CyberLex

Insights on cybersecurity, privacy and data protection law

Privacy Commissioner Seeks Public Input on Consent Model

Posted in Big Data, Internet of Things, Legislation, Privacy
Kirsten Thompson, Breanna Needham

On May 11, 2016, Privacy Commissioner Daniel Therrien announced the Office of the Privacy Commissioner of Canada (“OPC”) would seek public input on the issue of how Canadians can give meaningful consent to the collection, use and disclosure of their personal information in an increasingly digital age. The OPC has released a discussion paper (“Report”) on considerations related to “enhancing” the consent model under the Personal Information Protection and Electronic Documents Act (“PIPEDA”) and a notice of consultation and call for submissions inviting all interested parties to answer specific questions related to the Report and also to provide any thoughts on issues raised. The deadline for submissions is July 13, 2016.

The Report – An Overview

The Report considers the approaches taken by other jurisdictions to the issue of consent, including the EU General Data Protection Regulation (“GDPR”) reform initiative, which also recently included the initiation of a public consultation process, and the US approach, as governed by the Federal Trade Commission.

The Report also focuses on challenges that both businesses and individuals face when it comes to providing meaningful consent in an era of Big Data and the Internet of Things (“IoT”):

The consent model of personal information protection was conceived at a time when transactions had clearly defined moments at which information was exchanged. Whether an individual was interacting with a bank or making an insurance claim, transactions were often binary and for a discrete, or limited, purpose. They were often routine, predictable and transparent. Individuals generally knew the identity of the organizations they were dealing with, the information being collected, and how the information would be used…[N]ew technologies and business models have resulted in a fast-paced, dynamic environment where unprecedented amounts of personal information are collected by, and shared among, a myriad of often invisible players who use it for a host of purposes, both existing and not yet conceived of. Binary one-time consent is being increasingly challenged because it reflects a decision at a moment in time, under specific circumstances, and is tied to the original context for the decision, whereas that is not how many business models and technologies work anymore.

The Report goes on to offer several possible solutions to the problems in the current consent model and poses questions for reflection for the public consultation process.

The Suggested Changes

While noting that “[c]onsent should not be a burden for either individuals or organizations, nor should it pose a barrier to innovation and to the benefits of technological developments to individuals, organizations and society”, the OPC’s proposed “enhancements” to consent will likely cause concerns for business.

A great deal of the focus in the proposed reform revolves around creating processes that simplify complicated concepts such that individuals will be able to readily comprehend and appreciate the purposes to which their personal information may be put.

The proposed solutions are intended to address several specific challenges, including: making informed consent and information related to privacy preferences more readily comprehensible to individuals; creating “no-go zones” or “proceed with caution zones” to protect particularly vulnerable groups in high-risk sectors; devising accountability processes that include independent third parties; placing a greater emphasis on fairness and ethical balance with regard to the use of personal information; and stronger regulatory oversight of privacy protection, including enforcement mechanisms that can be applied for deterrence purposes.

Proposed Enhancements to Consent

The Report advocates for privacy policies that lack opacity and privacy preferences that can be managed with greater ease through the following mechanisms and considerations:

  • Greater transparency in privacy policies – through communicating privacy information at integral points in time to increase the ease with which a consumer can understand the flow of information and utilizing layered privacy policies that are simultaneously inclusive and intelligible.
  • Managing privacy preferences across services – through the use of an independent third party that screens and controls preferences and the related release of personal information.
  • Technology-specific safeguards – through built-in compliance mechanisms and broadly constructed recommendations for best practices, including comprehensive disclosure requirements to consumers both pre- and post-purchase.
  • Privacy as a default setting – whereby privacy is an inherently integrated component by default.

What this means for business remains to be seen. “Layered” privacy policies will, at a minimum, require most organizations to rewrite their current policies and add an additional layer of technological administration. The call for “dynamic, interactive data maps and infographics, or short videos” is unlikely to be met with enthusiasm by business, either. While the goal of transparency and readability is laudable, it is doubtful that consumers will spend any more time on these items than they do on existing text-based policies.

The use of an independent third party to manage privacy preferences across devices places the burden for doing so squarely on business. In this proposal, users would associate themselves with a standard set of privacy preference profiles offered by third parties and these third party websites would then vet apps and services based on the user’s privacy profile. It seems unlikely that these proposed third parties would offer this service for free.

Proposed Alternatives to Consent

The Report contemplates practicable alternatives to the traditional approach to consent, such as the de-identification of data and types of information that may not necessarily require consent, as well as the necessary changes to the applicable legislative framework that may be required for implementation.

  • De-identification – While the anonymization of information necessarily strips it of the contextual factors related to personal information that necessitate consent, the increasing sophistication of both data sets and the methods for analysis leave concerns about the value of this approach as a privacy protection mechanism.
  • “No-Go Zones” – Areas or zones of personal information of vulnerable groups whose data would be subject to a limited level of processing or potentially a complete prohibition.
  • Legitimate Business Interests – Situations in which personal data could be processed for a legitimate purpose that would no longer require consent unless another fundamental right necessarily required it.

Proposed Governance Considerations

The Report advocates for a greater level of accountability associated with ensuring the adequacy of privacy protections, encouraging transparency and assuring that best practices are being implemented consistently. This would include codes of practice that function to create transparent obligations and suggestions for best practices by using privacy trustmarks to create accountability mechanisms by which regulators can evaluate and designate organizations as compliant, as well as ethical assessments and autonomous organizations with specifically delineated goals focused on protecting the privacy of individuals.

Proposed Enforcement Models

While the Report considers situations in which self-regulation at both the industry and organization level may be appropriate, it also strongly suggests that there is a need for independent oversight, with accountability facilitated through fines and the ability to create orders, as opposed to recommendations, in order to maximize effectiveness. While independence is seen as the cornerstone of any regulatory body in the future for ensuring privacy and meaningful consent, the Report focuses on a proactive compliance model that would serve a stronger deterrent purpose than that of the OPC as it exists today.

What Does this Mean for Businesses?

In the era of the IoT and Big Data, traditional conceptualizations of consent processes no longer necessarily apply. The OPC has expressed concerns about opaque consent processes that individuals don’t actually read or comprehend, and has indicated that the solution may include sector-specific regulation of the collection and use of data, as well as of the associated consent processes used in obtaining personal information. Many businesses may need to both revisit and reword existing privacy policies and consent protocols in order to increase the transparency, accessibility and intelligibility of the policies surrounding data and the purposes to which personal information may be put.

Court Finds a Lesser Expectation of Privacy in Cameras than in Cell Phones and Computers

Posted in Internet of Things, Privacy, Social Media, Uncategorized
Joel Payne

Driven in part by advances in recording device technology such as wearable cameras and drone-mounted cameras, the trend of self-recording one’s life continues to grow.  The videos recorded on these devices are popular on social media and range from the mundane to the extreme.  Some even include criminal acts: illegally scaling structures and in some cases BASE jumping off of them, pushing cars and motorcycles to dangerous speeds, and all manner of other illegal acts that may endanger the performer and the public.  Given that filming one’s own crimes is a stupid thing to do, it is no surprise that courts are starting to see these videos introduced as evidence against the filmmaker/offender. However, some recording devices appear to attract a lesser expectation of privacy than others, based largely on judicial perceptions of predominant use.

Background

In R. v. Roy, 2016 ABPC 135, Judge H.M. Van Harten of the Provincial Court of Alberta made a ruling in a voir dire (an application in the course of a criminal trial to determine the admissibility of evidence) that contains an interesting discussion about individuals’ expectations of privacy in personal recording devices.  In this particular case, the device was a helmet-mounted GoPro camera.

The accused in this case, Mark Roy, and a friend were riding their motorcycles in Banff National Park in June 2014. It is alleged that park wardens witnessed Roy and his friend driving badly and speeding. One of the park wardens reported witnessing Roy popping a “wheelie”, which the warden considered to be “stunting” in violation of the Traffic Safety Act. When wardens attempted to stop Roy and his friend, the pair allegedly refused to stop and evaded the wardens during a short pursuit but were ultimately apprehended later. During the apprehension, an RCMP constable noticed that Roy had a GoPro camera attached to his motorcycle helmet and demanded that Roy turn over the camera; Roy refused. The constable then arrested Roy and seized the camera.

Decision

One of the issues in this decision was whether the GoPro had been unreasonably seized from Roy, contrary to s. 8 of the Charter of Rights and Freedoms. The RCMP obtained a warrant before accessing the images on the camera, so this issue was limited to whether the constable’s decision to take the GoPro upon arrest was itself an unreasonable seizure. Judge Van Harten had no trouble finding that the constable was justified in seizing the GoPro to preserve evidence incidental to the arrest.

The judge, however, went on (arguably in obiter) to discuss Roy’s reasonable expectation of privacy in the GoPro. It is this part of the analysis that raises interesting questions about privacy expectations in personal recording devices. The judge started by recognizing that (at para. 25):

[i]t’s well-known that people wear helmet mounted cameras to record their adventures be they skydivers, skiers, bungee-jumpers or, as in this case, motorcyclists. These recordings often find their way onto the Internet or become the subject of “reality TV” shows.

The judge then referred to the Supreme Court of Canada decision in R. v. Fearon, 2014 SCC 77, in which the Court created a new legal framework for permitting searches of cell phones incidental to arrest. The judge cited Fearon for the proposition that:

…the expectation of privacy in one’s personal digital devices is high, the level of expectation may vary depending on the type of device and the circumstances in which it is found.

Based on this proposition, the judge found:

The user of a helmet mounted camera who is under arrest in the circumstance, in which Roy found himself here, has a significantly lower expectation of privacy.

Should privacy expectations vary with the type of device?

The judge’s interpretation of Fearon is not entirely consistent with the Supreme Court of Canada’s analysis in that case.  Justice Cromwell, for the Fearon majority, affirmed the notion that a cell phone is not like a briefcase or a document (at para. 51).  Instead, the Court recognized that cell phones are essentially computers.  They hold an immense amount of data, which may include intimate details about a person’s life.  For these reasons the search of a cell phone may be a far more significant invasion of privacy than other searches incidental to arrest (for example, the search of someone’s pockets for physical items) (at para. 58).  The Court also noted two specific qualifications to its decision.  First, the particular capacity of a cell phone should not affect the analysis of the legality of a search.  A relatively unsophisticated cell phone should still be treated as the equivalent of a computer (at para. 52).  Second, the expectation of privacy is not affected by whether the cell phone is password protected or not (at para. 53).

While the type and nature of a device is undoubtedly part of the analysis of a person’s reasonable expectation of privacy in that device, the judge’s analysis in Roy seems to have assumed too readily that a GoPro is unlike a cell phone. First, like cell phones, GoPro cameras have tremendous storage capacity. It is irrelevant whether they are password protected or not. And they are arguably as likely to contain intimate details of someone’s life as a cell phone—especially an unsophisticated cell phone. While GoPro cameras are often mounted to record the use of a vehicle, that is not their only function and they are not permanently mounted. A GoPro on a vehicle’s dash or on a helmet could easily contain video or images of someone’s children, a significant life event, an intimate encounter with another person, or routine work activities if used in the context of employment.

The device-specific, use-based approach to the analysis is unlikely to be helpful in the long term, either to law enforcement or individuals. There are a multitude of analogous recording devices on the market that come in all sorts of sizes and with a range of different functions and uses – many with network capacity that suggest an ability (but not a requirement) to publish or otherwise disclose the recorded information. A principled approach to recording devices, as suggested in Fearon, is more likely to result in a consistent and comprehensive legal framework.

Federal Agency Sanctioned for Private Company’s Actions (or, why there’s one less reality TV show on tonight)

Posted in Privacy, Privacy Act

The Office of the Privacy Commissioner of Canada (“OPC”) has found the Canada Border Services Agency (“CBSA”) responsible for the intrusive actions taken by reality TV producers – a private sector company – the party that was responsible for obtaining and releasing the personal information of a detainee. While the OPC conceded that the collection of the detainee’s personal information was part and parcel of what the CBSA is permitted to do, it found that by allowing TV cameras to be present during that collection, the CBSA permitted a “real-time disclosure” of that personal information in violation of its obligations under the Act. This is an unusual, and expansive, understanding of the concept of “disclosure”.

Background

The media has recently reported that the hit reality television series, Border Security: Canada’s Front Line, will not be returning for a fourth season after the OPC recommended that the CBSA end its participation in the program.

Border Security began airing in 2012 and had an audience of several millions of Canadians. In short, the program captured encounters between CBSA officers and the public and showcased what happened when people try to smuggle (among other things) Colorado marijuana, firearms, too much currency, and/or Chinese Peking duck into the country. It also highlighted situations where people attempted to enter Canada without the required documentation.

The Incident

On March 13, 2013, the show filmed the CBSA raiding a construction site in Vancouver, where officers found Oscar Mata Duran hiding. Officers proceeded to question Mr. Duran about his identity, immigration status, and employment. Mr. Duran had provided his verbal consent to be video recorded during this initial interrogation. Subsequently, Mr. Duran was processed at an immigration detention facility, where he was presented with a consent form in Spanish that would allow a private production company, Force Four Productions, to film his interactions with the CBSA during his time at the detention centre. Following his stay at the detention centre, Mr. Duran was deported to his home country, Mexico.

The British Columbia Civil Liberties Association (“BCCLA”) subsequently filed a complaint on Mr. Duran’s behalf, alleging that the CBSA’s participation in the television program violated, among other things, the laws regarding disclosure of personal information by a government agency. The CBSA argued that the program educated the public in Canada and around the globe “about the CBSA’s contribution to keeping Canada safe and prosperous, and would demonstrate the challenges that CBSA officers face and the professionalism with which they carry out their mandate”.

The Law on Personal Information

The Privacy Act is legislation that recognizes a right to privacy by protecting Canadians’ personal information collected by the federal government. The Act applies to the federal public sector, which includes about 250 departments, agencies, and Crown corporations.

Section 3 of the Act defines personal information as information about an identifiable individual that is recorded in any form. Section 4 of the Act states that “no personal information shall be collected by a government institution unless it relates directly to an operating program or activity of the institution.”

Section 8 of the Act governs the rules regarding disclosure of personal information and provides that:

Personal information under the control of a government institution shall not, without the consent of the individual to whom it relates, be disclosed by the institution except in accordance with this section.

Section 8(2) lists various circumstances where personal information may be disclosed, which includes when, “in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure”.

The OPC’s Finding

By way of the Finding, the Privacy Commissioner applied sections 3, 4, and 8 of the Privacy Act in order to determine whether the CBSA violated federal law by failing to obtain Mr. Duran’s consent prior to disclosing his personal information. In the end, the Commissioner concluded that the CBSA violated the Privacy Act by engaging in the television program and disclosing people’s personal information in the process.

What makes this Finding particularly interesting is that the Commissioner essentially applied the Privacy Act to the CBSA due to the intrusive actions taken by Force Four Productions – a private sector company – the party that was responsible for obtaining and releasing Mr. Duran’s personal information. Normally, the Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to businesses and organizations in the private sector that use, store, and collect personal information. However, the Commissioner found that due to the CBSA’s contractual relationship with Force Four Productions, and the Agreement that governed this relationship, the private actor’s conduct could be imputed onto the CBSA, thereby implicating the Privacy Act.

The Commissioner clearly stated that as a matter of principle, federal government institutions cannot contract out of their obligations under the Privacy Act. The Commissioner found that “the spirit and intent of the Act would be completely thwarted should federal government institutions have the authority to enter into agreements to facilitate the engagement of activities for which the institution itself may not be authorized.”

In this case, the CBSA and Force Four Productions had an Agreement whereby the CBSA would facilitate access to customs controlled areas to allow the production company to film the enforcement operations. There are two parts of the Agreement that provided the basis for the Commissioner’s overall Finding.

Firstly, the Commissioner found that the CBSA played an integral role “in providing the necessary conditions for filming to take place . . . and that the CBSA [had] substantial control over the collection of personal information by Force Four.” Secondly, the Commissioner found that the CBSA controls the circumstances under which Force Four can film, and maintains control over the footage. The agency also controlled when and how footage is collected, and had the right to review the footage; to comment and approve the footage; to obtain an episode upon request; and to use and reproduce the footage for training purposes.

As a result, the Commissioner found it was not necessary to determine whether the CBSA actually participated in the collection of personal information itself. Rather, he found that the CBSA’s facilitation and control over the filming process “implicates the collection of personal information”, and therefore the CBSA had certain obligations under section 8 of the Privacy Act regarding any subsequent disclosure of that personal information (paras. 81-82):

However, the question of whether the CBSA can be said to be participating in the collection of personal information for the purpose of the Program is not determinative of our finding in this case. In our view, the CBSA is first collecting personal information in the context of its enforcement activities and thereby has a responsibility under the Act for any subsequent disclosure of the information that is collected for, or generated by, such activities.

Following our investigation, we are of the view that there is a real-time disclosure of personal information by the CBSA to Force Four [the producer] for the purpose of Filming the TV Program. Under section 8 of the Act, unless the individual otherwise provided consent, this personal information collected by the CBSA may only be disclosed for the purpose(s) for which it was obtained, for a consistent use with that purpose, or for one of the enumerated circumstances under section 8(2).

Lessons for Business Contracting with the Federal Public Sector

The Privacy Commissioner’s Finding raises a number of potential red flags for private individuals and businesses that contract with government institutions.

This case appears to suggest that when a private entity enters into an agreement with a federal government institution, and the collection of personal information is involved, the OPC may find the government actor to be in violation of the Privacy Act for actions the private entity took if:

  • the government actor provides the necessary conditions for the collection of personal information to take place;
  • the government actor has “substantial control” over the collection of personal information;
  • the government actor controls the circumstances under which the private actor can collect personal information; or
  • the government actor controls the personal information itself.

This could very well result in the end of a potentially very profitable contractual relationship.

It remains unclear whether this Finding will have any precedential value moving forward. However, individuals and businesses that work alongside the federal government would do well to exercise caution in their contractual relationships by first conducting a privacy assessment in order to determine how personal information will be collected, used, stored, and transmitted.

* Amanda Iarusso is a summer student in the Toronto office of McCarthy Tetrault.

Changes to Ontario’s Health Information Privacy Law Include Breach Notification, Increased Penalties

Posted in PHIPA, Privacy
Julia Johnson

Notification to affected individuals and regulators will be required in the event of unauthorized use or disclosure of personal health information under amendments to Ontario’s health information legislation.

The Ontario legislature passed Bill 119[1] in May, which amended the Personal Health Information Protection Act, 2004, c 3, Sched. A (“PHIPA”) and repealed and replaced the Quality of Care Information Protection Act, 2004, SO 2004, c 3. PHIPA governs the collection, use and disclosure of personal health information by health information custodians, such as doctors and hospitals. The Information and Privacy Commissioner for Ontario (“Privacy Commissioner”) oversees PHIPA and had been advocating for amendments to PHIPA to regulate electronic health records (“EHRs”) and the creation of a shared provincial electronic health record system.

Among the amendments to PHIPA is a revised definition of a “use” with respect to personal health information. Under the new definition, use means “to view, handle or otherwise deal with the information”. This change aims to prevent snooping into the health records of individuals.

The amendments also create a positive obligation for health information custodians to protect against the unauthorized collection of personal health information. The new section 11.1 states: “A health information custodian shall take steps that are reasonable in the circumstances to ensure that personal health information is not collected without authority.”

Notification requirements

Significantly, similar to new federal privacy laws governing the private sector, Ontario’s new amendments include data breach notification requirements, whereby health information custodians must notify affected individuals if personal health information about an individual in its custody or control is used or disclosed without authority. The health information custodian must also notify the Privacy Commissioner.

Health information custodians are further required to give notice to a College of a regulated health profession when an employee, agent or member of the College, is terminated, suspended, or subject to disciplinary action resulting from the unauthorized collection, use, disclosure, retention or disposal of personal health information.

Clarification of agent obligations

Under PHIPA, health information custodians may use agents, such as hospital employees and third-party service providers, to collect, use, or disclose personal health information on their behalf. A new amendment clarifies that an agent’s permission to do so may be subject to conditions or restrictions imposed by the health information custodian or a prescribed requirement and that any collection, use, or disclosure by an agent must be in accordance with law.

Electronic health record governance

A major part of the amendments contemplates a governance framework for a shared provincial electronic health record for which there is no single health information custodian. Section 55 of the Act now states that the “prescribed organization has the power and the duty to develop and maintain the electronic health record.” The prescribed organization will manage and integrate personal health information and oversee the EHR, including monitoring and logging access. Under the PHIPA General Regulation, eHealth Ontario is a prescribed organization that maintains a provincial electronic health record.

The new EHR part also provides for “consent directives” which individuals may submit to the prescribed organization to withhold consent to the collection, use and disclosure of personal health information by means of the EHR. Consent directives may be overridden in certain circumstances, such as a significant risk of serious bodily harm, but health information custodians must be notified in such circumstances.

Penalties for offences double

Finally, penalties for offences under the Act have doubled with the new amendments, increasing to $100,000 from $50,000 for individuals and to $500,000 from $250,000 for organizations. There is no longer a limitations period for prosecution under the Act. Formerly, prosecutions must have been commenced within six months of when the alleged offence occurred.

QCIPA repealed and replaced

The second legislative change brought by Bill 119 is the repealing and replacement of QCIPA, which governs “quality of care information” gathered by a permitted committee.

QCIPA generally prohibits the disclosure of “quality of care information.” However, the purpose of the Act is to permit confidential discussions among health facilities to learn from incidents and improve health care systems. A person may disclose any information to a quality of care committee for the purposes of carrying out quality of care functions. However, no more personal health information may be disclosed than is reasonably necessary.

This type of information is excluded from provincial access and privacy laws. When Bill 119 was before the legislature, the Privacy Commissioner submitted that it was concerned the new legislation would result in the disclosure of less information to individuals and their representatives. Under the previous version of QCIPA, quality of care information did not include “facts contained in a record of an incident involving the provision of health care to an individual […]”. This exclusion has been narrowed to only exclude facts in relation to a critical incident. “Critical incident” means “any unintended event that occurs when a patient receives health care from a health facility that, (a) results in death, or serious disability, injury or harm to the patient, and (b) does not result primarily from the patient’s underlying medical condition or from a known risk inherent in providing the health care.”

As such, only facts related to critical incidents can be disclosed; otherwise, information considered quality of care information is not disclosable.

As under PHIPA, unauthorized use or disclosure of quality of care information is an offence under QCIPA.

[1] An Act to amend the Personal Health Information Protection Act, 2004, to make certain related amendments and to repeal and replace the Quality of Care Information Protection Act, 2004.

Mutual Fund Dealers Association of Canada releases Cyber Risk Management Guidance

Posted in Cybersecurity, Financial, Regulatory Compliance
Eriq Yu

Earlier last month, the Mutual Fund Dealers Association of Canada (MFDA) released a bulletin providing guidance on cybersecurity and cyber risk management for mutual fund distributors. The goal of the bulletin is to increase awareness for cyber vulnerabilities and to provide guidance for developing and implementing internal cybersecurity policies.

The bulletin emphasizes the importance of cybersecurity in preventing major disruptions to critical business operations and in mitigating the potential for monetary and reputational harm resulting from data breaches. Citing the US Financial Industry Regulatory Authority (FINRA)’s cybersecurity findings, it identifies three cybersecurity threats in order of salience: outside hackers penetrating the company system, insiders compromising firm or client data, and the operational risks of information technology use.

While cautioning against one-size-fits-all cyber risk management solutions, the bulletin sets out five cybersecurity objectives the MFDA views as common to all of them. The five objectives, which mirror the five core functions of the NIST Cybersecurity Framework and are to be implemented through a combination of people and processes within each organization, are to:

  1. Identify assets in need of protection, including the threats and risks to them;
  2. Protect such assets with the appropriate safeguards;
  3. Detect intrusions, breaches, and unauthorized access;
  4. Respond to a potential cybersecurity event;
  5. Recover from a cybersecurity incident by assessing the incident, restoring normal operations and services, and applying enhanced safeguards that are specific to the nature of the incident.

To achieve these cybersecurity objectives, the bulletin offers a host of security policy and control recommendations, including, among others:

  • Setting up a governance and risk management framework including the involvement and buy-in of the Board of Directors and senior management
  • Cybersecurity incident response procedures, including an incident response team
  • Information sharing and incident/breach reporting, such as the requirement to notify the Privacy Commissioner of specified breaches
  • Managing threats posed by vendors, ensuring the level of risk posed by each third party vendor is appropriately assessed and mitigated
  • Obtaining cyber insurance coverage

While these recommendations are not exhaustive, they present important steps in the management of cybersecurity threats. Ensuring that a cyber risk management plan exists and having security policies and procedures in place is increasingly important to manage the liabilities that arise from privacy and data breaches.

*Eriq Yu is a summer student in McCarthy Tetrault’s Toronto office.

U.S. Treasury Issues Marketplace Lending White Paper

Posted in Big Data, FinTech, Payments
Ana Badour, Kirsten Thompson, D.J. Lynde, Etienne Ravilet Guzman

In response to the U.S. Department of the Treasury’s (“Treasury”) July 20, 2015 request for information on online marketplace lending (the “RFI”), Treasury issued its white paper on marketplace lending “Opportunities and Challenges in Online Marketplace Lending” (the “White Paper”) on May 10, 2016. The White Paper outlines the risks and potential of this emerging form of credit, makes specific policy recommendations and identifies certain trends for future monitoring.

The White Paper defines marketplace lending as financial services that use “investment capital and data-driven online platforms to lend either directly or indirectly to consumers and small businesses”. While less developed than in the U.S., Canada also has a nascent marketplace lending industry, composed of both domestic and foreign-based marketplace lenders. The White Paper identifies a number of considerations that will also be relevant to the Canadian market and Canadian regulators.

Findings from Stakeholders’ Responses to the RFI

The White Paper identifies the following broad themes from the submissions received from consumer and small business advocates, investors, financial institutions, academics, online marketplace lenders and trade associations:

  • marketplace lending is expanding access to credit for small businesses and borrowers who may not have access to other credit sources;
  • the use of algorithms to process credit applications constitutes an innovation that may expedite credit assessment, but which may also carry the risk of disparate credit outcomes that violate fair lending;
  • the online credit model is untested, since it has not operated through a complete credit cycle, and has developed in a context of favourable economic conditions;
  • small business borrowers engaging in marketplace lending may require additional regulatory protection;
  • borrowers and investors would benefit from greater transparency in the terms set by online lending services;
  • the secondary market for loans remains under-developed due to the low number of issuances and lack of transparency, which increases risk for lenders and escalates borrowing costs; and
  • marketplace lending requires regulatory clarity regarding the roles and requirements of market participants and regulators.

Recommendations

The White Paper recommends:

  1. More robust small business borrower protections and effective oversight. While small business loans are in many respects similar to consumer loans, small business borrowers are not afforded the same protections as consumer borrowers. Treasury recommended that the U.S. federal government provide more robust small business borrower protections and effective oversight. This distinction exists in Canada as well, in that small business borrowers generally do not benefit from the same protections as consumer borrowers (with some very limited exceptions in some provinces for loans extended for farming or fishing purposes, or in Quebec, loans extended to professionals, artisans, farmers and sole proprietors in certain circumstances). It will be interesting to see whether Canadian legislators will similarly consider expanding protections for small business borrowers, although given the splintered nature of the federal/provincial regulatory framework, common initiatives in this area seem unlikely.
  2. Sound borrower experience and back-end operations. The marketplace lending industry should ensure a sound borrower experience and sound back-end operations, including backup servicing, by adopting standards that address the whole lending process, from customer acquisition to delinquency or default. Most marketplace lending platforms service loans only until the loans become delinquent and then outsource the servicing to collection agencies. The White Paper suggests that a robust industry-driven framework is key to ensuring the stability of marketplace lending in credit climates that are less favourable than the current one.
  3. Transparent marketplace for investors and borrowers. Online lending platforms require greater transparency in order to grow into a well-developed lending market. This could be achieved through standardization of loan products (including representations, warranties and enforcement mechanisms), consistent reporting standards for loan origination data and ongoing portfolio performance, transparency of loan securitization performance, and consistent market-driven pricing methodology standards. The White Paper encourages financial services industry groups to independently establish loan- and pool-level disclosures and reporting standards. The White Paper also recommends the creation of a publicly available, privately run registry tracking data on transactions, which would include data on the issuance of notes and securitizations, and loan-level performance.
  4. Partnerships between marketplace lenders and financial institutions. The White Paper recommends expanding access to credit for underserved segments of the market through partnerships between online platforms and financial institutions, in particular community banks. Community banks have a strong understanding of local credit markets, and could increase their efficiency and lower costs by partnering with online platforms to make use of the platforms’ underwriting technology and back-end operations. While Canada does not have the same model of community banking as found in the U.S., a somewhat similar role is played by credit unions in Canada, and we have already seen examples of partnerships between credit unions and online lenders, such as the partnerships between Grow Financial and B.C. credit union First West and Saskatchewan credit union Conexus.
  5. Greater access to government held data. Better access to government held data could lead to better consumer access to affordable credit by allowing investors and entrepreneurs to develop innovative products and services. The White Paper mentions two particular forms of data that could assist marketplace lending: “smart disclosure” (the release of government data in formats that can be easily processed by third party software) and “data verification” (the capacity to check applicant-supplied information against government data, allowing for more accurate assessments of the material provided by consumers in their credit applications). In particular, the White Paper suggests the U.S. Internal Revenue Service offer an application programming interface (API) for its income verification express service, so that lenders can automate the sharing of borrower tax data in a simple, fast and secure way. Canada has embraced open data principles and participates in the international Open Data Working Group through its involvement in the Open Government Partnership, and is a signatory to the G8 Open Data Charter. The Canadian Open Data Portal currently contains data sets from Industry Canada and Customs and Revenue Canada on things as diverse as insolvency statistics, survey results on financing and growth of small and medium enterprises, and credit conditions. The Open Data Portal contains information on working with the data and APIs.
  6. Creation of a standing working group for online marketplace lending. The White Paper recommends the creation of a standing working group on online marketplace lending bringing together federal and state agencies, to ensure interagency coordination. Such an approach may also be worth considering in Canada, where, as in the U.S., marketplace lending could fall under the jurisdiction of multiple regulators and legislators.

Trends to Monitor

The White Paper also notes several trends that should be closely monitored to understand how the marketplace lending industry evolves in the context of a potentially less favourable credit environment. These include the following:

  • the evolution of credit scoring;
  • the impact of changing interest rates;
  • potential liquidity risk;
  • increases in the volume of mortgage and auto loans originated by marketplace lenders;
  • cybersecurity threats; and
  • compliance with anti-money laundering requirements.

Conclusion

As can be seen from the White Paper, even in the U.S., where marketplace lending is much more established than in Canada, regulators are still grappling with how best to regulate and where the risks lie. The White Paper suggests some specific recommendations to address potential risks, while noting that certain areas should be closely monitored in the future. It is clear that potential regulation of this space will continue to evolve and should be closely monitored by relevant stakeholders.

Competition Bureau to Increase Scrutiny of Data-Driven Businesses

Posted in Big Data
Kirsten Thompson

In a May 25, 2016 speech given at the offices of McCarthy Tetrault, the Commissioner of Competition, John Pecman, signalled that the Competition Bureau will be heightening its scrutiny of data-driven businesses, particularly those using Big Data analytics techniques.

While supporting “the emergence of innovative business models in the digital economy”, Pecman noted that the increased role of data in business and the larger marketplace meant that anticompetitive practices could impede new entrants.

Referencing the Bureau’s investigation into allegations of anticompetitive conduct on the part of Google in relation to its online search, search advertising and display advertising services, Pecman specifically focused on Big Data as an area of concern for the Bureau:

While that investigation has concluded, the Bureau recognizes that data-driven companies play an important and growing role in Canada’s economy. The emergence of “Big Data” and its effects on competition is also a prevalent concern on the international stage. As the OECD Competition Committee recently observed, some are referring to data as the “new oil”, or the currency of the digital economy. On May 10th, the German and French competition authorities released a joint study on “Competition Law and Data” to further feed the debate on assessing data as a factor to establishing market power.

As the collection, analysis, and use of data is increasingly becoming an important source of competitive advantage, driving innovation and product improvement, the Bureau will continue to actively monitor developments in this area.

Pecman also referenced the recent ruling from the Competition Tribunal against the Toronto Real Estate Board (TREB). The Tribunal supported the Bureau’s view and ruled that the restrictions TREB imposes on its members’ use and display of the data in the Toronto Multiple Listing Service system are anticompetitive, and found them to have had “a considerable adverse impact on innovation, quality, and the range of residential real estate brokerage services” available in the Greater Toronto Area.

Most recently, the Competition Bureau announced that it was launching a FinTech market study (see our previous post here), focusing on innovations that affect how consumers and small and medium-sized businesses interact with financial services and products, such as peer-to-peer banking, mobile wallets and payments, crowdfunding, and online-based financial advisory services (or “robo-advisors”).

Privacy injunctions in the age of the Internet and social media: PJS v News Group Newspapers

Posted in Privacy, Social Media
Barry Sookman

You’re a celebrity and had a threesome. Your partner wasn’t one of the other two. You want the affair to remain private. You go to a court in England, where your family resides, and get an interim injunction. It prevents the English press from publishing the tawdry details, to protect your privacy and the privacy of your family. The affair becomes widely known in other countries, including the US, Canada and Scotland. The English public finds out about it through foreign websites. They also find the story when using search engines, even when not looking for it. The tabloids, which thrive on selling papers filled with salacious details of sexual encounters, incite the English public to access the websites where details of the encounter can be found. They whip the public into a frenzy, claiming they are being censored while their foreign counterparts are not, then move to set aside the injunction.

After scuffles before the lower courts the case gets to England’s highest court. Upholding the rule of law and demonstrating it takes privacy rights seriously, last week the UK Supreme Court ordered the interim injunction continued until trial, stating also that search engines should geo-block links to foreign websites from which the story can be accessed to protect the applicant’s privacy rights.

The reasons of the Supreme Court in PJS v News Group Newspapers Ltd [2016] UKSC 26 (19 May 2016) to maintain the injunction in place despite the tsunami of public pressure to rescind it were delivered in 4 sets of reasons, each of which (except for the dissent) was concurred in by the three other judges making up the 4:1 majority. Central to the decision were the following reasons concurred in by all of the justices writing to maintain the injunction.

  • The ground on which the court acted was to preserve the privacy interests at stake in the case. (In this case, that of the appellant, his partner and their young children in England and Wales.)
  • Unlike causes of action based on breach of confidence, claims to protect privacy can be maintained even when private information is already widely known. Even the repetition of known facts about an individual may amount to an unjustified interference with the private lives not only of that person but also of those who are involved with him.
  • Claims based on respect for privacy and family life (under English law) are based on the two core components of the rights to privacy: unwanted access to private information and unwanted access to or intrusion into one’s personal space.
  • The English/EU courts give very little weight to claims for “free expression” when the expression purely concerns private sexual encounters. Any such disclosure or publication will on the face of it constitute the tort of invasion of privacy, the repetition of which is capable of constituting a further tort of invasion of privacy, even in relation to persons to whom disclosure or publication was previously made – especially if it occurs in a different medium.
  • Injunctive relief to protect privacy can be granted to protect privacy interests even if the information is widely known (including significant internet and social media coverage) if the injunction can prevent extensive and qualitatively different privacy breaches. (That was the situation in the PJS case.)
  • Exemplary or punitive damages and an account of profits may be recoverable at common law for misuse of private information in order to deter flagrant breaches of privacy and to provide adequate protection for the person concerned. (The court left this question open.)

Lord Mance (with whom Lord Neuberger, Lady Hale and Lord Reed agreed) concluded his judgement summarizing the rationale for maintaining the injunction as follows:

The circumstances of this case present the Supreme Court with a difficult choice. As in the Court of Appeal, so before the Supreme Court the case falls to be approached on the basis that the appellant is likely at trial to establish that the proposed disclosure and publication is likely to involve further tortious invasion of privacy rights of the appellant and his partner as well as of their children, who have of course no conceivable involvement in the conduct in question. The invasion would, on present evidence, be clear, serious and injurious. On the other hand, those interested in a prurient story can, if they try, probably read about the identities of those involved and in some cases about the detail of the conduct, according to where they may find it on the internet. The Court will be criticised for giving undue protection to a tawdry story by continuing the injunction to trial. There is undoubtedly also some risk of further internet, social media or other activity aimed at making the Court’s injunction seem vain, whether or not encouraged in any way by any persons prevented from publishing themselves. On the other hand, the legal position, which the Court is obliged to respect, is clear. There is on present evidence no public interest in any legal sense in the story, however much the respondents may hope that one may emerge on further investigation and/or in evidence at trial, and it would involve significant additional intrusion into the privacy of the appellant, his partner and their children.

At the end of the day, the only consideration militating in favour of discharging the injunction is the incongruity of the parallel – and in probability significantly uncontrollable – world of the internet and social media, which may make further inroads into the protection intended by the injunction. Against that, however, the media storm which discharge of the injunction would unleash would add a different and in some respects more enduring dimension to the existing invasions of privacy being perpetrated on the internet. At the risk of appearing irredentist, the Supreme Court has come to the conclusion that, on a trial in the light of the present evidence, a permanent injunction would be likely to be granted in the interests of the appellant, his partner and especially their children. The appeal should therefore be allowed, and the Court will order the continuation of the interim injunction to trial or further order accordingly.

Enjoining the tabloids from publishing the salacious details of sexual encounters would not have prevented members of the English public from accessing stories about the affair published on foreign sites. This was amply demonstrated by the privacy breaches suffered by Max Mosley who waged precedent setting legal battles against media sites and Google in several jurisdictions to get stories about his private life removed from web sites and de-indexed by Google. See, Internet justice: Mosley v Google.

The Court recognized that to protect the applicant’s privacy interests it was necessary not only to enjoin the tabloids, but also for search engines to geo-block links to the story to prevent access in England, something Google was reportedly doing. Lord Neuberger (the President of the Court with whom Lady Hale, Lord Mance and Lord Reed agreed) dealt with this issue stating the following:

It also seems to me that if there was no injunction in this case, there would be greater intrusion on the lives of PJS and YMA through the internet. There may well be room for different views as to whether the lifting of the injunction would lead to an increase or a decrease in tweets and other electronic communications relating to the story. However, if the identity of PJS and the story could be communicated within England and Wales, then it would be likely that anyone in this jurisdiction who was searching for PJS (or indeed YMA) through a search engine, for reasons wholly unconnected with the story, would find prominent links to that story. But if search engines serving England and Wales are geo-blocked from mentioning PJS, or indeed YMA, in connection with the story, as they should be so long as an injunction is in place, this would not happen. It might be said that PJS and YMA could ask the search engine operators to remove any links to the story pursuant to the decision of the Court of Justice in Google Spain SL v Agencia Española de Protección de Datos (Case C-131/12) [2014] QB 1022, but it seems unlikely that the reasoning in that case could apply to a story which has only recently become public and is being currently covered in the newspapers…

It is one thing for what should be private information to be unlawfully disseminated; it is quite another for that information to be recorded in eye-catching headlines and sensational terms in a national newspaper, or to be freely available on search engines in this jurisdiction to anyone searching for PJS or YMA, or indeed AB, by name in a different connection. If, as seems to me likely on the present state of the evidence and the current state of the law, PJS will succeed in obtaining such an injunction at trial, then it follows that he ought to be granted an injunction to restrain publication of the story in the meantime. (emphasis added)

The PJS case has been the subject of considerable commentary. A good roundup can be found here, “Free speech drowning”? – Supreme Court decision to reinstate PJS injunction, a news Round Up”.

Comments

Canadian common law courts are still struggling to develop the contours of the emerging tort of intrusion upon seclusion, first recognized in Ontario in Jones v. Tsige, 2012 ONCA 32. Some provinces have recognized it; British Columbia (which has a statutory tort of invasion of privacy) has not. See, Ari v. Insurance Corporation of British Columbia, 2015 BCCA 468. A 2015 Federal Court decision has suggested that the Canadian common law courts may also recognize another US privacy tort, which provides a remedy against the wrongful disclosure of private information that would be highly offensive to a reasonable person and is not of legitimate concern to the public. See, John Doe v. Canada, 2015 FC 916.

However, Canadian common law courts are still far behind the English courts which have developed a much more flexible tort of misuse of private information, as well as remedies for breach that include damages to compensate for the loss or diminution of a right to control private information, and now following the PJS case, perhaps also exemplary or punitive damages and an accounting of profits. See, Representative Claimants v MGN Ltd [2015] EWCA Civ 1291 (17 December 2015). The damages recoverable in England for the tort are more extensive than those recognized as being recoverable in Canada so far.

Surprisingly, Canadian courts have not had to canvass recently whether the English common law tort of misuse of private information should be adopted in Canada. The courts have also not had to tackle whether the torts that have been recognized so far would enable a claimant to obtain interim or final injunctive relief to protect disclosure of private information that is widely available in other countries.

This article was originally published at http://www.barrysookman.com and is republished here with permission.

IOSCO releases “Cyber Security in Securities Market” Report

Posted in Cybersecurity, Regulatory Compliance
Diego Beltran

The Board of the International Organization of Securities Commissions (IOSCO) released last month the report on its cyber risk coordination efforts. The goal of the report is to provide an overview of the regulatory issues and challenges faced by various segments of the securities markets, in particular reporting issuers, market intermediaries and asset managers, and of the various frameworks and practices adopted by IOSCO members as the threat of cyber-attacks continues to grow.

Reporting Issuers

For reporting issuers, proper and timely disclosure continues to be a concern. The report highlights a number of factors that issuers consider in disclosing a cyber risk, once materiality has been determined, including the:

  • reason the issuer is subject to cyber risk;
  • source and nature of the cyber risk and how the risk may materialize;
  • possible outcomes of a cyber incident;
  • adequacy of preventative measures and management’s strategy for mitigating cyber risk; and
  • whether a breach has occurred previously and how this affects the issuer’s overall cyber risk.

From a regulatory perspective, the report indicates disclosure remains subject to materiality analysis and dependent on an issuer’s specific circumstances. Regulators in the U.S. and Canada continue to issue guidance on specific disclosure obligations in connection with cybersecurity (see our previous post here).

Interestingly, the report points out that those issuers that have been affected by a cyber incident tend to provide more detailed disclosure than either other issuers that have not reported an attack or the same issuer prior to the incident.

Trading Venues

According to the participants surveyed, there has been considerable investment in developing and implementing more sophisticated tools to detect and respond to threats. Honeypots and other decoys are being deployed to collect data on intruders and attempted attacks, which can then be used to provide advance warning. Security Information and Event Management (SIEM) tools are being combined with threat intelligence services to allow for a more proactive response to a cyber threat. Trading venues are increasing their vigilance over internal information and over third party providers. Global initiatives for collaboration and information sharing, such as GLEX, are growing and are seen as valuable forums to share practices and participate in war-game-like drills. From a regulatory perspective, regulators have used examination sweeps, guidelines and frameworks to raise awareness of cyber security. The report cites Canada’s NI 21-101 (available here) as an example of required cyber security controls for “systems that support order entry, order routing, execution, trade reporting, trade comparison, data feeds, market surveillance and trade clearing.”
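To make concrete the kind of correlation the report describes, here is an added example (not taken from the IOSCO report or from any surveyed venue). A constructed blocklist stands in for a threat-intelligence feed, two constructed decoy hostnames stand in for honeypots, and a handful of constructed firewall log lines are grouped by source address. A source that appears in the feed or touches a decoy produces an alert, and the alert is escalated when the same source is later accepted onto a production host, which is the point at which a decoy hit stops being early warning and becomes an active incident. The log format, indicator values and host names are all assumptions made for the illustration.

```python
"""SIEM-style correlation of log lines against threat intelligence and
honeypot decoy hits. Added example; all data below is constructed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed: a blocklist as a threat-intelligence feed might deliver it
# (indicator -> tag). Addresses are from documentation ranges (RFC 5737).
THREAT_INTEL = {
    "203.0.113.45": "feed:known-scanner",
    "198.51.100.7": "feed:credential-stuffing",
}

# Constructed: hosts that exist only as decoys; any traffic to them is suspect.
HONEYPOT_HOSTS = {"hp-ftp-01", "hp-oms-02"}

# Constructed firewall log lines (hypothetical format for this example).
SAMPLE_LOGS = """\
2016-05-02T09:14:03Z fw01 ACCEPT src=203.0.113.45 dst=hp-ftp-01 dport=21
2016-05-02T09:14:09Z fw01 ACCEPT src=203.0.113.45 dst=oms-prod-01 dport=443
2016-05-02T09:15:41Z fw01 ACCEPT src=192.0.2.10 dst=oms-prod-01 dport=443
2016-05-02T09:16:02Z fw01 DENY src=198.51.100.7 dst=auth-01 dport=443
2016-05-02T09:17:55Z fw01 ACCEPT src=192.0.2.77 dst=hp-oms-02 dport=8443
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) (?P<action>ACCEPT|DENY) "
    r"src=(?P<src>[\d.]+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)$"
)


@dataclass
class Alert:
    source: str
    severity: str            # "low", "medium" or "high"
    reasons: list = field(default_factory=list)


def parse_line(line):
    """Return the parsed fields of one log line, or None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def correlate(log_text, intel=THREAT_INTEL, decoys=HONEYPOT_HOSTS):
    """Group events by source address and raise one Alert per suspicious source.

    Severity: high   = touched a decoy AND was accepted onto a real host
              medium = touched a decoy, or a feed match accepted onto a real host
              low    = feed match only (e.g. traffic that was denied)
    """
    events = [e for e in (parse_line(l) for l in log_text.splitlines()) if e]
    by_src = defaultdict(list)
    for e in events:
        by_src[e["src"]].append(e)

    alerts = {}
    for src, evs in by_src.items():
        reasons = []
        if src in intel:
            reasons.append(f"threat-intel match ({intel[src]})")
        decoy_hits = [e for e in evs if e["dst"] in decoys]
        prod_hits = [e for e in evs
                     if e["dst"] not in decoys and e["action"] == "ACCEPT"]
        if decoy_hits:
            reasons.append(f"contacted decoy {decoy_hits[0]['dst']}")
        if not reasons:
            continue  # nothing known-bad about this source
        if decoy_hits and prod_hits:
            severity = "high"
        elif decoy_hits or (src in intel and prod_hits):
            severity = "medium"
        else:
            severity = "low"
        alerts[src] = Alert(src, severity, reasons)
    return alerts


if __name__ == "__main__":
    for a in sorted(correlate(SAMPLE_LOGS).values(), key=lambda a: a.source):
        print(f"{a.severity:<6} {a.source:<15} {'; '.join(a.reasons)}")
```

Running the block on the constructed lines flags 203.0.113.45 as high (known scanner, hit a decoy, then accepted onto a production host), 192.0.2.77 as medium (decoy contact only) and 198.51.100.7 as low (a feed match whose traffic was denied), while 192.0.2.10 produces no alert. In a real deployment the feed and decoy lists would be refreshed from the intelligence service and the SIEM would own the grouping, but the escalation rule is the part that turns honeypot data into the advance warning the report describes.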

Market Intermediaries

The report indicates that regulators of the member jurisdictions have taken various steps to strengthen the cyber security efforts of market intermediaries. In the U.S., for example, the SEC adopted regulations requiring certain regulated financial institutions to implement identity theft programs (see here), and the Financial Industry Regulatory Authority (“FINRA”) issued eight principles and practices, which include:

  • Governance;
  • Cyber security risk assessment;
  • Implementation of technical controls;
  • Establishment of policies and procedures for an incident response plan;
  • Vendor management;
  • Cyber security training for staff;
  • Cyber intelligence gathering and sharing; and
  • Cyber insurance.

While not included in the IOSCO report, the Investment Industry Regulatory Organization of Canada (“IIROC”) has published guidelines to help IIROC-regulated firms protect themselves and their clients against cyberattacks (see our previous post here).

Asset Managers

There is a growing concern among asset managers about threats to data integrity “through the manipulation of data such as net asset values, trading algorithms and portfolio holdings”, which could be far more serious than attacks on the availability of systems (denial of service and distributed denial of service attacks) or data theft. The report highlights the following practices adopted by the asset managers surveyed:

  • identify key digital assets to allow for better allocation of resources, i.e. based on risk profile;
  • implement effective control and protection measures;
  • implement ongoing employee training, including a culture of responsibility and accountability;
  • monitor systems and data usage to facilitate detection of abnormal patterns;
  • develop detailed and actionable incident response plans;
  • access and share actionable threat information;
  • conduct diligence reviews of third party service providers and understand whether fourth-party providers are used; and
  • reassess the firm’s cyber resilience, vulnerabilities and protection.

The report found that 75% of firms surveyed require all employees to undergo information security training; 79% have ensured their architecture is consistent with a recognized security framework (e.g. ISO, NIST); and 40% have contracted cyber security insurance policies.

Conclusion

While there is no one size fits all approach to cyber security, there are commonalities in the approaches and practices of the different market segments that could be relevant across segments. Risk management components across the board include governance, identification, protection, detection, response and recovery.  Governance practices continue to develop and involve senior management and company boards and are a fundamental aspect of any risk management program.

The report highlights the importance of trust among participants in information sharing networks as essential to their viability, and the important role regulators can play in providing the proper incentives for market participants to contribute to such networks.

 

Competition Bureau to Study Fintech Market

Posted in Mobile Payments, Payments
Ana Badour, Diego Beltran

 

The Competition Bureau announced on May 19, 2016 that it will launch a market study focused on how innovation in the fintech sector is impacting consumers and businesses, with the results intended to be published in the spring of 2017, seeking to determine whether there is a need for “regulatory reform to promote greater competition while maintaining consumer confidence in the sector.”

The announcement cites a report indicating that Canada appears to be lagging other countries in adoption of fintech as one of the reasons for deciding to study the financial services industry.

The study “will examine peer-to-peer banking, e-wallets, mobile wallets, mobile payments, crowdfunding and online-based financial advisory services [or robo-advisors]” and, according to the Bureau, will help it advise regulators and other authorities on how to ensure innovation and competition in the sector are not impeded. Blockchain technology is not part of the study, as the Bureau does not consider it to be within the study’s focus on consumer-facing activities. However, the Bureau indicates it is open to changing the scope of the study should stakeholder consultation reveal a need for such change.

The study will not cover insurance (property and casualty, travel, and health), currencies and crypto-currencies (e.g., Bitcoin), payday loans, loyalty programs, deposit taking, accounting, auditing, and tax preparation and services, large corporate, commercial or institutional investing and banking (e.g., pension fund management, corporate mergers and acquisitions), or business-to-business financial services other than those services noted above as being within the scope of the study.

Interested stakeholders are invited to make submissions on the study or on issues specific to the study before June 30, 2016.

More information can be found at http://www.competitionbureau.gc.ca/eic/site/cb-bc.nsf/eng/04086.html.