Bill C-59 (Historical)

We can do that.

However, as a practical matter, if you let Bill C-59 pursue its course—and perhaps, I would suggest, be inspired by some of what is found in part 4—and then translate it to any recommendations you would make to amend the act you are reviewing. I think that would be good.

There are two things I'm saying about Bill C-59. First, there are a number of oversight bodies overseeing FINTRAC. We, as one of the bodies, cannot legally share information that we collect in the course of our review with other review bodies. We're saying that it would be very helpful to having fully informed reviews by us and other review bodies if we were able to share our work and come up with more informed conclusions. That's one point.

The other point is the analogy with collection and retention rules by CSIS, which are in part 4 of Bill C-59. There is some analogy to FINTRAC and the PCMLTFA. Under part 4 of Bill C-59, CSIS can collect considerable information, much of which is about law-abiding citizens, as FINTRAC collects a lot of financial transaction information about law-abiding citizens. However, under part 4 of Bill C-59, there are mechanisms to ensure that the collected data is reviewed fairly promptly to determine whether it is of probative or investigative value, and that if it is not of investigative value, it must be discarded.

I think that's an interesting compromise. You have broad collection but screen it fairly promptly, leading to not unduly long retention of information regarding law-abiding citizens.

We aren't necessarily suggesting that the documents be destroyed within a short time frame. We are recommending a risk-based approach. A great deal of information is collected on a huge number of transactions, the vast majority of which relates to the financial transactions of law-abiding Canadians. That is the basis of the approach used to detect criminals or terrorists and is very similar to the procedure proposed in Bill C-51 and Bill C-59. It has merit, but the information has to be screened using numerous pieces of data to uncover threats and individuals who are security threats or criminals.

I am not calling the process into question, but it's helpful to keep some figures in mind. Over the past few years, the ratio of actionable disclosures to law enforcement or other organizations has been one for every 10,000 reports received. For every 10,000 reports received, only one disclosure is made to police, the Canada Revenue Agency, or security agencies. We found that a significant amount of information is collected but that people pose a security threat in a very small number of cases.

I'm not saying that the information should no longer be collected, but I am recommending that a risk-based approach be adopted, as the Canada Revenue Agency officials more or less suggested. A considerable amount of information can be gathered initially, but a risk-based approach—one that takes into account the usefulness of the information for forensic evidence purposes—can be applied. That could be one of the factors given consideration. However, a risk analysis should be conducted fairly early on to determine whether the information needs to be retained or not. It is possible that, for a variety of reasons, a certain number of reports would need to be retained for a long period of time. On the flip side, I think many other reports would need to be destroyed rather quickly, as proposed in Bill C-59.

Personally, I see similarities between the approach set out in Bill C-59, which proposes extensive data collection in order to identify the small number of people who pose a threat, and the collection of financial transaction information under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, in order to identify a small number of criminals who are laundering money or contributing to terrorist financing.

In terms of review and oversight of this regime, there are some review mechanisms in place and others proposed in Bill C-59, but I would argue that there are still some gaps in terms of comprehensive oversight.

While some decisions are subject to statutory or judicial review by the federal courts, which is one form of oversight, by the courts, a decision by FINTRAC to disclose information is more likely to be challenged in the context of a proceeding involving a disclosure to an investigative body such as a law enforcement agency. In many cases, however, an individual whose information is disclosed by FINTRAC might never know the disclosure took place.

Bill C-59, if passed, would create a new expert review body, the national security and intelligence review agency, with broad jurisdiction to examine the activities of all departments and agencies involved in national security, which includes FINTRAC. In addition, the new National Security and Intelligence Committee of Parliamentarians will also have a role to produce well-informed and comprehensive reviews of the work of these agencies.

However, the NSIRA will not review all of FINTRAC's activities, given the latter's mandate to identify criminality related to money laundering, and the NSIRA's national security mandate. Its national security review might also be limited given that not all of FINTRAC's disclosures are within the federal family.

The OPC is another oversight mechanism. We have an important mandated role, as already examined, and insight on the privacy aspects, including 10 years of audit experience in this area. However, as we've said in the context of Bill C-59, we currently would not have the legal authority to work with other national security review bodies, such as the NSIRA, to co-operate and provide effective oversight in this area.

To summarize, I would recommend the following: one, that the purpose of our reviews under the PCMLTFA be modified to include advice or recommendations on proportionality; two, that they begin at least one year before every anticipated five-year review that Parliament must undertake; and three, with respect to any contemplated changes to the regulations, Finance Canada should be legally required to consult with my office on draft legislation and regulations with privacy implications, before they are tabled.

Thank you very much, and I look forward to your questions.

Thank you, Mr. Chair.

I’d like to thank the members of the committee for the opportunity to appear before you today as part of your statutory review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, or PCMLTFA.

We, of course, support Canada's efforts to combat money laundering and terrorist financing. However, the manner in which these efforts are undertaken must strike an appropriate balance between the need to combat such activities and respecting privacy rights of Canadians.

