, or level of education would be put to use other than for targeted advertising, junk e-mail, or sharing with other vendors. Few linked the collection of personal information to the potential for more personalized products or improved customer service. Consequently, some of the respondents stated that they avoided online transactions altogether or where possible withheld or provided false information.

Customers are, perhaps unsurprisingly, more willing to provide personal information to companies with whom they already have a relationship and whom they perceive as established and trustworthy. In this connection it is worth noting that there was a lower level of trust associated with smaller companies and those who ‘cold-called’ customers.

Opportunities for Canadian Companies

Given the perceived power imbalance in their relationship with companies, study participants expressed some support for further government involvement in the regulation of policies and practices with respect to the collection, storage, and sharing of personal information. These include:

  • Government-imposed standardized policies written in plain language including “opt-out” provisions for different types of or uses for personal information;
  • Increased government regulation governing the collection, sharing, and security of personal information, including proactive audits of companies’ privacy practices and the imposition of penalties on violators (such as fines or public ‘naming’ of companies failing to meet standards);
  • A public information campaign with respect to privacy and the consent to sharing of personal information, including a public registry of companies that have experienced breaches in information security or have been found to violate privacy laws or policies.

Next Steps and Lessons for Business

As noted above, the OPC plans to release a comprehensive report on privacy and consent in September 2017 and it is not clear at this point what influence this particular study will have in that final report. Given the profile this study has been afforded by the OPC, notwithstanding its restricted scope and scale, it is likely to be used to support an argument for the grant of further powers to the OPC.

In this context, it is easy to overlook the ways in which study participants saw an independent role for companies, independent of government, in the protection of privacy. Canadian companies have a number of opportunities to anticipate the OPC and improve their privacy practices, while reassuring and improving relationships with customers. In particular, as suggested by the feedback from the study participants, Canadian companies should consider:

  • Informing customers how the collection of data can improve their experiences, such as through the provision of personalized results, recommendations, and customer service, rather than merely serve marketing goals;
  • Stating explicitly and in clear language how the information customers provide will be used by the company and under what conditions it will be retained, shared, and destroyed;
  • Revamping their current policies and practices to ensure that they are written in language that is as clear and customer-friendly as possible and providing, where appropriate, plain-language or bullet-point summaries of the policy;
  • Where appropriate, allowing customers to opt out of providing specific information;
  • Exercising due diligence in verifying that customers have read and understood the terms of their privacy and personal information policies; and
  • Specifying the steps the company will take and/or the recourse available to the customer should personal information be compromised, or otherwise used or shared without consent.

[1] https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2017/por_201703_consent/.

[2] https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda_r/.

Paving the Way for RegTech: Australian and Canadian Developments

Posted in FinTech
Jason Phelan, Ana Badour, Drew Wong

Recently, the Australian Securities and Investments Commission (ASIC), which regulates financial services and markets in Australia, provided recommendations and engaged in consultation on establishing best practices and guiding principles for the regulatory technology (RegTech) eco-system in Australia.

As discussed in our previous post in respect of UK developments in the area, “RegTech” can be understood as describing new technologies that facilitate the delivery of regulatory requirements. This demand has been driven by increasing levels of regulations and reporting requirements, which place operational challenges and new risks on the financial services sector. RegTech has the potential to complement financial services providers with streamlined compliance procedures in a cost-effective manner, which could also allow regulators to get access to and process a larger amount of data.

Generally, RegTech services help to declutter, analyze, and provide reports on large, intertwined, and complicated data sets to facilitate access in a more consumable format. For example, RegTech applications include services to reduce the risk of money laundering activities conducted online, monitoring of online transactions in the digital payment eco-system, fraud prevention and audit trail capabilities.

ASIC Innovation Hub and Request for Feedback

In May 2017, ASIC published a report providing an update on the work of its Innovation Hub and outlining its approach to Fintech, RegTech and related areas. It also sought feedback from different stakeholders with respect to its proposed approach to RegTech.

In March 2015, ASIC established the Innovation Hub, which serves as a body and forum to assist new Fintech businesses in navigating ASIC’s regulatory framework. To date, the Innovation Hub has worked with 168 entities, notably providing them with informal assistance to help bridge any knowledge or resourcing gaps and providing them with access to senior ASIC staff to help streamline processes. Of the 33 new Australian financial services licenses and Australian credit licenses granted since March 2015, the businesses that have engaged with the Innovation Hub received approval substantially faster than those that have not.

In mid-2016 the Innovation Hub expanded its scope and began to engage with RegTech businesses by providing them with informal assistance. ASIC met with a number of RegTech stakeholders and service providers to get a better sense of their business model and of the RegTech eco-system, as well as with domestic and international regulators to discuss developments in the area. ASIC currently conducts sets of trials of RegTech, including machine learning applications assessing document sets to identify useful evidence and social media monitoring tools.

In its report, ASIC described its new initiatives to complement its current RegTech activities, including the establishment of a liaison group composed of RegTech stakeholders who will meet three times a year to facilitate networking and collaboration opportunities within the RegTech sector, the hosting of a problem-solving event (“hackathon”) with the industry and a commitment to a small number of new trials of RegTechs. ASIC sought feedback on those new initiatives.

ASIC’s RegTech Roundtable 2017

As part of its current commitment to engage with the RegTech community, ASIC hosted its first RegTech roundtable discussion in February 2017 with a number of entities from across Australia, while regulators and government officials observed. The discussion focused on the current RegTech landscape and its future development, and on the commercial, regulatory and practical barriers to the future potential of RegTech in Australia.

The emerging themes during the roundtable included:

  1. Current RegTech environment and emerging technologies – factors such as computer capacity, storage, data use, new technological applications, and the industry sentiment of focusing on efficiency, while maintaining a conduct risk management focus, as well as the opportunities offered by big data and machine learning, are contributing to driving the opportunities and growth in the RegTech market.
  2. Importance of real time monitoring – near real time monitoring of conduct by financial services providers has the potential to change the role of regulators from a “rear view mirror” approach to compliance to one focused on learning and prediction, which would save costs and facilitate more streamlined compliance, while having the potential to create a shift within organisations relying on proprietary systems towards an effective compliance culture.
  3. Cyber and information security – questions were raised with respect to the ownership of the data generated by RegTech services, access to such data, cyber security and protection of digital identity.
  4. Lack of human involvement – a potential risk could arise from replacing the normally human-involved process of ensuring compliance with a heavily relied-upon process based on an automated system, while potentially creating disruption within organisations, as RegTech will inevitably mean changes for staff, who could see such technology as a threat.

Beyond the themes and risks discussed, ASIC asserted that it sought to continuously engage and receive feedback from those affected by RegTech. ASIC’s intention appears to be to align the RegTech industry with current compliance systems to streamline and integrate RegTech to better facilitate upholding regulations and ensuring the existing industry is trained and adapts seamlessly.

