Consumer Privacy Implications of Bill C-22: Proceeds of Crime (Money Laundering) Act
Report to the Office of Consumer Affairs, Industry Canada
Public Interest Advocacy Centre
#1204 – 1 Nicholas St.
Ottawa, Ontario K1N 7B7
TABLE OF CONTENTS
I. INTRODUCTION II. PURPOSE, CONTEXT AND HISTORY OF BILL C-22
Objective of the Bill
The Problem of Money Laundering
Existing Anti-Money Laundering Legislation in Canada
The International Context of Bill C-22
III. STRUCTURE AND KEY PROVISIONS OF BILL C-22 IV. IMPACT OF BILL C-22 ON CONSUMER PRIVACY
General Criticisms of Bill C-22
Privacy Protective Features of Bill C-22
Specific Privacy Concerns:
Collection of Personal Information by FTRAC
Disclosure of Personal Information by FTRAC
Accuracy, Access and Transparency
V. RELATIONSHIP OF BILL C-22 WITH BILL C-6 VI. CONCLUSION 14
The following report examines the proposed federal legislation to combat money laundering, Bill C-22: Proceeds of Crime (Money Laundering) Act, from a consumer privacy perspective. It reviews the objectives of the Act, its structure, obligations, and mode of operation, and its effect on consumer privacy, with reference to another proposed federal Bill: the Protection of Personal Information and Electronic Documents Act (Bill C-6).
II. PURPOSE, CONTEXT AND HISTORY OF BILL C-22
Objective of the Bill
The broad purpose of Bill C-22 is to better prevent and detect money laundering. More specifically, the objects of Bill C-22 are, as stated as follows in s.3 of the Act,
(a) to implement specific measures to detect and deter money laundering and to facilitate the investigation and prosecution of money laundering offences, including:
(i) establishing record keeping and client identification requirements for financial services providers and other persons that engage in businesses, professions or activities that are susceptible to being used for money laundering,
(ii) requiring the reporting of suspicious financial transactions and of cross-border movements of currency and monetary instruments, and
(iii) establishing an agency that is responsible for dealing with reported and other information;
(b) to respond to the threat posed by organized crime by providing law enforcement officials with the information they need to deprive criminals of the proceeds of their criminal activities, while ensuring that appropriate safeguards are put in place to protect the privacy of persons with respect to personal information about themselves; and
(c) to assist in fulfilling Canada’s international commitments to participate in the fight against transnational crime, particularly money laundering.
The Problem of Money Laundering
Money laundering is “the process by which ‘dirty money’ generated by criminal activities is converted into assets that cannot be easily traced back to their illegal origins.”(1) According to Finance Canada, a significant proportion of this money is linked to illicit drug trade, but other crimes such as burglaries and cigarette smuggling, are also involved. The magnitude of money laundering in Canada is estimated by Finance Canada at between $5 billion and $17 billion annually, although some have questioned the authenticity of these figures.(2) Internationally, it is estimated that $600 billion is ‘laundered’ for criminal purposes, producing “a host of deleterious effects”, including economic instability, organized crime, and undermining of the rule of law.(3) In any case, no one disputes that money laundering, like all crimes, needs to be deterred, detected and prosecuted where it occurs. What is disputed is whether any new legislation is needed to deal with this problem, and if so, whether Bill C-22 is the right legislation for that purpose.
Existing Anti-Money Laundering Legislation in Canada
Money laundering is already a criminal offence in Canada. Under s.462.31(1) of the Criminal Code, dealing with property or proceeds of property with the intent of concealing or converting them, while knowing or believing that all or part are derived, directly or indirectly, from the commission of certain offences, is an offence punishable by up to ten years of jail. Money laundering offences are also found in the Controlled Drugs and Substances Act, and the Corruption of Foreign Public Officials Act.
