Issue Sheets on Bill C-69

Appearance before the Standing Senate Committee on Banking, Commerce and the Economy (BANC)

---

Safe-harbour regimes in other jurisdictions

Speaking points

• Bill C-69 would facilitate voluntary information sharing between certain private sector entities (such as banks) for anti-money laundering, terrorist financing, or sanctions evasions purposes. It would also extend criminal and civil immunity (or “safe harbour”) to entities that engage in such information sharing in good faith.
• Many jurisdictions, (such as the US, UK, Estonia, and Singapore) have “private-to-private” information sharing and a safe harbour.
• Jurisdictions with particularly well-developed laws tend to include a range of privacy-protective measures including:
  • accountability measures (such as recordkeeping requirements, comprehensive risk assessments, and thresholds of information-sharing); and,
  • oversight (such as audits and supervision by financial and privacy regulators).

Background

• Examples of accountability measures in laws from other jurisdictions:
  • recordkeeping: Estonia’s Money Laundering and Terrorist Financing Prevention Act has a 5-year recordkeeping requirement for mandatory and voluntary information sharing;
  • risk assessments: Singapore’s Financial Services and Markets Act 2022 requires the regulator to set out “high-risk indicators” for regulated parties; and,
  • thresholds for information-sharing: the UK’s Proceeds of Crime Act 2002 requires suspicion of money laundering for private-to-private information sharing to be authorized.
• Examples of oversight features of laws from other jurisdictions:
  • audits: Estonia’s financial regulator can request information from regulated parties;
  • supervision: under the UK’s law, the financial regulator can operate as an intermediary for private-to-private information sharing. By contrast, the US Code of Federal Regulations, makes notifying the regulator a condition of participating in private-to-private information sharing.

Lead: LEGAL

---

FINTRAC disclosures to Civil Asset Forfeiture Offices

Speaking points

• Bill C-69 would expand FINTRAC’s mandatory disclosure requirements to include agencies or bodies that administer provincial civil asset forfeiture legislation.
• As noted in our submission to Finance Canada, information sharing by FINTRAC with other public bodies is done without the knowledge of the individual to whom the information relates.
• This makes effective regulatory oversight by entities such as the OPC critical.

Background

• Subsection 55(1) of the PCMLTFA contains a prohibition on disclosure of certain information. Subsection 55(3) lists exceptions. FINTRAC must disclose information to listed entities where it has reasonable grounds to suspect the information would be relevant to investigating or prosecuting a money laundering or a terrorist activity financing offence, when certain additional context-specific conditions are met.
• Clause 342 of Bill C-69 would add provincial civil asset forfeiture bodies or agencies to the list of FINTRAC’s mandatory disclosures under s. 55(3), where FINTRAC has reasonable grounds to suspect that disclosure would be relevant to proceedings under provincial civil asset forfeiture legislation.
• Provincial civil asset forfeiture legislation provides for a range of proceedings. Illustrative examples include forfeiture of property as proceeds of an “unlawful activity” under British Columbia’s Civil Forfeiture Act (s. 5), and a property restraint order under Alberta’s Civil Forfeiture Act (s. 5).
• OPC’s August 10, 2023, submission to Finance Canada noted that complaint-based oversight is not well-suited to addressing low visibility FINTRAC disclosures. As such, the submission suggested that “any expansion of information-sharing between FINTRAC and other federal public sector departments and organizations will necessitate regular, robust, and comprehensive review…”

Lead: LEGAL

---

FINTRAC disclosures to the Department of Citizenship and Immigration (CIC)

Speaking points

• Bill C-69 would expand FINTRAC’s mandatory disclosure requirements to include the CIC.
• As noted in my Office’s August 2023 submission to Finance Canada, information sharing between FINTRAC and other public bodies is done without the knowledge of the individual to whom the information relates. This makes effective regulatory oversight by entities such as the OPC critical.
• Given that complaint-based oversight is not well-suited to addressing low visibility FINTRAC disclosures, the submission suggested that “any expansion of information-sharing between FINTRAC and other federal public sector departments and organizations will necessitate regular, robust, and comprehensive review.”

Background

• Subsection 55(1) of the PCMLTFA contains a prohibition on disclosure of certain information. Subsections 55(3) and 55.1 list exceptions to this prohibition. FINTRAC must disclose information to listed entities where it has reasonable grounds to suspect that the information would be relevant to (1) investigating or prosecuting a money laundering or a terrorist activity financing offence, when certain additional context-specific conditions are present (ss.55(3)) or (2) threats to the security of Canada (s.55.1).
• Clauses 342 and 343 of Bill 69 would add the Department of Citizenship and Immigration to the list of FINTRAC’s mandatory disclosures under both ss.55(3) and s.55.1, where FINTRAC determines the information to be relevant to making certain decisions under the Citizenship Act.