Canadian Approach to RegTech

The Ontario Securities Commission (OSC) and ASIC previously entered into an agreement, pursuant to which, among other things, they committed to share information on emerging trends in each other’s markets and the potential impact on regulation. The OSC has also shown its own interest in RegTech developments. In November 2016, the OSC held its own hackathon bringing together members of the Fintech community to find solutions to regulatory problems arising in the area of RegTech. This hackathon brought in over 120 members of the Fintech community to facilitate discussion and produced a white paper with input from the Fintech and RegTech community.

More generally, in Canada, as discussed in a previous post, the Canadian Securities Administrators (CSA) announced earlier this year the launch of a regulatory sandbox, allowing Fintech businesses to apply with the CSA to receive regulatory relief to test their products and services. RegTech providers are specifically listed as one of the types of business models that are eligible to apply to the CSA regulatory sandbox.

For more information about our Firm’s Fintech expertise, please see our Fintech group’s page.

Department of Finance Releases Consultation Paper on New Retail Payments Oversight Framework Providing for Functional Regulation of Payment Service Providers

Posted in FinTech, Payments, Privacy
Ana Badour, Kirsten Thompson

On July 7, 2017, the Department of Finance issued the consultation paper “A New Retail Payments Oversight Framework” (the “Consultation Paper”) proposing a federal oversight framework for retail payments. Comments on the Consultation Paper are due October 6, 2017.

Summary of Proposed Oversight Framework

The Consultation Paper is discussed in more detail below, but the key elements are:

  • Broad Scope: The oversight framework would apply to any payment service providers (“PSP”) that perform any listed core functions and would capture credit card transactions, online payments, pay deposits, debit transactions, pre-authorized payments, and peer-to-peer money transfers.
  • Registration Requirement: All PSPs would be required to register with a “designated federal retail payments regulator”.
  • End-User Fund Safeguarding Measures: All PSPs that hold end-user funds overnight or longer would be required to meet certain requirements, including placing them in a trust account, and certain record-keeping requirements.
  • Operational Standards: All PSPs would be required to comply with a set of principles related to establishing security and operational objectives and policies and business continuity planning.
  • Disclosure Requirements: All PSPs would be required to provide end users with certain information, including information on the key characteristics of their service or product, the responsibilities of customers and PSPs, terms and conditions, the end user’s account history of payment transactions, and receipts for transactions.
  • Third-Party Dispute Resolution: An external complaint body would be designated for customers to elevate complaints not resolved through PSPs’ internal complaint handling processes, and PSPs would need to advertise their complaint-handling processes.
  • Liability for Unauthorized Transactions: The payment-authorizing PSP would have to refund the payor for losses resulting from unauthorized transactions or errors, unless the payor acted fraudulently or failed to fulfil certain obligations.
  • Increased Emphasis on Privacy: The regulator for the oversight framework would promote awareness of, and compliance with, privacy laws, including by directing PSPs, at the point of registration, to relevant guidance from privacy regulators.

The oversight framework is proposed to be principles-based, with tiering of measures (such that, for example, smaller firms may be subject to less stringent requirements), and a recognition of equivalent requirements under other legislative frameworks.

In addition, the Consultation Paper proposes the establishment of an advisory service for small firms that could guide and assist qualified PSPs in understanding the framework requirements based on their specific business models.

———————–

Details of Proposed Oversight Framework

  1. Scope of Retail Payments Oversight Framework

The Consultation Paper proposes a functional approach to regulation of retail payments in Canada, which would apply to any PSP that performs any of the following five core functions in the context of an electronic fund transfer ordered by an end user:

  • Providing and maintaining payment accounts for the purpose of making electronic fund transfers;
  • Enabling the initiation of a payment at the request of an end user;
  • Authorizing and transmitting payment messages;
  • Holding of funds; or
  • Fund clearing and settlement.

The Consultation Paper provides examples of PSP functions: credit card transactions, online payments, pay deposits, debit transactions, pre-authorized payments, and peer-to-peer money transfers. Certain types of transactions are specifically excluded:

  • Transactions entirely made in cash;
  • Transactions conducted via an agent authorized to negotiate or conclude the sale or purchase of goods or services on behalf of the payer or the payee, where the funds held by the agent on behalf of the payer or payee are kept in a trust (e.g., real estate agent or lawyer);
  • Transactions made with instruments that allow the holder to acquire goods or services only at the premises of the issuing merchant (e.g., store cards) or within a limited network of merchants that have a commercial agreement with an issuer (e.g., shopping mall cards);
  • Transactions related to securities asset servicing (e.g., dividends distribution, redemption or sale) and derivatives;
  • Transactions at ATMs for the purpose of cash withdrawals and cash deposits;
  • Transactions between entities of the same corporate group, if no intermediary outside of the corporate group is involved in the transaction; and
  • The clearing and settlement of transactions made through systems designated under the Payment Clearing and Settlement Act.

Furthermore, the Consultation Paper states that the proposed retail payments oversight framework is to be limited to transactions that are carried out solely in fiat currencies, and not virtual currencies given their current limited use. The Government indicated that it will continue to monitor the use of virtual currencies in retail payments and may propose adjustments to the framework as needed.

Many types of Fintech entities in the payment space, particularly those offering e-wallets, prepaid cards and/or peer to peer payments, as well as more traditional payment entities such as merchant acquirers, would appear to fall within the scope of the proposed framework. In addition, entities that are already otherwise regulated, such as banks, credit unions, trust companies and money services businesses may also be PSPs.

In addition, although the Consultation Paper refers to “retail” payments oversight, the currently proposed scope of the framework contemplates more than what would be considered to be consumer transactions.

  2. Proposed Requirements

a. Registration – The Consultation Paper proposes a requirement that all PSPs register with the “designated federal retail payments regulator” (see “Regulatory Authority” section below) either when the oversight framework comes into effect or in the case of a new PSP, prior to launch. The Consultation Paper provides a list of information required to register in Appendix B, including the type of services and payment functions provided, the volume and value of transactions processed in Canada and globally in the last year (or expected to be processed in the upcoming year for a new PSP), the average amount of consumer funds held where the PSP is not a deposit-taking financial institution, the trust account where consumer funds are held, and the total assets value of the PSP. In addition, the PSP’s owners and directors would need to undergo a criminal record check. Furthermore, if Financial Transactions and Reports Analysis Centre of Canada (FINTRAC) determines or has determined that a PSP has committed a “very serious” violation of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act or, in the case of a money remitter, the PSP has not registered with FINTRAC, the PSP’s registration would be denied or revoked.

b. End-user fund safeguarding – The Consultation Paper proposes that PSPs that place end-user funds held overnight or longer in a trust account be required to meet the following requirements:

  • The account must be at a deposit-taking financial institution that is either a member of the Canada Deposit Insurance Corporation or covered under a provincial deposit insurance regime;
  • The account must be in the name of the PSP;
  • The account must be clearly identified as the PSP’s trust account on the records of the PSP and the financial institution;
  • The account may only be used to hold end-user funds;
  • The PSP must ensure that the financial institution does not withdraw funds from the account without the PSP’s authorization (e.g., service fees incurred by the PSP must be paid from the PSP’s general account); and
  • The assets held in the account must be cash held on deposit or highly secure financial assets that can be readily converted into cash.