The most apparent privacy implication with this regime is that it casts a wide net capturing a great deal of information about law-abiding Canadians conducting financial transactions, with a view to uncovering threats to national security or incidents of money laundering.

In our previous parliamentary briefs on Bill C-51 and Bill C-59, we signalled concerns around information collection and sharing regimes in the context of national security.

Specifically, we have highlighted the need for rigorous legal standards around the collection and sharing of personal information, effective oversight, and minimization of risks to the privacy of law-abiding Canadians, in part through prudent retention and destruction practices.

As you are aware, subsection 72(2) of the PCMLTFA provides my office with a mandate to conduct biennial reviews of how FINTRAC protects information it receives or collects under this act. We can also conduct reviews under section 37 of the Privacy Act.

All of our audits have identified issues with FINTRAC receiving and retaining reports that do not meet legislative thresholds for reporting.

In 2014, the PCMLTFA was amended by Bill C-31 to add subsection 54(2), which requires that FINTRAC destroy information in its holdings that was not required to be reported.

Although FINTRAC has implemented measures to validate incoming reports, a significant improvement, we continue to identify information in FINTRAC databases that did not meet thresholds and should not have been retained.

Also, we have generally found FINTRAC to have a comprehensive approach to security, including controls to safeguard personal information. Our most recent audit did identify governance issues between FINTRAC and Shared Services Canada, which FINTRAC has committed to addressing.

Beyond these issues, which we are mandated to review under the PCMLTFA, our principal concern, based on our experience reviewing FINTRAC over the past 10 years, relates to the lack of proportionality of the regime. Disclosures to law enforcement and other investigative agencies made in a given fiscal year represent a very small number when compared with the information received during that same time frame. For every 10,000 reports received, one disclosure is made.

Information received is also retained for long periods. FINTRAC's retention of undisclosed reports increased from five to 10 years in 2007.

Even if one accepts that sharing financial transaction data related to law-abiding citizens may lead to the identification of threats of money laundering or terrorist financing activities, once that information is analyzed and leads to the conclusion that someone is not a threat, it should no longer be retained.

More broadly, we have noted a trend to broaden the regime over the years, and we note the Department of Finance Canada's vision of moving towards a holistic information collection scheme, which would create an environment supporting increased analytics and information sharing. We have already seen discussion about lowering existing thresholds for reporting, which could be done through regulations without parliamentary approval. In the consultation paper, the Department of Finance Canada also suggests increasing the number of reporting agencies and establishing a new model for engagement of the private sector.

While I appreciate that a holistic approach to the collection and sharing of information might be useful to identify threats, what is proposed, unless appropriate privacy safeguards are adopted, would further exacerbate our concerns with proportionality.

Instead, I would suggest that a risk-based approach be adopted in order to minimize the risk of over-collecting and retaining the financial and personal information of law-abiding citizens. Under such an approach, FINTRAC, based on a thorough risk-based analysis of its data, would develop criteria to limit collection, sharing, and retention to only situations likely to represent potential manifestations of terrorist financing or money laundering.

We realize this may be challenging, but as privacy experts, we at the OPC believe we can play a role in the assessment of these factors, which leads me to this: currently our review mandate, under the PCMLTFA and the Privacy Act, is limited to ensuring that these statutes and regulations, as enacted, including monetary thresholds for collection, are respected.

We think a more useful contribution would be to provide advice, after review, on amendments that could be made, to either the statutes or the regulations or the practices of FINTRAC, to ensure greater proportionality, including the assessment of risk factors that might govern information collection, sharing, and retention.

The government is recommending that the PCMLTFA be amended to provide that the reviews we currently undertake every two years under section 72 now occur every four years. We agree in part, but we would recommend a change of purpose for these reviews.

First, we would recommend that the purpose of our reviews under the act be modified to include advice or recommendations on proportionality, as just mentioned.

Second, they would begin at least one year before every anticipated five-year review that Parliament must undertake. The OPC would continue to conduct compliance reviews under section 37 of the Privacy Act, which would not need to be amended. As it relates to proportionality, the committee may wish to consider part 4 of Bill C-59, currently before Parliament, concerning CSIS datasets and their retention, which might be instructive.

Under that model, CSIS must clean data promptly—that is, within 90 days—and can retain Canadian datasets only if the Federal Court is satisfied that doing so is likely to assist in the performance of CSIS's mandate, including the detection of threats to the national security of Canada. In addition, with respect to any contemplated changes to reduce existing thresholds through regulations, which would also affect proportionality, I would reiterate my recommendation in the context of Privacy Act reform, that government institutions should be legally required to consult with my office on draft legislation and regulations with privacy implications before they are tabled.

My written statement now goes into questions of oversight. Do I have time?

The Office of the Privacy Commissioner looks at FINTRAC every two years. That's one.

The big issue for the Privacy Commissioner is whether the information FINTRAC is collecting is relevant. There is commentary on that.

I would look to the new national security intelligence committee of parliamentarians proposed in C-59, the integrated review body. It will get more into efficacy reviews on the impact of that kind of sharing. That's probably something more downstream.