Lead: LEGAL

---

OPC oversight

Speaking points

• As the federal privacy regulator in the public and private sectors, my office conducts audits, investigates complaints, and reviews breach notices. Every two years, we also review how FINTRAC protects the information it receives or collects under the PCMLTFA.
• My office often becomes aware of privacy issues through the complaints, audits, and breach notices we receive. This model is ill-suited to disclosures under the PCMLTFA, which typically occur without the knowledge of the individual.
• Bill C-69 allows for the possibility of an additional oversight role for my office related to codes of practice for private-to-private information sharing, which could be defined in regulations. Likewise, codes of practice would not be automatically required, unless regulations were made to that effect. For greater clarity and certainty, I would recommend that the requirement for codes – and the OPC’s role in relation to them – be defined in legislation.

Background

• OPC investigates Privacy Act and PIPEDA complaints it receives or initiates (s. 29, PA; s. 12, PIPEDA) and has audit powers under both laws, (s. 37, PA; s. 18 PIPEDA). OPC is required by s. 72(2) of the PCMLTFA to do a biennial review of “the measures taken by [FINTRAC] to protect information it receives.” OPC receives breach notices under TBS’s Policy on Privacy Protection, and s. 10.1 of PIPEDA.
• FINTRAC’s activities also fall under the National Security and Intelligence Review Agency, whose mandate includes reviewing activities carried out by government departments related to national security or intelligence.
• Bill C-69 would amend the PCMLTFA regulation-making authority (s. 73) to authorize regulations respecting the proposed private-to-private information sharing authority, including the OPC’s and FINTRAC’s roles in relation to codes of practice for regulated parties. This oversight role appears to be triggered only if regulatory requirements concerning codes are promulgated under s. 73.

Lead: LEGAL

---

Sections 7(1)(b.01), 7(2)(d), and 7(3)(d.21)) of PIPEDA

Speaking points

• I support the purpose of the corresponding amendments to PIPEDA to allow for expanded information sharing under the PCMLTFA.
• Sections 7(1) - (3) of PIPEDA outline circumstances in which an organization may collect, use or disclose personal information without the knowledge or consent of the individual, so this would be adding to the current lists provided for in the Act.
• Sections 7(3)(d.1) and (d.2) of PIPEDA allow for disclosures without knowledge and consent for the purposes of investigating a breach of an agreement or contravention of the laws of Canada and detecting or suppressing fraud.
• These exceptions in PIPEDA could include, but are not specific to, anti-money laundering/anti-terrorist financing.

Background

• Clause 341 of Bill C-69 adds a new section 11.01(1) to the PCMLTFA allowing reporting entities to disclose, collect and use personal information under a safe harbour protection without the knowledge or consent of the individual if:
  • The disclosure, collection, and use is done in the course of their activities;
  • The disclosure is reasonable for the purposes of detecting or deterring money laundering/terrorist financing/sanctions evasion;
  • Dislosing with knowledge or consent would risk compromising the ability to detect or deter money laundering/terrorist financing/sanctions evasion; and,
  • The disclosure is made in accordance with regulations.
• Clause 347 amends 7(3) of PIPEDA (disclosure without knowledge and consent) to add a new paragraph (d.21) permitting disclosures without knowledge/consent if done under section 11.01 of the PCMLTFA.
• Additionally, ss. 7(1)(b.01) would be added and 7(2)(d) of PIPEDA would be amended to permit the related collection and use of this information.
• Collections, uses and disclosures without knowledge or consent under PIPEDA do not include an immunity provision, or safe harbour, as is provided for in Bill C-69.

Lead: PRPA

---

OPC consultation

Speaking points

• My Office has participated in numerous consultation meetings with the Departments of Finance, Innovation, Science and Economic Development and FINTRAC on potential measures for increased private to private information sharing.
• I indicated in those meetings that I would not be opposed to legislation allowing for expanded sharing of information without consent, provided that it was done under a rigorous and privacy protective framework and that there was meaningful involvement of the OPC.
• While the measures in Bill C-69 generally reflect the proposals we had previously been presented by Government officials, some details regarding the implementation of the private-to-private information sharing remain unclear as they are to be established by regulation.