PSPs would also be required to maintain detailed accounting records that would allow for the accurate identification of funds held in trust and the beneficiaries, and to report on their trust accounts in their annual filings to their designated regulator.

c. Operational standards – The Consultation Paper proposes that PSPs be required to comply with a set of principles related to establishing security and operational objectives and policies and business continuity planning:

  • A PSP should establish a robust operational risk-management framework with appropriate systems, policies, procedures and controls to identify, monitor and manage operational risks.
  • A PSP’s management should clearly define the roles and responsibilities for addressing operational risk and should endorse the PSP’s operational risk-management framework. Systems, operational policies, procedures and controls should be reviewed, audited and tested periodically and after significant changes.
  • A PSP should have clearly defined operational reliability objectives and should have policies in place that are designed to achieve those objectives.
  • A PSP system should have comprehensive physical and information security policies that address all major potential vulnerabilities and threats.
  • A PSP should have a business continuity plan that addresses events posing a significant risk of disrupting operations. The plan should be designed to protect end users’ information and payment data and to enable recovery of accurate data following an incident. The plan should also seek to mitigate the impact on end users following a disruption by having a plan to return to normal operations.
  • A PSP should identify, monitor, and manage the risks that end users, participants, other PSPs, and service and utility providers might pose to its operations. In addition, a PSP should identify, monitor, and manage the risks that its operations might pose to others.

Operational system testing may be conducted through self-assessment for small firms or through third-party verification for larger firms.

d. Disclosure requirements – The Consultation Paper proposes that PSPs be required to provide end users with information on the key characteristics of the service or product (such as charges and fees, functions, limitations, security guidelines), customers’ responsibilities, the PSP’s responsibilities, terms and conditions, the end user’s history of payment transactions on an account and receipts for transactions.

Disclosures have to meet the following principles:

  • Information must contain adequate and relevant content;
  • Information must be provided in a timely manner;
  • Information must be presented in language that is clear, simple and not misleading; and
  • Information must be easily accessible.

PSPs would also be required to provide a separate, concise summary containing key information related to a payment service on the cover page of the terms and conditions regarding the use of the service. Annex A to the Consultation Paper provides further detail on proposed disclosure requirements.

e. Dispute resolution – The Consultation Paper proposes that an external complaint body (ECB) be designated for PSPs to receive complaints that fail to be resolved through a PSP’s internal complaint handling process. PSPs would also be required to:

  • Advertise their complaint handling procedures and the possibility for customers to refer cases to the designated ECB;
  • Provide the ECB with all the information it may need in resolving the dispute; and
  • Participate in the dispute resolution process (e.g., participate in conciliation sessions and ECB consultations).

f. Liability for unauthorized transactions – The Consultation Paper proposes that payors not be held liable for losses for unauthorized transactions or errors unless they acted fraudulently or failed to fulfil certain obligations, and that the payment-authorizing PSP would have to refund the payor for losses resulting from unauthorized transactions or errors. Cases where the payor could be held liable include where (i) the payor has not taken reasonable care to protect the security of the payor’s passwords; (ii) the payor has not notified the PSP, without undue delay, that a payment instrument has been lost or stolen, or that a password has been breached; and (iii) the payor has entered the payee information incorrectly such that it was impossible for the PSP to transmit the funds to the right payee. Under these scenarios, the PSP would have to make reasonable efforts to recover the funds.

g. Privacy – The Consultation Paper notes that technological innovation has given PSPs the ability to collect and store many different types of personal and sensitive information and states that “weak protection of personal information by PSPs is a type of market conduct risk that may lead to a series of undesirable consequences for end users, such as financial or reputational harm due to data breaches”.

While the federal privacy legislation (PIPEDA) applies to all Canadian businesses in all sectors of the economy, including retail payments, the Consultation Paper states that “some PSPs may not be familiar with their responsibilities under PIPEDA or applicable provincial privacy legislation”.

The Consultation Paper proposes that the regulator for the oversight framework promote awareness of, and compliance with, PIPEDA and similar provincial legislation, including by directing PSPs, at the point of registration, to relevant, existing information published by the Office of the Privacy Commissioner or other provincial regulators regarding compliance with privacy-related obligations.

  3. Guiding Principles

The Consultation Paper states that “the proposed oversight framework would encourage innovation and competition” and aim to apply measures commensurate to the level of risk posed by each PSP.

To achieve these goals, the oversight framework is proposed to be built around the following guiding principles:

  • Principles-based requirements – Requirements are generally intended to be principles-based, both to accommodate the diversity of business models in the retail payments sector and to allow for flexibility in the case of future models.
  • Tiering of measures – The Consultation Paper states that consideration is to be given to tiering of specific measures such that, for example, smaller firms may be subject to less stringent requirements.
  • Recognition of equivalent requirements under other legislative frameworks – The Consultation Paper proposes that PSPs be exempt from having to implement a framework measure if the entity is subject to a substantially similar requirement under another federal or provincial statute (such as, for example, the Bank Act or credit union legislation).

  4. Advisory Service for Small Firms

The Consultation Paper proposes the establishment of an advisory service (similar to some of the regulatory sandbox models in other jurisdictions) for small PSP firms planning to commercialize a new product, process or service. Such advisory service could guide qualified PSPs through the registration process and assist by interpreting the various framework requirements based on their specific business model.

  5. Regulatory Authority

As noted above, the Consultation Paper refers to a “designated federal retail payments regulator”. Rather than explicitly address the creation of a new regulator, the Consultation Paper states that the framework will leverage the mandate and expertise of existing regulators, in order to ensure consistency in the implementation of similar measures across federal oversight frameworks. The Consultation Paper does not explicitly address which regulator will supervise those PSPs that are not currently subject to federal oversight.

Finally, the Consultation Paper provides that the regulator would have access to a combination of compliance tools that would allow for effective intervention with any type of PSP, set out in more detail in Annex C to the Consultation Paper, and including the issuance of guidelines, annual filing requirements, on-site examinations, and the ability to issue administrative penalties and compliance orders.

For more information about our firm’s Fintech expertise, please contact the authors and see our Fintech group page.

