Thank you, Mr. Chair.
I’d like to thank the members of the committee for the opportunity to appear before you today as part of your statutory review of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, or PCMLTFA.
We, of course, support Canada's efforts to combat money laundering and terrorist financing. However, the manner in which these efforts are undertaken must strike an appropriate balance between the need to combat such activities and respecting privacy rights of Canadians.
The most apparent privacy implication with this regime is that it casts a wide net capturing a great deal of information about law-abiding Canadians conducting financial transactions, with a view to uncovering threats to national security or incidents of money laundering.
In our previous parliamentary briefs on Bill C-51 and Bill C-59, we signalled concerns around information collection and sharing regimes in the context of national security.
Specifically, we have highlighted the need for rigorous legal standards around the collection and sharing of personal information, effective oversight, and minimization of risks to the privacy of law-abiding Canadians, in part through prudent retention and destruction practices.
As you are aware, subsection 72(2) of the PCMLTFA provides my office with a mandate to conduct biennial reviews of how FINTRAC protects information it receives or collects under this act. We can also conduct reviews under section 37 of the Privacy Act.
All of our audits have identified issues with FINTRAC receiving and retaining reports that do not meet legislative thresholds for reporting.
In 2014, the PCMLTFA was amended by Bill C-31 to add subsection 54(2), which requires that FINTRAC destroy information in its holdings that was not required to be reported.
Although FINTRAC has implemented measures to validate incoming reports, a significant improvement, we continue to identify information in FINTRAC databases that did not meet thresholds and should not have been retained.
Also, we have generally found FINTRAC to have a comprehensive approach to security, including controls to safeguard personal information. Our most recent audit did identify governance issues between FINTRAC and Shared Services Canada, which FINTRAC has committed to addressing.
Beyond these issues, which we are mandated to review under the PCMLTFA, our principal concern, based on our experience reviewing FINTRAC over the past 10 years, relates to the lack of proportionality of the regime. Disclosures to law enforcement and other investigative agencies made in a given fiscal year represent a very small number when compared with the information received during that same time frame. For every 10,000 reports received, one disclosure is made.
Information received is also retained for long periods. FINTRAC's retention of undisclosed reports increased from five to 10 years in 2007.
Even if one accepts that sharing financial transaction data related to law-abiding citizens may lead to the identification of threats of money laundering or terrorist financing activities, once that information is analyzed and leads to the conclusion that someone is not a threat, it should no longer be retained.
More broadly, we have noted a trend to broaden the regime over the years, and we note the Department of Finance Canada's vision of moving towards a holistic information collection scheme, which would create an environment supporting increased analytics and information sharing. We have already seen discussion about lowering existing thresholds for reporting, which could be done through regulations without parliamentary approval. In the consultation paper, the Department of Finance Canada also suggests increasing the number of reporting agencies and establishing a new model for engagement of the private sector.
While I appreciate that a holistic approach to the collection and sharing of information might be useful to identify threats, what is proposed, unless appropriate privacy safeguards are adopted, would further exacerbate our concerns with proportionality.
Instead, I would suggest that a risk-based approach be adopted in order to minimize the risk of over-collecting and retaining the financial and personal information of law-abiding citizens. Under such an approach, FINTRAC, based on a thorough risk-based analysis of its data, would develop criteria to limit collection, sharing, and retention to only situations likely to represent potential manifestations of terrorist financing or money laundering.
We realize this may be challenging, but as privacy experts, we at the OPC believe we can play a role in the assessment of these factors, which leads me to this: currently our review mandate, under the PCMLTFA and the Privacy Act, is limited to ensuring that these statutes and regulations, as enacted, including monetary thresholds for collection, are respected.
We think a more useful contribution would be to provide advice, after review, on amendments that could be made, to either the statutes or the regulations or the practices of FINTRAC, to ensure greater proportionality, including the assessment of risk factors that might govern information collection, sharing, and retention.
The government is recommending that the PCMLTFA be amended to provide that the reviews we currently undertake every two years under section 72 now occur every four years. We agree in part, but we would recommend a change of purpose for these reviews.
First, we would recommend that the purpose of our reviews under the act be modified to include advice or recommendations on proportionality, as just mentioned.
Second, they would begin at least one year before every anticipated five-year review that Parliament must undertake. The OPC would continue to conduct compliance reviews under section 37 of the Privacy Act, which would not need to be amended.
As it relates to proportionality, the committee may wish to consider part 4 of Bill C-59, currently before Parliament, concerning CSIS datasets and their retention, which might be instructive.
Under that model, CSIS must clean data promptly—that is, within 90 days—and can retain Canadian datasets only if the Federal Court is satisfied that doing so is likely to assist in the performance of CSIS's mandate, including the detection of threats to the national security of Canada.
In addition, with respect to any contemplated changes to reduce existing thresholds through regulations, which would also affect proportionality, I would reiterate my recommendation in the context of Privacy Act reform, that government institutions should be legally required to consult with my office on draft legislation and regulations with privacy implications before they are tabled.
My written statement now goes into questions of oversight. Do I have time?