Technology security concept. Modern safety digital background. Protection system
vska/123RF

The securities industry says proposed guidance on data protection would place needless burden on investment firms without enhancing investor protection.

In a submission to the federal Office of the Privacy Commissioner of Canada (OPC), the Investment Industry Association of Canada (IIAC) argued that proposed requirements for disclosure and client consent for firms when transferring client data for processing, which were published in the spring for consultation, are inconsistent with existing provincial regulatory regimes and the approach in other jurisdictions, such as Europe.

It also said investment firms already appropriately safeguard client data.

“Given that firms are accountable for the use of client information, requiring additional consents does not advance the objective of protection of client data or give clients additional options for data handling,” the IIAC submission said. “Where clients provide additional express consent, it may, in fact, shift some of the responsibility to clients, which could erode the concept of accountability for data that is currently at the heart of our privacy regime.”

The group also warned that excessive demands for client consent could lead to clients ignoring these requests, or to exposing them to cyber criminals that “use the proliferation of consent requests to plant malware and perpetrate cyber-crime.”

“Ultimately, ongoing disclosure and consent is unnecessary, as in the course of using third party processors, firms have obligations under PIPEDA and financial regulations to ensure client data is subject to appropriate data protection. The principle of accountability is much more effective in ensuring clients’ data is protected than obtaining consent,” the submission said.

The IIAC also noted that data protection involves balancing the inherent risks of processing client data with the benefits of enabling firms to provide services at a reasonable cost.

“We believe the proposals do not strike an appropriate balance, with the consent provisions not affording additional investor protection, while imposing a significant burden on firms and clients,” it said.

“The proposals represent an adverse material change, not only to how firms deal with transborder data flows, but with any information processing that is not carried out in-house,” the submission added.