Update from the Canadian Securities Administrators on its Regulatory Sandbox for Fintechs

Posted in Financial, FinTech
Ana Badour, Heidi Gordon

Last week, the Canadian Securities Administrators (CSA) published some additional information on its CSA Regulatory Sandbox. The CSA Regulatory Sandbox, which was first launched on February 23, 2017, is an initiative of the CSA, designed to support Fintech businesses seeking to offer innovative products, services and applications in Canada.

Generally speaking, businesses must register under Canadian securities laws if they are in the business of trading in, or advising on, securities. In addition, there are a number of securities law requirements that may be triggered by or in the context of operating certain business models. The CSA Regulatory Sandbox is intended to allow Fintechs that meet the CSA’s criteria to register and/or obtain exemptive relief from Canadian securities law requirements, under a faster and more flexible process than through the standard channels.

The additional information published by the CSA last week outlines the following five step process involved when making use of the CSA Regulatory Sandbox:

  1. An interested Fintech would first present its business model to its local securities regulator’s staff. For Fintechs with a head office in Ontario, this would involve going through the Ontario Securities Commission’s OSC LaunchPad. Contact information for the other Canadian provinces and territories can be found here. At the discussion stage, securities regulator’s staff work with the Fintech to identify the regulatory requirements for which registration and/or exemptive relief may be needed. Staff and the Fintech may also discuss the Fintech’s eligibility to participate in the CSA Regulatory Sandbox, including limits and conditions that could be imposed.
  2. The Fintech would file an application with its local securities regulator to register and/or obtain exemptive relief from regulatory requirements.
  3. CSA staff would review the application on an expedited basis.
  4. CSA staff would determine the limits and conditions that should apply to the Fintech in the CSA Regulatory Sandbox.
  5. If the Fintech agrees to the tailored program, it will receive authorization to operate for a given period in the CSA Regulatory Sandbox, subject to the limits and conditions imposed on its registration and/or exemptive relief.

The CSA Regulatory Sandbox is open to all Fintechs with innovative business models, whether start-ups or incumbents (e.g. a large financial institution subject to securities law requirements that has developed an innovative business model would be eligible to apply).


Searches of Electronic Devices at the Canada/US Border

Posted in Legislation, Privacy
Eva Guo, Kirsten Thompson

The possibility of arbitrary searches of the electronic devices of persons crossing into the US continues to raise concerns among Canadians and, in particular, privacy regulators. Recent statements (and subsequent legislative amendments) are attempting to address some of the legal issues.

On June 8, 2017, Daniel Therrien, the Privacy Commissioner of Canada, sent a follow-up letter to the Standing Committee on Public Safety and National Security to provide additional input for the Committee’s review of Bill C-23, An Act respecting the preclearance of persons and goods in Canada and the United States (“Bill C-23”).

Mr. Therrien’s first letter of May 24, 2017 expressed his concerns about the US intention to conduct indiscriminate searches of electronic devices at the border:

My immediate concern stems from recent announcements by the US administration that they intend to search at their discretion and without legal grounds other than a desire to protect homeland security the electronic devices of any and all aliens who seek to enter the United States. This would include intent to require persons seeking admission to the US to provide the password of their cellphone or social media accounts. It would appear that this policy would equally apply at preclearance locations in Canada

By contrast, according to Mr. Therrien, the Government of Canada’s policy is to perform border searches of persons seeking admission to Canada only if there are grounds or indications that evidence of contraventions may be found on the digital device or media.

Searches of Electronic Devices are “Extremely Privacy Intrusive”

Mr. Therrien stated that groundless searches of electronic devices are “extremely privacy intrusive.” Bill C-23 recognizes the sensitivity of searches of persons, from frisk or pat-down searches to strip and body cavity searches. These searches legally cannot be performed unless an officer has reasonable grounds to suspect some legal contravention, notably the concealment of goods. In Mr. Therrien’s view, it is “extremely clear” that searches of electronic devices can generally be much more intrusive than frisk searches, for “electronic devices can contain the most personal and intimate information we hold”.

Mr. Therrien recommends that Bill C-23 be amended to place border searches of electronic devices on the same footing as searches of persons and therefore their performance should require “reasonable grounds to suspect”. A consequential amendment to the Customs Act would elevate to a rule of law the Canadian policy which provides that such searches may be conducted only if there are grounds or indications that evidence of contraventions may be found on the digital device or media.

Protections in Bill C-23 Hollow? 

In his original letter, Mr. Therrien had expressed the view that the protections offered under Canadian law by section 11 of the Bill appeared to be hollow, due to the application of the principle of state immunity, meaning it could not be enforced in a court of law. However, in his more recent letter, he offered his additional views and proposed a partial solution.

Mr. Therrien states that he understands that, according to the government, the protections of s.11 would not be completely hollow because in the event of a violation of Canadian law, the violation could be brought to the attention of the Preclearance Consultative Group, a bilateral working group created pursuant to Article XII of the 2015 Agreement on Land, Rail, Marine and Air Transport Preclearance, for discussions from state to state.

Mr. Therrien, while admitting the solution is a “very partial” one, proposed that this would at least recognize the principle that border searches on Canadian soil should be conducted in accordance with Canadian law and values.

Amendment to Bill C-23

On June 16, 2017, the Standing Committee on Public Safety and National Security presented their report to the House of Commons and recommended an amendment to Clause 11, inter alia, by adding the following:

(2) The Minister must, in accordance with paragraph 2 of Article IX of the Agreement, provide every preclearance officer with training on the Canadian law that applies to the exercise of the preclearance officer’s powers and the performance of their duties and functions under this Act.

It is worth noting that “preclearance officer” is a defined term in Bill C-23, meaning a person authorized by the Government of the United States to conduct preclearance in Canada. The amended version of Bill C-23 was read the third time and passed in the House of Commons on June 20, 2017, and it was then read the first time and passed in the Senate on June 22, 2017. A date for the second reading has been set.

Ontario Health Privacy Changes Establish New Breach Notification Requirements

Posted in Legislation, PHIPA
Shanon Grauer, Nicole Rumble, Hilary Smith

The Ontario Ministry of Health and Long-Term Care intends to ensure that health information custodians (HICs) pay due attention to the personal health information they control by introducing new notification and reporting obligations.

If the proposed amendments to O Reg 329/04 under the Personal Health Information Protection Act, 2004 (PHIPA) come into force,[1] notification obligations would start on July 1st of this year. Health information custodians would be required to: (1) notify the Commissioner if an individual’s personal health information is compromised; and (2) report to the Commissioner on the number of times they had to notify individuals that their privacy had been breached in a year (for this latter obligation, the first reporting period would start on March 1, 2018).

