Click here to watch the video
Privacy is a leading topic in fintech, with both startups, FIs and regulators placing it at the forefront of innovation and negotiation discussions.
- What’s next for data and AI regulation?
- Legal considerations
- How to create privacy policies for both Canada and the US
Click here to view other videos and webinars in this series
Video printing
Konata Lake (00:06): Today we are going to talk to you about privacy. Molly, maybe to start, why don’t you talk to us about privacy regulations, in general and specifically how they affect fintech and what you’re seeing?
Molly Reynolds (00:22): So we’re already dealing with a pretty big patchwork of privacy regulation in Canada. We have federal privacy legislation that applies to private sector organizations, and we have provincial privacy legislation in several provinces. And all of these are undergoing a lot of reform over the next two years. And we see a big focus in these legislative reforms on more transparency for consumers about how their data is used and why. And much more focus on meaningful consent and real choices for consumers about how their data is used. Increased focus on data deletion to actually minimize the risk of breach and an improvement in consumer rights, including access to their information and data portability. And all of that will be wrapped up if the reforms go ahead with significant new penalties and fines under these federal and provincial regimes. In addition to that, Konata, we also have sector-specific regulatory rules that can apply either directly or indirectly to fintechs in the financial area. For example, the Mutual Fund Dealers Association and OSFI requirements to report cyber security breaches. So we’re already dealing with quite a bit of consumer-friendly privacy legislation in the financial realm. And we’re only going to see it get more complex and a little more burdensome in the years to come.
Konata Lake (01:56): You mentioned that the regulation now requires or requires the deletion of data. Certainly fintech companies, one of the main reasons they get into the field is data—collection of data, use of data. So maybe you can talk a little bit about the policy behind driving that, the requirements to delete data and also how that is balanced against companies’ needs to use and manipulate data and how the rules will thread that needle.
Molly Reynolds (02:25): I think two key strategies here to balance these needs. The first is transparency. So we need to explain to consumers why we keep their data. We can’t just say in a privacy policy that we keep it for as long as we need it. Let’s explain why we can keep it to improve the service we provide them by designing better models, you know, like improving products or decision engines. And then secondly to think about the anonymisation of data. So under what circumstances can we use completely anonymous data? Under what circumstances can we de-identify data? So at least it’s harder to identify someone from it. That way, we minimize the risk to consumers, we minimize the risk to the company related to data breaches, but still try to maintain that competitive advantage of gathering enough data to learn a model or improve an algorithm.
Konata Lake (03:24): And maybe talk a little about what we see when it comes to legal cases in relation to privacy.
Molly Reynolds (03:31): So across Canada, we continue to see a huge surge of privacy-related litigation, particularly class actions. And that’s both in the wake of a data breach and in circumstances where consumers say the company’s intentional business practices violated their privacy rights, went too far, or were too scary. With upcoming legislation and law reforms, we are likely to see an even greater increase in privacy lawsuits. And you know, these cases seek tens or hundreds of millions of dollars in damages. They may settle for a little less, but in many cases, the more successful you are as a company, the greater the risk in this context of litigation, because the compensation could be, say, $100 per person. And if you have 100,000 or 500,000 consumers that are affected, that will add up pretty quickly. In addition, it is important to note, and especially in Québec, that there is a very clear path towards punitive damages for privacy violations. So what that means is that the court is really punishing the company because they should have known better in their compliance practices, even though individuals didn’t really suffer any loss or really face any harm as a result of the data practices. And under the new privacy law in Quebec, individuals can seek at least $1,000 per person in punitive damages, which is really going to increase, I think, the risk and the price of this litigation.
Konata Lake (05:07): That’s a really important point to note because I think fintech companies, especially if they’re a startup, can see this in their risk assessment and say, “I know I might not be compliant, but what I’m doing is actually not causing any harm . So I’ll take my chances and deal with a potential lawsuit.” But the point you’re making is that it’s not just about the actual harm that’s done. There’s also the potential for punitive damages. And so I think that’s a very important point for fintechs to know when they’re sort of calibrating the risk and deciding whether ways forward.
Konata Lake (05:45): And what about our friends to the south in terms of differences between the US and Canada that participants in the sector should be aware of?
Molly Reynolds (05:54): Well, I think it’s very important, whether you start in Canada and then move into the US or vice versa. Knowing that while the regimes are largely compatible and you can create a harmonized compliance process for your privacy program, they are not the same. And so it’s very important to do something ahead of time, understand all the federal, state and provincial privacy laws that apply and find out what those differences are. Once we really understand the landscape of what we’re dealing with, including where you might want to go in growth plans in the near future, we can create North American privacy policies, internal compliance programs that meet all of those requirements. They are rarely in conflict, the risk is really just that sometimes we focus too much on one country and risk being offside, accidentally, of the other country’s demands.
Konata Lake (06:49): Perhaps talk a bit about what we see of privacy rules and regulations, and regulation of AI in general that participants in the fintech sector should be aware of.
Molly Reynolds (06:59): Yeah, so up until now we’ve had really indirect AI regulation. There may be privacy laws that are linked to personal data in that context, for example there may be competition regulations. However, in June 2022, the federal government introduced the AI and Data Act, and it is the first technology-specific AI regulation in Canada. It has not passed yet, but if it is finalised, there will be some significant requirements relating to the legislation. The biggest from a data perspective is that data used in AI technology must be anonymised. It cannot be partially de-identified, it cannot be personal information. It must actually meet the requirement to be anonymised. In addition to that, any company developing, designing or deploying an AI technology will need to conduct a risk and impact assessment and identify and publish risk mitigation measures that they have taken in response to this assessment.
Konata Lake (08:04): Definitely seems like a theme here for attendees in the room. Understand the regulation because, you know, there’s an increased kind of compliance obligation and potential compliance costs. And certainly something for the participants to be aware of and to watch.
Molly Reynolds (08:18): Absolutely.