Background

• In October 24, 2023, the OPC met with ISED and Finance Canada who indicated that they were contemplating legislative amendments for mandatory codes of practice to allow participating organizations to share certain information without consent between each other under and be provided with a “safe harbour” from criminal and civil liability.
• (redacted)
• (redacted)

Lead: PRPA

---

Canada Financial Crimes Agency

Speaking points

• My office was consulted by Public Safety Canada’s Financial Crimes Coordination Centre in February 2020 on the development of a model for the Canada Financial Crimes Agency and provided preliminary advice and recommendations.
• Given the sharing of personal information is central to this initiative, it must be done with careful consideration of privacy.
  • We stressed the importance of Information Sharing Agreements in managing complex inter-departmental sharing relationships and handling information in a privacy-protective manner.
  • We also emphasized the need for clear legal authority to share, on the part of the disclosing institution, and to receive, on the part of the receiving institution.

Background

• The Government Advisory Directorate was consulted by Public Safety on the “Action, Coordination and Enforcement Initiative”, which included discussion of an entity to increase cooperation and information sharing on money laundering and financial crimes across intelligence and law enforcement agencies.
• We were consulted again in July 2021 when the Financial Crimes Coordination Centre evolved out of the Action, Coordination and Enforcement initiative.
• We have not received a Privacy Impact Assessment for the proposed Canada Financial Crimes Centre but would expect to consult further on its development and to receive a PIA on planned programs and activities of the Centre, including Informaion Sharing Agreements.
• Budget 2024 proposed to provide $1.7 million over two years, starting in 2024-25, to the Department of Finance to finalize the design and legal framework for the Canadian Financial Crimes Agency.

Lead: GA

---

OPC submission to Finance Canada on anti-money laundering

Speaking points

• In June 2023, Finance Canada published a paper entitled “Consultation on Strengthening Canada’s Anti-Money Laundering and Anti-Terrorist Financing Regime” proposing improvements to Canada’s anti-money laundering regime in advance of the 5-year legislative review of the PCMLTFA.
  • The Paper identified privacy protection as a foundational aspect of Canada’s anti money laundering and terrorist financing regime.
• Our response emphasized the privacy concerns associated with, among other things, expanded information sharing among both private sector organizations and between federal agencies.
• We also noted potential privacy issues inherent in broadening the scope of Canada’s anti money laundering and terrorist financing regime.
  • We recommended this be carefully circumscribed by necessity and proportionality, supplemented by robust oversight mechanisms, including regular audits.

Background

• Additional recommendations we made in our submission to the consultation:
  • That FINTRAC consider a model for public-to-public and public-to-private information sharing that is as privacy-sensitive as possible;
  • That the use of new investigative powers should be carefully tailored to the specific investigative context for which they are intended;
  • That FINTRAC address over-reporting by increasing two-way communication with reporting entities to provide clearer direction and assistance with reporting obligations;
  • That the government take a cautious approach before expanding FINTRAC’s ability to collect and use publicly available personal information, particularly when this information raises a reasonable expectation of privacy.

Lead: PRPA

---

Financial Action Task Force 2021 evaluation of Canada

Speaking points

• The FATF is an international body that develops and promotes policies to protect the global financial system against money laundering and terrorist financing.
• Compliance with its recommendations can ensure that Canada addresses emerging risks.
• It is my understanding that in the 2021 FATF review of Canada, the FATF found that Canada has a strong anti-money laundering framework and had made progress in addressing most of the technical compliance deficiencies identified in the FATF 2016 Mutual Evaluation Report.
• I am pleased to see that the FATF has recognized the important role that can be played by data protection authorities in information sharing regimes, and have noted that our involvement can be critical and beneficial to their success.

Background

• The 2016 FATF report for Canada found that Canada had a “strong framework”, and was “largely complaint” in meeting the majority of the FATF’s 40 recommendations, but cited priority actions to address including:
  • adding the legal profession to the AML framework;
  • timely access to beneficial ownership information;
  • authorize FINTRAC to request information from reporting entities;
  • better pursue AML offences before courts; and
  • include Politically Exposed Persons.
• A follow-up report was issued in 2021 that found that Canada had largely made progress in addressing these deficiencies.
• The FATF has discussed the key role to be played by data protection authorities in documents such as its 2022 publication Partnering in the Fight Against Financial Crime: Data Protection, Technology and Private Sector Information Sharing.

