Teresa Scassa - Blog

Friday, 19 July 2019 09:15

Open Banking in Canada - A Primer

I wrote a short paper on Open Banking in Canada for a presentation I gave to the Digital Strategy Committee of the Board of Directors of Vancity, a Vancouver-based credit union.  The text of this paper is available by clicking on "read more" and/or downloading the PDF attachment below.

In June 2019, the Standing Senate Committee on Banking, Trade and Commerce (BANC) released its report on open banking following hearings it held in the spring of 2019. The federal government, which has been conducting its own consultation into open banking, has yet to issue a report.

For those who have not been following discussions around this issue, ‘open banking’ refers to a framework that enables consumers to share their personal financial data with financial services providers in a secure manner. The anticipated benefits of open banking include providing consumers of financial services (both individuals and small businesses) with more and better financial planning and payment options, and stimulating innovation in the fintech sector. Open banking is no small undertaking. To work, it will require major financial institutions to adopt standardized formats for data. It will also require the adoption of appropriate security measures. A regulator will have to create a list of approved open banking fintech providers. There will also need to be oversight from competition and privacy commissioners. For consumer privacy to be adequately protected there will have to be an overhaul of Canada’s Personal Information Protection and Electronic Documents Act.

The BANC committee report reviews the testimony it heard and makes a number of recommendations. It begins by noting that approximately 4 million Canadians already make use of fintech apps to obtain financial services not otherwise available. These apps require users to provide their banking usernames and passwords in order to enable them to repeatedly access and screen-scrape financial data. It is a risky practice and one that may violate the terms of service for those customer accounts, leaving consumers vulnerable and unprotected. The Senate report notes that the legal and regulatory changes needed to implement open banking in Canada – as well as the necessary work on standards and interoperability – will take time. As a result, the first part of the report makes a number of recommendations to address, in the short term, the protection of Canadians who engage in screen-scraping.

The BANC committee notes that other countries – including Australia and the UK – are already further ahead than Canada in launching open banking initiatives. It expresses concern that Canada may be falling behind what is an international shift towards open banking, noting that “without swift action, Canada may become an importer financial technology rather than an exporter” (at p. 14). The report makes a number of recommendations to facilitate the adoption of open banking in Canada, urging a “principles-based, industry-led open banking framework that would be integrated with existing financial sector and privacy legislation” (Recommendation III). The recommendations include work on developing standards, creating a registry of accredited providers of fintech services, legislating limits on the use of standardized and interoperable consumer financial data, creating a framework in which provincially regulated credit unions and caisses populaires can participate, improving broadband access for rural and remote communities, reforming PIPEDA, and creating appropriate regulatory oversight and enforcement mechanisms.

The BANC committee correctly links open banking to a broader data portability right. This portability right, which is present in the EU’s General Data Protection Regulation (GDPR), is one of the 10 principles articulated in the federal government’s new Digital Charter. The federal government’s recent discussion paper on PIPEDA reform also references data portability. Data portability is a mechanism by which individuals are given much greater control over their data – allowing them to ‘port’ their data from one provider to another. It also has potential to encourage competition and to stimulate innovation in the tech sector. However, for the BANC committee, consumer control is at the heart of open banking. The Committee clearly sees open banking as something that should benefit consumers. They characterize it as giving consumers more control over their personal financial information, and something that can provide them with a “more personalized, convenient digital banking experience” (at p. 37).

Indeed, the BANC committee report as a whole places consumer interests at the centre of the move towards open banking. As noted earlier, its first recommendations are oriented towards taking action to protect consumers who are engaging in screen-scraping to obtain the fintech services they want. It is also sharply critical of the federal government for not appointing a consumer advocate to its Advisory Committee on Open Banking, even though the Department of Finance indicates that it has consulted widely to obtain consumer and civil society input. The BANC committee expressed concern that not enough is known about the potential impacts on consumers of open banking, and recommends that more research be carried out as soon as possible on these issues, funded by the federal government.

 

Published in Privacy
Thursday, 04 April 2019 12:54

Open Banking & Data Ownership

On April 4, 2019 I appeared before the Senate Standing Committee on Banking, Trade and Commerce (BANC) which has been holding hearings on Open Banking, following the launch of a public consultation on Open Banking by the federal government. Open banking is an interesting digital innovation initiative with both potential and risks. I wrote earlier about open banking and some of the privacy issues it raises here. I was invited by the BANC Committee to discuss ‘data ownership’ in relation to open banking. The text of my opening remarks to the committee is below. My longer paper on Data Ownership is here.

_______________

Thank you for this invitation and opportunity to meet with you on the very interesting subject of Open Banking, and in particular on data ownership questions in relation to open banking.

I think it is important to think about open banking as the tip of a data iceberg. In other words, if Canada moves forward with open banking, this will become a test case for rendering standardized data portable in the hands of consumers with the goal of providing them with more opportunities and choices while at the same time stimulating innovation.

The question of data ownership is an interesting one, and it is one that has become of growing importance in an economy that is increasingly dependent upon vast quantities of data. However, the legal concept of ‘ownership’ is not a good fit with data. There is no data ownership right per se in Canadian law (or in law elsewhere in comparable jurisdictions, although in the EU the idea has recently been mooted). Instead, we have a patchwork of laws that protect certain interests in data. I will give you a very brief overview before circling back to data portability and open banking.