LHINs would be “health information custodians”

A “health information custodian” is a person or organization who, in connection with their work, has custody or control of personal health information.[i] Those designated as HICs include: health care practitioners, home care service providers, and health facilities (hospitals, pharmacies, labs, retirement homes).[2] Under the amendments, “Local Health Integration Networks” (LHINs) will also be designated as HICs. LHINs are responsible for the planning and funding of health facilities and home care services.[3] This is as a result of earlier legislative changes that will see the LHINs becoming direct providers of home care services in place of community care access centres.[4]

Notification requirements in certain circumstances

Under the new rules, HICs must notify the Commissioner of “any theft, loss, or unauthorized use or disclosure” of an individual’s personal health information. Essentially, the Commissioner must be informed of any breaches in patients’ privacy, or if their private information is compromised. However, the notification requirements only arise in certain circumstances. These circumstances would include:

  • Subsequent Disclosure: If the custodian had reasonable grounds to believe that the compromised information was subsequently used without authority.[5]
  • Part of a Pattern: If the theft, loss or unauthorized use or disclosure is part of a pattern of similar thefts, losses or unauthorized uses or disclosures of personal health information under the custody or control of the HIC.
  • College: If the HIC has given notice to a professional College, as it is required to do if a member of that College was terminated or resigned as a result of a theft, loss, or unauthorized use or disclosure.[6]
  • College Agent: If the HIC has given notice to a professional College, as it is required to do if a College member has employed a health practitioner as his agent and that agent was terminated or resigned for the same reason.[7]
  • Intentional Use Or Disclosure: If the custodian has reasonable grounds to believe that the personal health information was intentionally used or disclosed without authority.
  • Nonetheless Significant: If none of the above apply but the custodian determines that the theft, loss or unauthorized use or disclosure is otherwise significant having regard to all relevant circumstances including,
    • the nature of the compromised information;
    • the number of records compromised;
    • the number of individuals whose information was compromised; and
    • the number of HICs or agents responsible for the theft, loss or unauthorized use or disclosure.

New Annual Reporting

Under the new rules, an HIC would also be obligated to report annually, on March 1st, on the number of times in the preceding calendar year that it had to notify individuals (in accordance with section 12(2) of PHIPA) of any theft, loss or unauthorized use or disclosure of personal health information. The first report would be due on March 1, 2019.[8]

After submitting the report, an HIC may be required to provide the information contained in any notice, and any information relied on in giving the notice, if the Commissioner requests it.[9]

Health care providers are well advised to institute new methods of protecting patients’ information and of recording any theft or unauthorized use of that information when it happens.

___

[1] Personal Health Information Protection Act, 2004, SO 2004, c 3, Sched A. O Reg 329/04.

[2] “Home care service provider”, own language but listed in paragraph 2 of 3(1), refers to a service provider within the meaning of the Home Care and Community Services Act, 1994 who provides a community service to which that Act applies. “Health facilities”, own language but listed in paragraph 4 of 3(1), refers to enumerated health facilities, programs or services under that paragraph.

[3] A “local health integration network” is defined in section 2 of the Local Health System Integration Act, 2006. Their designation will be prescribed pursuant to section 3(8) of the amended regulations.

[4] Patients First Act, 2016 (Ontario), received Royal Assent on December 8, 2016 (not yet proclaimed in force).

[5] Any use of the word “compromise” refers to theft, loss, or unauthorized use or disclosure.

[6] See section 17.1 of PHIPA.

[7] Ibid.

[8] This will be required under a new section 6.3 of the regulations.

[9] This will be under section 6.3(2) of the amended regulations.

[i] The definition of “health information custodian” can be found under section 3(1) of PHIPA.

European Banking Authority Responds to European Commission Public Consultation on Fintech: Potential Takeaways for Canada

Posted in AI and Machine Learning, Big Data, Cybersecurity, Financial, FinTech
Ana Badour, Arie van Wijngaarden, Carole Piovesan, Blake C. Jones, Heidi Gordon

In March 2017, the European Commission issued a public consultation document on Fintech.  The goal of the European Commission (EC) document is to further the objective of a digital single market within Europe.  This will be done by supporting the development of digital infrastructure,  improving access to goods and services, and ensuring rules foster technological development.

The European Banking Authority (EBA) published its response to the public consultation in June 2017.  The EBA response is significant because it sheds light on how European banks are approaching the areas of artificial intelligence, roboadvisors, crowdfunding, and big data.  Institutions in other countries, including Canada, could benefit from careful analysis of the European approach to these issues as they craft their own Fintech strategy.

Artificial Intelligence and Roboadvisors – Potential Areas of Concern

Artificial Intelligence and big data analytics are areas where the European Commission is aiming to strike a delicate balance between fostering innovation and controlling risk. Automated artificial intelligence applications, such as roboadvisors, have the potential to provide enhanced and more personalized service to customers. However, these applications are not without risk.

The EBA identified several areas of concern in its response paper:

  1. Access to Information and Transparency – Customers have both limited access to the algorithms underlying roboadvice, and limited understanding of how the algorithms work. European regulators such as the European Commission and the UK Financial Conduct Authority have expressed concern that customers could receive sub-optimal advice from a roboadvisor without being aware this is the case due to lack of visibility into the underlying algorithm. This could lead to poor investing decisions by customers.
  2. Cybersecurity Risk – Algorithms could be compromised by malicious actors or software error.  This exposes customers to the risk of financial loss.  Best practices in data security should be maintained at all times to protect against unauthorized data access, as well as data misuse without customer consent.
  3. Market Distortions Caused by Widespread Automation – Large scale use of passive investment vehicles based on similar algorithms could result in customers taking the same actions en masse.  This opens markets up to distorted pricing and in extreme cases to algorithm-influenced “flash crashes” brought on by sudden mass selling.  Such events could be particularly problematic for investors because the allocation of liability is unclear.
  4. Limited Data Portability – Machine learning algorithms, which improve based on their interactions with a customer, may be able to offer a more personalized customer experience. In many cases these algorithms are proprietary, and financial institutions are reluctant to share them with competitors. If individuals cannot take their data with them when they transfer to another financial institution, there is a risk their new institution may employ a different algorithm which may not be suited to their data. This could result in a lower quality customer experience.

These concerns are not jurisdiction-specific and could apply to artificial intelligence applications in a Canadian context as well.

The EBA takes the position that the robo-advice industry is still developing and that, at this stage, careful monitoring, rather than full-scale regulation, is needed. Furthermore, since most Fintech services are provided online, the EBA argues regulators should be considerate of cross-border commerce and seek to avoid stifling innovation. In the event that such regulation is introduced, the European Commission has committed to ensure that it will be based on the principles of technological neutrality, proportionality to business size and significance, and promotion of market transparency and integrity.

