OPC Submission on proposed amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations

January 15th, 2025

Erin Hunt
Director General
Financial Crimes and Security Division, Financial Sector Policy Branch
Department of Finance Canada
90 Elgin Street
Ottawa, Ontario  K1A 0G5
email: fcs-scf@fin.gc.ca

Dear Erin Hunt,

Subject: OPC Submission on proposed amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations

1. The Office of the Privacy Commissioner of Canada (OPC) would like to thank Finance Canada for the opportunity to provide comments on proposed amendments to the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations (the proposed Amendments), as published in the Canada Gazette on November 30, 2024.^{Footnote 1}
2. The OPC oversees compliance with both the Privacy Act, which covers the personal information handling practices of federal government institutions, and the Personal Information Protection and Electronic Documents Act (PIPEDA), which is Canada’s federal private-sector privacy law.
3. The OPC supports the information sharing measures proposed in the November 30, 2024, Canada Gazette publication to the extent that they will help to facilitate the effective exchange of information to address the crucial public interest of combatting money laundering and terrorist financing.
4. Legislative measures underpinning this initiative were introduced in Bill C-69, the Budget Implementation Act, 2024, No. 1. In May 2024, Privacy Commissioner Philippe Dufresne appeared before the Senate Standing Committee on Banking, Commerce and the Economy on Bill C-69, during which he highlighted the importance of consulting with the OPC in the development of the associated Regulations and recommended that the Regulations include a strong and visible approval role for the OPC with respect to the development of codes of practice.^{Footnote 2}
5. As such, we would like to extend our appreciation to the Department of Finance Canada for consulting with the OPC on the development of the proposed amendments regarding information sharing under a code of practice and for including an approval role for the OPC. Our submission will focus on this particular initiative in the proposed Amendments.

Information Sharing

6. When privacy impactful measures are put in place in the public interest, there must be accompanying measures to ensure that privacy is protected. To ensure the effective operation of Canada’s anti-money laundering and anti-terrorist financing (AML/ATF) regime, while protecting the right to privacy, we would like to make the following recommendations:
   1. Scope of Complaints: Section 160 provides that any person or entity who believes that a person or entity has not complied with an approved code of practice in the disclosure, collection or use of personal information may file a complaint with the Commissioner under Division 2 of Part 1 of PIPEDA. In contrast, complaints under Division 2 of Part 1 of PIPEDA may be filed with the Commissioner for a broader range of alleged contraventions, including any provision of Division 1 or 1.1 or any recommendation set out in Schedule 1 of PIPEDA. These include, for example, complaints related to breach and safeguarding requirements and retention of personal information.
      
      As we understand that the policy intent for the complaints process for this initiative is to address all complaints under Division 2 of Part 1 of PIPEDA, we recommend that section 160 be amended for clarity as follows:
      
      
      160. Any person or entity who believes that a person or entity referred to in section 5 of the Act has not complied with an approved code of practice in the disclosure, collection or use of personal information may file a complaint with the Commissioner under Division 2 of Part 1 of the Personal Information Protection and Electronic Documents Act.
   2. Timelines for Commissioner Approval: The proposed Amendments would allow the Commissioner 90 days to review a code of practice, with the ability to extend that period up to an additional 15 days. In consultation with other data protection and privacy authorities (DPAs), we have learned that it can take a DPA up to a year to review and approve a code of practice. As such, we recommend that subsections 163(1) - (2) be amended to provide the Commissioner with the possibility of extending the review period to up to 135 working days.
   3. Code Requirements: To mitigate the risk of the overcollection of personal information under a code of practice, we recommend that paragraph 161(b) be amended to be explicitly limited to information that is required to be collected under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act and its Regulations.
      