The law of confidential information exists to protect interests in information/data that is kept confidential. Individuals or corporations are often said to ‘own’ confidential information. But the value of this information lies in its confidentiality, and this is what the law protects. Once confidentiality is lost, so is exclusivity – the information is in the public domain.

The Supreme Court of Canada in 1988 also weighed in on the issue of data ownership – albeit in the criminal law context. They ruled in R. v. Stewart that information could not be stolen for the purposes of the crime of theft, largely because of its intangible nature. Someone could memorize a confidential list of names without removing the list from the possession of its ‘owner’. The owner would be deprived of nothing but the confidentiality of and control over the information.

It is a basic principle of copyright law that facts are in the public domain. There is good reason for this. Facts are seen as the building blocks of expression, and no one should have a monopoly over them. Copyright protects only the original expression of facts. Under copyright law, it is possible to have protection for a compilation of facts – the original expression will lie in the way in which the facts are selected or arranged. It is only that selection or arrangement that is protected – not the underlying facts. This means that those who create compilations of fact may face some uncertainty as to the existence and scope of any copyright. The Federal Court of Appeal, for example, recently ruled that there was no copyright in the Ontario Real Estate Board’s real estate listing data.

Of course, the growing value of data is driving some interesting arguments – and decisions – in copyright law. A recent Canadian case raises the possibility that facts are not the same as data under copyright law. This issue has also arisen in the US. Some data are arguably ‘authored’, in the sense that they would not exist without efforts to create them. Predictive data generated by algorithms are an example, or data that require skill, judgment and interpretation to generate. Not that many years ago, Canada Post advanced the argument that they had copyright in a postal code. In the US, a handful of cases have recognized certain data as being ‘authored’, but even in those cases, copyright protection has been denied on other grounds. According ownership rights over data – and copyright law provides a very extended period of protection – would create significant issues for expression, creation and innovation.

The other context in which the concept of data ownership arises is in relation to personal information. Increasingly we hear broad statements about how individuals ‘own’ their personal information. These are not statements grounded in law. There is no legal basis for individuals to be owners of their personal information. Individuals do have interests in their personal information. These interests are defined and protected by privacy and data protection laws (as well as by other laws relating to confidentiality, fiduciary duties, and so on). The GDPR in Europe was a significant expansion/enhancement of these interests, and reform of PIPEDA in Canada – if it ever happens – could similarly enhance the interests that individuals have in their personal data.

Before I speak more directly of these interests – and in particular of data portability – I want to just mention why it is that it is difficult to conceive of interests in personal data in terms of ownership.

What personal data could you be said to own, and what would it mean? Some personal data is observable in public contexts. Do you own your name and address? Can you prevent someone from observing you at work every day and deciding you are regularly late and have no dress sense? Is that conclusion your personal information or their opinion? Or both? If your parents’ DNA might reveal your own susceptibility to particular diseases, is their DNA your personal information? If an online bookstore profiles you as someone who likes to read Young Adult Literature – particularly vampire themed – is that your personal information or is it the bookstore’s? Or is it both? Data is complex and there may be multiple interests implicated in the creation, retention and use of various types of data – whether it is personal or otherwise. Ownership – a right to exclusive possession – is a poor fit in this context. And the determination of ownership on the basis of the ‘personal’ nature of the data will overlook the fact that there may be multiple interests entangled in any single datum.

What data protection laws do is define the nature and scope of a person’s interest in their personal information in particular contexts. In Canada, we have data protection laws that apply with respect to the public sector, the private sector, and the health sector. In all cases, individuals have an interest in their personal information which is accompanied by a number of rights. One of these is consent – individuals generally have a right to consent to the collection, use or disclosure of their personal information. But consent for collection is not required in the public sector context. And PIPEDA has an ever-growing list of exceptions to the requirements for consent to collection, use or disclosure. This shows how the interest is a qualified one. Fair information principles reflected in our data protection laws place a limit on the retention of personal information – when an organization has collected personal information that is no longer required for the purpose for which it was collected, its obligation is to securely dispose of it – not to return it to the individual. The individual has an interest in their personal information, but they do not own it. And, as data protection laws make clear, the organizations that collect, use and disclose personal information also have an interest in it – and they may also assert some form of ownership rights over their stores of personal information.

As I mentioned earlier, the GDPR has raised the bar for data protection world-wide. One of the features of the GDPR is that it greatly enhances the nature and quality of the data subject’s interest in their personal information. The right to erasure, for example, limited though it might be, gives individuals control over personal information that they may have, at one time, shared publicly. The right of data portability – a right that is reflected to some degree in the concept of open banking – is another enhancement of the control exercised by individuals over their personal information.

What portability means in the open banking context is that individuals will have the right to provide access to their personal financial data to a third party of their choice (presumably from an approved list). While technically they can do that now, it is complicated and not without risk. In open banking, the standard data formats will make portability simple, and will enhance the ability to bring the data together for analysis and to provide new tools and services. Although individuals will still not own their data, they will have a further degree of control over it. Thus, open banking will enhance the interest that individuals have in their personal financial information. This is not to say that it is without risks or challenges.

 

Published in Privacy