Crowdfunding Regulation – Call for Harmonisation

The European Commission requested public comment on the impact of national regulatory regimes for crowdfunding on the development of social funding platforms in Europe.  In January 2017, the European Crowdfunding Network issued a report on Crowdfunding calling for EU wide minimum standards for alternative finance legislation in member states.  The EBA raised the concern that national regulatory regimes create room for regulatory arbitrage between nations and increase the likelihood of regulatory gaps.  Since complying with different regulatory systems is quite costly, disparate national regulation of crowdfunding is a particular burden to Fintechs who do not have the same access to capital as established players.

The EBA suggests the introduction of an EU wide regime on Crowdfunding.  This would facilitate cross border alternative financing which would make crowdfunding easier for smaller European economies.  Harmonisation of regulations could also be helpful in prevention of terrorism financing or money laundering using alternative finance platforms.

The EBA also recommends harmonisation of the disclosure requirements for crowdfunding platforms. At a minimum, crowdfunding platforms should conduct a risk assessment and publish it to potential investors or lenders. A risk assessment should include a report on the creditworthiness of the issuers as well as disclosure documents on the risk of the investment being illiquid, the risk of loss, or the risk of unrealized return. These concepts are sensible ways to reduce the likelihood of fraud or market risk in alternative finance forums. They are also consistent with the EC principle of encouraging market transparency.

The concerns in Europe are not unlike those expressed by Fintechs operating in Canada. Although Canadian securities regulators have, over the last couple of years, made a number of changes to provincial exempt market regimes, which changes are intended to facilitate greater access to capital (in particular, for start-ups and small and medium-sized businesses), market participants have expressed similar concerns over the lack of a harmonized regime across all Canadian jurisdictions.

Conclusion

The EC consultation aims to ensure European regulators balance fostering Fintech innovation with minimizing risk, particularly with respect to roboadvisors, crowdfunding and artificial intelligence. In this respect, the EBA has strongly argued in favour of harmonisation of standards across Europe.  Developments in European Fintech regulation could potentially impact contractual arrangements of Canadian entities (either Fintechs or incumbents) engaged in cross-border activity within the European Economic Area.  In addition, European regulatory developments will be particularly relevant to Canadian Fintechs who are considering expanding to Europe.


Few “likes” for Facebook Forum Selection Clause: Supreme Court Finds “Strong Cause” to Not Enforce Forum Selection Clause

Posted in Class Actions, Privacy, Privacy Act, Social Media, Uncategorized
Jade Buchanan, Miranda Lam

Electronic terms of service govern billions of relationships worldwide, whether a user is joining a social media service, shopping online or accessing a blog. In each case, a binding contract is formed, the terms of which are usually set out in the website’s “terms of service”. But when a contract is made over the internet and there is later a dispute, whose law governs? What is the “forum” for the resolution of the dispute? What if the contract expressly designates a specific jurisdiction as the appropriate “forum”? In Douez v Facebook, Inc. (“Douez”), the Supreme Court of Canada refused to uphold the forum selection clause contained in Facebook, Inc.’s terms of service.

Background

The case involves Facebook, Inc. (“Facebook”) and the representative plaintiff in a proposed class action, Ms Deborah Douez. When Ms Douez joined and continued using Facebook, she agreed to terms of service which included committing to bring any claim against Facebook exclusively in Santa Clara, California.

Ms Douez’ dispute with Facebook started when she found her name and image being used in Facebook’s “Sponsored Stories” product. She initiated proceedings under BC’s Class Proceedings Act with a proposed class of the approximately 1.8 million British Columbians who appeared in Sponsored Stories. The claim was based on Section 3(2) of BC’s Privacy Act:

(2) It is a tort, actionable without proof of damage, for a person to use the name or portrait of another for the purpose of advertising or promoting the sale of, or other trading in, property or services, unless that other, or a person entitled to consent on his or her behalf, consents to the use for that purpose.

Facebook brought a preliminary motion to dismiss the claim, citing the forum selection clause, which read as follows:

You will resolve any claim, cause of action or dispute (claim) you have with us arising out of or relating to this Statement or Facebook exclusively in a state or federal court located in Santa Clara County. The laws of the State of California will govern this Statement, as well as any claim that might arise between you and us, without regard to conflict of law provisions. You agree to submit to the personal jurisdiction of the courts located in Santa Clara County, California for purpose of litigating all such claims.

Facebook obtained a favorable decision from the British Columbia Court of Appeal. Ms Douez appealed to the Supreme Court of Canada.

Summary of the Majority Decision

A narrow 4-3 majority of the Court found that Facebook could not rely on its forum selection clause.

The Court did unanimously affirm that forum selection clauses should continue to be considered under the test established in Z.I. Pompey Industrie v ECU-Line N.V., 2003 SCC 27 (“Pompey”). The Pompey test involves two steps. First, the party seeking to rely on a forum selection clause must prove that it is clear, valid and enforceable as a matter of contract law. Second, once the forum selection clause is accepted as valid, the party asking the Court to not enforce the clause needs to show a “strong cause” for doing so based on “all the circumstances.”

The Court’s consensus ended at Pompey. Three members of the Court, Justices Karakatsanis, Wagner and Gascon, decided that Facebook had satisfied the first step of Pompey and that the forum selection clause was valid. However, they found Ms Douez had shown a strong cause for not enforcing the clause.

The strong cause was based on two main factors. First, the power imbalance inherent in a unilaterally imposed contract (known as a contract of adhesion) between one individual consumer and one of the largest companies in the world. This power imbalance was increased by the fact that “unlike a standard retail transaction, there are few comparable alternatives to Facebook.”

Second, the Privacy Act was described as “quasi-constitutional”, because it was intended to protect the privacy rights of individuals. The decision explained the importance of adjudicating constitutional and quasi-constitutional rights in Canada:

Canadian courts have a greater interest in adjudicating cases impinging on constitutional and quasi-constitutional rights because these rights play an essential role in a free and democratic society and embody key Canadian values. There is an inherent public good in Canadian courts deciding these types of claims. Through adjudication, courts establish norms and interpret the rights enjoyed by all Canadians.

In addition to the power imbalance and the quasi-constitutional nature of privacy legislation, the three Justices cited two additional factors. First, it was in the interest of justice for the case to be adjudicated in BC, where the Privacy Act would be enforced and the Court would be well-positioned to understand the intention of the Legislature. The decision also cited the “comparative expense and inconvenience” of advancing the claim in BC, rather than California, which again favored a strong cause.

A strong cause was not even required for Justice Abella, who wrote a separate decision that ultimately “broke the tie” amongst the seven justices and allowed Ms. Douez’ appeal to succeed. She found that Facebook had not met the first Pompey step of showing the clause to be enforceable as a matter of contract law. Justice Abella concluded that the forum selection clause was void relying on public policy, inequality of bargaining power and unconscionability.

In a dissenting opinion, Chief Justice McLachlin and Justices Moldaver and Côté were prepared to enforce the forum selection clause, finding that Ms Douez had not shown a strong cause.