      Additionally, we recommend that paragraph 161(b) be amended by removing “types of personal information” and replacing it with “personal information to be exchanged.” Per paragraph 161(f) of the proposed amendments, the OPC will need to assess whether a code of practice provides for substantially the same or greater protection of personal information as that provided under PIPEDA. PIPEDA requires organizations to limit the collection of personal information to that which is necessary for purposes identified by the organization (Schedule 1, Principle 4) and to limit the use and disclosure of personal information to the purposes for which it was collected, except in certain circumstances (Schedule 1, Principle 5). Knowing the specific personal information to be exchanged would allow the OPC to assess whether the information listed in paragraph 161(b) is limited to that which is necessary for the purposes described in paragraph 161(c).
      
      Furthermore, subsection 5(3) of PIPEDA allows an organization to collect, use or disclose personal information only for purposes that a reasonable person would consider appropriate in the circumstances. The evaluation of subsection 5(3) requires an examination of whether the purposes are appropriate “in the circumstances”. As such, the analysis must be conducted “in a contextual manner” and look at the particular facts surrounding the collection, use and disclosure, “all of which suggests flexibility and variability in accordance with the circumstances”.^{Footnote 3}
   4. Transparency: Transparency is a key principle in privacy law, as it helps individuals exercise control over their personal information. The OPC appreciates that, as we understand, obligations in PIPEDA would continue to apply to entities participating in information sharing under a code of practices, including the Openness principle.
      
      We understand that there is a policy rationale for information sharing under a code of practice to take place without an individual’s knowledge and consent, given the information sharing is meant to combat money laundering and terrorist financing. However, as a result, individuals will not be aware if their personal information is being shared, and therefore they are unlikely to file a complaint with the OPC. Moreover, the OPC would only be able to audit entities’ information sharing practices under a code of practice as per subsection 18(1) of PIPEDA, where there are “reasonable grounds” to believe an organization has contravened PIPEDA.
      
      As such, we recommend that the proposed amendments be amended to include a transparency mechanism that would support privacy and provide a measure of reassurance to Canadians. For example, models similar to those below could be considered for entities participating in information sharing under a code of practice under the PCMLTFA:
      1. Publishing of a Privacy Impact Assessment Summary: The Treasury Board Secretariat Directive on Privacy Practices requires the publishing of a summary of a Privacy Impact Assessment (PIA) that respects security, confidentiality and legal requirements.^{Footnote 4}
      2. Public Reporting: The OPC’s guidance on sharing personal information without knowledge or consent under paragraphs 7(3)(d.1) and 7(3)(d.2) of PIPEDA for the purposes of investigating a contravention of the laws of Canada and preventing, detecting or suppressing fraud,^{Footnote 5} notes that to address transparency organizations could:
         • Consider reporting publicly on the number and types of disclosures made on an annual or semi-annual basis, using aggregate and anonymized data.
         • Consider making available a summary of their frameworks and information sharing practices.
      In the alternative, code participants should be required to submit transparency reports to the OPC and/or to the Financial Transactions and Reports Analysis Centre of Canada (FINTRAC).
   5. Provide the OPC With Greater Remedial Powers: While the OPC appreciates having a role in approving codes of practice under the proposed amendments, in order to promote more meaningful oversight, the OPC would need to be able to respond to non-compliance with codes of practice, as well as requirements under PIPEDA. Examples of such powers were proposed in Bill C-27, the Digital Charter Implementation Act, 2022, which would have provided the OPC with a range of compliance tools regarding codes of practice and certification programs, including the authority to recommend that an organization be withdrawn from a certification program and to revoke the approval of a certification program. Under Bill C-27, the Government would have also had the authority to make regulations to allow the Commissioner to reconsider a determination made for a code of practice. We recommend that similar powers be provided to the Commissioner under the proposed amendments, including, at a minimum, that the Commissioner have the authority to reconsider a determination made for a code of practice in appropriate circumstances.

Conclusion

7. We appreciate the opportunity to share our views and would be pleased to engage with your Officials on any of the issues raised in this submission.

Sincerely,