Lead: PRPA

---

Cullen Commission final report

Speaking points

• In May 2019, the BC Government established the Commission of Inquiry into Money Laundering in British Columbia (the Cullen Commission), which concluded that federal anti-money laundering measures are not effective in that province.
• The Commission’s June 2022 final report set out a wide range of recommendations for BC. The Department of Finance subsequently took up some of these proposals in its own 2023 consultation on strengthening the Canada’s AML/ATF regime.
• In our submission to the Department of Finance, we signalled a number of privacy considerations related to these proposals and emphasized the need for suitable oversight and accountability.

Background

• The Cullen Commission’s June 2022 final report found that, despite increasingly complex legislation to address money-laundering activity, the federal AML/ATF regime is “not effective” in BC, where it has led to high-volume, low-value reporting that yields only modest intelligence for law enforcement.
• A number of the Commission’s findings and recommendations figured in Finance’s 2023 consultation, including enhanced private-to-private information-sharing (recommendation #48), establishing a federal database of politically exposed persons (endorsed on p.107), and broadening the scope and obligations of the AML/ATF regime (e.g., recommendation #70 on unregulated accountants).
• The BC Civil Liberties Association (BCCLA) was highly critical of the report, arguing that the sweeping changes and “invasive measures” it proposed as part of a “tough-on-crime approach” threaten the human rights and civil liberties of people across the province.
• The BCCLA also maintained that many of the report’s proposals to increase information collection and sharing would unnecessarily undermine privacy rights. For example, it argued that the Commission’s recommended adoption of safe-harbour provisions in PIPEDA would unduly erode privacy protections by encouraging further information-sharing and providing blanket protections against liability (recommendation #48).

Lead: PRPA

---

Open banking

Speaking points

• Division 16 of Part 4 of Bill C-69 would enact the Consumer-Driven Banking Act, enabling open banking in Canada. This would allow consumers and small businesses to securely transfer their financial data between institutions.
• I understand that many elements related to how open banking will operate and be implemented, including rules concerning privacy and security, are expected in additional legislation this Fall.
• I was pleased to see in the Consumer-Driven Banking Framework released in advance of the Budget this past April that express consent will be required to access and share data.
• I also note, and support, the Framework’s characterization of financial data as “highly sensitive”, requiring baseline security requirements to ensure the protection of consumer information.

Background

• This first legislative phase sets out the broad strokes of open banking in Canada but leaves many important details for the second phase. Among these will be common rules, which will include rules concerning privacy and security.
• The Minister of Finance has a key role with regards to the development and oversight of the open banking framework, including designating a technical standards body responsible for establishing technical standards to govern data sharing, and establishing regulations on matters such as eligible types of data, eligible categories of products and services and principles relevant to the designation of the technical standards body.
• Day-to-day oversight of the regime will be undertaken by the Financial Consumer Agency of Canada, specifically by a new Senior Deputy Commissioner for Consumer-Driven Banking who will be appointed by the Commissioner with the agreement of the Minister.
• A Consumer-Driven Banking Framework published in April indicates that open banking will require express consent, and that additional privacy rules will be developed to address issues such as security safeguards and authentication.

Lead: PRPA

---

FINTRAC audits

Speaking points

• Section 72(2) of the PCMLTFA requires me to review, every two years, the measures taken by FINTRAC to protect the information it receives or collects. The Act also requires that the reports for these reviews be submitted to Parliament within three months after they are completed.
• My Office has conducted reviews of FINTRAC’s measures to protect personal information since the requirement came into force in 2007.
• FINTRAC has resolved several issues identified in past reviews. However, two significant areas of concern persist: FINTRAC’s over-collection of personal information from reporting entities and its retention of information.
• The latest review is ongoing. Therefore, I cannot comment on the conclusions, but I can say that I am pleased with the level of cooperation FINTRAC has shown my Office during the process.

Background

• (redacted)
• FINTRAC has responded fully to our requests for information, and has facilitated access to documents (redacted). Overall, the engagement has been positive and they have been cooperative.
• My officials also engaged Shared Services Canada (SSC) to facilitate our assessment of how FINTRAC safeguards the personal information on its networks, given that SSC houses FINTRAC’s information technology infrastructure.
• (redacted)

Lead: COMPLIANCE

---

FINTRAC data breach

Speaking points

• On March 5, 2024, FINTRAC reported a breach of its data environments to my Office. They indicated it was caused by a “cyber-incident.”
• As my Office’s review of the incident is ongoing, I am unable to provide further details.
• We remain closely engaged with FINTRAC to assess the severity of the incident and their proposed mitigation measures.
• FINTRAC’s engagement with my Office regarding the breach has been extremely positive. FINTRAC has been proactively sharing information since the breach to assist my Office in its assessment.

Background

• (redacted)

Lead: COMPLIANCE

---