Impact for Businesses

  • Forum selection clauses are still enforceable, even if they are not a silver bullet against being brought into litigation in unexpected places. Had Ms Douez been advancing a claim that did not impinge on “constitutional and quasi-constitutional rights” like those engaged in the Privacy Act, the forum selection clause may have been upheld. Indeed, six out of seven Supreme Court Justices were prepared to enforce Facebook’s forum selection clause, save for the existence of a “strong cause” in this instance.
  • When engaging with personal information, consulting local privacy counsel is a must. Privacy legislation varies from province to province and failing to appreciate even slight differences can result in class action claims.

Impact on the Future of Internet Law

The only thing that can be said for certain is that the interaction of the internet and the law is likely to produce more decisions like Douez. In fact, the Supreme Court just released Google Inc. v Equustek Solutions Inc. et al., which addresses if and when a Canadian court can order a search engine to delist certain websites globally.

Further, Douez is unlikely to be the last word on the specific issue of forum selection clauses. The Pompey test may open future debates about “strong cause” in the context of consumer contracts. The opinions of the divided Court in Douez could be used to provide supporting arguments for both sides in a situation where the facts are just slightly different.

Lastly, this decision is just the end of the first chapter of the Douez saga. Facebook’s preliminary motion was rejected but the class action has yet to be certified, so there is more internet law to come.

“Not There Yet”: Bank of Canada Experiments with Blockchain Wholesale Payment System

Posted in FinTech
Maureen Gillis, Alexandru Trusca

The Bank of Canada has issued a report on Project Jasper, its recently completed experiment testing the viability of distributed ledger technology (DLT) as the basis for a wholesale payment system. The experiment was a combined effort by the Bank of Canada and Payments Canada, along with Bank of Montreal, Canadian Imperial Bank of Commerce, HSBC, National Bank of Canada, Royal Bank of Canada, Scotiabank and TD Canada Trust. The experiment revealed that such technology is not more beneficial, at least for now, than the current centralized system of wholesale payments. However, the successful proof-of-concept highlighted best practices for wide-scale public/private cooperation and uncovered other opportunities for the implementation of the technology within the financial industry.

Bank of Canada and Project Jasper

The Bank of Canada embarked on Project Jasper to learn more about the feasibility, benefits and challenges of using DLT as the basis for a wholesale interbank payment system. These systems are crucial mechanisms for the financial industry that allow large financial institutions to process payments to each other as well as to and from central banks. Canada’s wholesale payment system, the Large Value Transfer System (LVTS), is operated by Payments Canada and processes an average of $175 billion in payments each business day. Despite the large sums processed, LVTS payments are relatively simple and thus presented a reasonable starting point for practical testing of a DLT system.

Project Jasper involved the building and testing of a simulated wholesale payment system using a DLT-based settlement asset. The experiment’s dual objectives were to evaluate whether a test system could meet international standards for systemically important payments infrastructure, including the Principles for Financial Market Infrastructure (PFMIs), and to collaborate with the private sector on a practical DLT application.

The first phase of the project involved the building of a settlement capability on an Ethereum platform and the demonstration of the ability to exchange the settlement asset between participants. The second phase was built on a Corda platform[i] and introduced a liquidity saving mechanism (LSM) where only the net difference between transactions actually settles, mirroring the LSM function in the existing centralized system. Project Jasper required the creation of a novel LSM designed specifically for a distributed ledger, believed to be the first of its kind. The second phase also used a consensus system that allowed the Bank of Canada to serve as a notary with access to the entire ledger, allowing the Bank of Canada to verify the funds involved in transactions. Relying on these two custom features built within the Corda platform, the Bank of Canada, along with Payments Canada, ran a set of simulated transactions.

Experiment Assessment

While the experiment validated that a DLT-based wholesale payments system can likely satisfy risk concerns and PFMIs related to credit risk, liquidity risk and settlement risk, other areas such as settlement finality, operational risk, as well as access and participation requirements are still of concern. The highest operational risks relate to resilience:

  1. Continued back-up and security needs: While the project demonstrated that the core of a DLT-based wholesale payments platform can deliver high availability at a low cost, once additional technology components, such as digital keys, identity and system access management—all important elements of Project Jasper, but currently based on centralized models—are added to the system, the typical challenges associated with a single point of failure faced by existing centralized systems re-emerge. This vital information must be backed up and secured to ensure it is not lost, mishandled or abused, similarly to the current security measures of centralized systems. Up against the highly efficient existing system, the high costs of initial design of the DLT system suggested that the bulk of cost savings that might arise from the use of this kind of DLT system would arise from a reduction in bank reconciliation efforts, not from the core system.
  2. Difficult balance between privacy and transparency: While Project Jasper partitioned data in such a way as to create a significant amount of privacy for transactions, it also introduced significant challenges for data replication across the network, a key feature and advantage of DLT, because each participant’s node had access to only a subset of data, introducing a point of failure at each node. More robust data verification requires wider sharing of information. The balance required between transparency and privacy poses a fundamental question to the viability of the system for such uses once its core and defining feature is limited.
  3. Settlement risk: Principle 8 of the PFMIs requires settlement finality. Defining the conditions under which a transfer in the wholesale payments system is considered irrevocable and unconditional is central to the system’s operation and involves both operational and legal components. Phase 1 of Project Jasper underlined some of the challenges the use of Ethereum poses for settlement finality, as its proof-of-work (POW) consensus mechanism is probabilistic, meaning that although settlement becomes increasingly certain as a transaction becomes progressively more immutable over time, there is always a small possibility that a payment could be reversed. The use of the Corda platform and the notarial function of the Bank of Canada have potentially introduced in Phase 2 of Project Jasper an element of irrevocability, but stress testing would be required to confirm that settlement risk had been adequately addressed.
  4. Potential for restricted DLT systems to create single point of failure: The notary consensus system implemented in Phase 2 of Project Jasper, while important for verification, also creates a single point of failure, with the implication that an event such as an outage at the Bank of Canada would prevent the processing of any payments. Activities such as permissioning of nodes and establishment of operational standards continue to require significant centralization. Given these considerations, it was concluded that restricted distributed ledger schemes such as Project Jasper may decrease operational resilience or incur more expense when compared against current centralized systems.

Conclusions

Despite Project Jasper highlighting significant limitations to the use of DLT within the wholesale payment space, it still proved valuable in the eyes of the stakeholders involved. The participants, including public-sector and private-sector partners, stated that they learned a great deal about the technical aspects of DLT technology, discovered best practices for wide-scale cooperation and uncovered insights into other paths that may be explored to help reap the benefits of such technology through other Fintech innovations. One key insight that Project Jasper illuminated is that cost savings or efficiency gains can be obtained “if a DLT-based core interbank payment system can serve as the basis for other DLT systems to improve clearing and settlement across a range of financial assets”, such as stocks, bonds, derivatives and other, more decentralized systems with long settlement times, interacting with the wider financial market infrastructure by combining different elements on the same ledger.

Notably, this proof-of-concept exercise excluded many governance and legal considerations of traditional wholesale payment systems, including anti-money laundering requirements, suggesting that a true production system could have significant additional complexity to address.

Commenting on the experiment, Carolyn Wilkins, senior deputy governor of the Bank of Canada, and Gerry Gaetz, president of Payments Canada, concluded that, as against the necessity for interbank systems to be safe, secure, efficient and resilient, as well as to meet all international standards, “DLT-based platforms are just not there yet.” Consequently, they indicated that near-term modernization of Canada’s payments system will not involve distributed ledgers. Nonetheless, it will involve wide-scale innovation and collaboration across many public and private parties, the benefits of which were also demonstrated in Project Jasper.

[i] R3 has created an open-source distributed ledger platform named Corda that is designed to record, manage and automate legal agreements between businesses. Two important differentiators from traditional blockchains include the ability to support various consensus mechanisms and the ability to restrict access to the data within agreements to those explicitly entitled to it.

For more information about our firm’s Fintech expertise, please see our Fintech group’s page.

A Glimpse into a Tangled Future: Implications of an Increasingly Connected World

Posted in AI and Machine Learning, Big Data, Internet of Things
Kevin Stenner

Looking forward to living in a house that reduces your workload by mowing your lawn? What about having your front door beam you photographs of everyone your adolescent children let into your home while you are at work? Or, even better, a door that will only open for certain people at specific times during the week?  As the Internet of Things (IoT) continues to expand into every nook of daily life, these “advances” are not only the way of the future – they are the way of the present.

In response to this proliferation of the IoT and IoT devices, the United States Government Accountability Office recently released a technology assessment of the IoT (the “Report”) respecting the status and implications of an increasingly connected world.  The Report highlighted the benefits of the IoT’s rapid emergence.  However, it also made sure to stress the challenges presented by a future where our refrigerators can provide a summary of our late night snacking habits to our insurance companies, or worse, our personal trainers.

The Benefits of Living in a Connected World

There is no shortage of benefits that can be derived from IoT devices.  Some of these benefits are obvious; imagine a surgeon operating on you through smart glasses that overlay digital aids onto the physical world.  Some benefits are less obvious, such as cow monitoring devices used by ranchers to determine when cows are in their optimal breeding cycle.

Clearly, there can be little debate that the benefits of IoT devices are seemingly endless. Consumers are seen to benefit from the use of wearables, networked electronic homes and collision detection systems in vehicles.[i]  Industry benefits through an optimization in operations and the public sector benefits through the management of service delivery.[ii]

The Downside to the IoT

However, despite the significant benefits of IoT devices, there are also real dangers associated with this increased connectivity and, more importantly, there seems to be little consensus on how to regulate the IoT moving forward.

Information Security Challenges

As the Report identifies, the rapid adoption of IoT devices into everyday situations has the potential of bringing the effects of a device’s poor security into homes, industries and communities.[iii]  The risk is that unauthorized individuals and organizations can gain access to IoT devices for malicious purposes.[iv]  Furthermore, this risk is exacerbated as many IoT devices were built without anticipating the threats associated with internet connectivity.[v]  As an example, researchers found that they could remotely gain control over a vehicle’s steering and brakes through wireless communication.

Although numerous agencies have issued extensive guidelines in respect of protecting IoT devices, there is no standard for the implementation of these guidelines and there is no consensus on how to deal with the associated risks.[vi]

For example, the Federal Trade Commission recommends that companies prioritize and build security into their devices.  However, the risk is that by implementing access controls and security measures, the functionality and flexibility of IoT devices could be affected.[vii]

As an additional security feature, the National Institute of Standards and Technology and AT&T recommend that consumers take steps to ensure that their IoT devices are updated with the most current software upgrades.[viii]  Although this suggestion is practical, it is based on the assumption that an IoT device can easily be updated, that the update will increase the security of the device and that the consumer will ultimately install the update.  This suggestion also raises an interesting question as to who would be responsible for any damage caused by a rogue vehicle if the owner had failed to install a software upgrade that may have prevented the vehicle from being wirelessly hijacked.

Privacy Challenges

Other major hurdles for the developers of IoT devices are to ensure: i) that the devices do not inappropriately collect or misuse personal information; ii) that suitable methods for notifying customers about how data will be used are developed; and iii) that a consumer’s consent is obtained for the collection and use of personal data.[ix]  As an example, in many cases IoT devices collect information through sensors that are embedded in everyday items and that record data while an individual is unaware that data is being recorded.[x]  Despite this constant monitoring, many of these IoT devices do not seek consent or do not have the means to seek consent.  In addition, even if an IoT device requested consent, would consumers take the time to properly review and understand the consent that they were providing?

There are also the concerns that information harvested from IoT devices can be used for a variety of purposes unrelated to the consumer’s use of the device and that this information could ultimately be linked with other harvested information to provide a detailed profile of an individual’s habits.[xi]  Accordingly, experts suggest that data harvested from IoT devices should be de-identified.  However, not only is there no standard process by which data can be de-identified, but the de-identification of data must be done in such a manner that the information cannot be re-identified.[xii]

Final Word

Although the Report does not provide a solution on how to manage the proliferation of IoT devices, it does highlight the fact that in the United States there is no single “federal agency that has overall regulatory responsibility for the IoT”.[xiii]  Canada has a more centralized privacy regime and in that respect has an advantage (and may provide more certainty to businesses), but IoT involves more than just privacy.

As IoT devices continue to become cheaper and move into all facets of life, governments in Canada will need to determine if and how to get involved.

Based on the Report, it would seem that one of the first areas government may look at is the adoption of guidelines to ensure that IoT devices are built to minimum security standards.  The threshold question of whether this is approached as a regulatory initiative, a framework document, or in partnership with a third-party standards body and/or industry would need to be answered.

Furthermore, concerns regarding consent, data harvesting and the de-identification of personal information – concerns central to IoT devices – were front and centre in the recent hearings on the review of Canadian privacy legislation (PIPEDA). While IoT devices and manufacturers may not be regulated specifically, it is likely that coming amendments to privacy laws will impact those in the IoT ecosystem.

[i] The Report at pgs 16-19.

[ii] The Report at Appendix II.

[iii] The Report at p 26.

[iv] The Report at p 26.

[v] The Report at p 28.

[vi] The Report at p 27.

[vii] The Report at p 28.

[viii] The Report at pgs 29-30.

[ix] The Report at p 31.

[x] The Report at p 33.

[xi] The Report at p 35.

[xii] The Report at p 35.

[xiii] The Report at p 55.