Moreover, Canada already has legislation which, like Bill C-22, is designed to detect money laundering offences – the 1991 Proceeds of Crime (Money Laundering) Act. Under the existing rules, financial institutions and others engaged in a business or profession where cash is received for payment or transfer to a third party are required to keep records of transactions in which they receive cash of $10,000 or more, and a register of “suspicious transactions”. The identity of customers must be verified in certain circumstances. Failure to comply carries a penalty of up to $500,000 and/or up to five years prison. However, there is no requirement to report suspicious transactions to authorities; such reporting is purely voluntary.
Bill C-22 is intended to create a regime under which money laundering offences can be more easily detected. It would significantly strengthen the provisions of the existing Act by:
- requiring financial institutions and others to report certain types of transactions (to be determined by regulation), as well as any transactions “in respect of which there are reasonable grounds to suspect that the transaction is related to the commission of a money laundering offence;
- establishing a centralized agency, the Financial Transactions Reporting and Analysis Centre (FTRAC) to which all such information must be reported;
- authorizing the release of information to both domestic and foreign law enforcement agencies (subject to certain restrictions);
- establishing a system of reporting large cross-border transactions.
This proposed new regime would result in significantly more reporting of personal financial transactions to government, and would make significantly more personal financial information available to government and law enforcement agencies in their efforts to detect and investigate criminal activities. It is important to note, however, that Parliament considered and rejected a system of compulsory reporting in the 1980s, after concluding that the US experience with such requirements did not appear to have produced significant improvements in detection of money laundering crimes.(4) The USA has since created a special agency, the Financial Crimes Enforcement Network (FinCEN) to review and analyze transaction reports, and provide relevant information to law enforcement agencies.(5)
The International Context of Bill C-22
The impetus for Bill C-22 is most definitely international: in 1989, the G-7 leaders set up an inter-governmental body known as the Financial Action Task Force on Money Laundering (FATF), of which 26 states, including Canada, are members. In 1990, the FATF issued forty recommendations aimed at enhancing and coordinating international efforts to counter money laundering.(6) These recommendations, revised in 1996, encouraged countries to:
- criminalize money laundering itself, and to provide for sufficiently serious penalties;
- enable competent authorities to identify, trace, freeze, seize, and confiscate criminally derived proceeds;
- ensure that financial institutions take necessary steps to ascertain, and keep records on, their clients” identities and transactions;
- require that financial institutions promptly report to competent authorities any funds suspected to stem from criminal activity;
- consider implementing measures to monitor the cross-border transportation of cash and bearer negotiable instruments, without impeding the free movement of capital;
- consider adopting a system where financial institutions and intermediaries are required to report all currency transactions above a certain amount to a central agency, whose information would be available to the appropriate authorities, subject to strict safeguards to ensure proper use of the information; and
- promote maximum inter-state cooperation by exchanging information on international cash flows and suspicious transactions, and by facilitating mutual legal assistance and extradition with respect to money laundering activities.(7)
Most European countries comply with the recommendations, as do the USA, Hong Kong, Australia, Iceland and Turkey. Canada, Austria, and Japan are among the countries that do not comply. In June 1998, the FATF noted a number of shortcomings of the Canadian anti-money laundering regime, including:
1. Canada”s inability to enforce forfeiture orders directly with respect to foreign criminal proceeds;
2. Canada’s need to establish a system for the mandatory reporting of suspicious transactions and to create a new financial intelligence unit to deal with the collection, management, analysis, and dissemination of transaction reports and other relevant data;
3. the need to provide for reporting of significant cross border transportation of cash and monetary instruments;
4. the need for greater customer identification measures, particularly in relation to corporations and beneficial owners of accounts; and
5. the need to extend record-keeping and customer identification requirements to businesses such as money remitters, cheque cashers and casinos.(8)
The FATF concluded that Canada’s voluntary reporting regime does not appear to be working effectively, and that the internal review process used since 1993 urgently needs revision, in part through the establishment of an centralized agency to handle money laundering information. Just one month earlier, in May 1998, at the G-8 summit in England, the Prime Minister committed Canada to adopting strong national arrangements to combat money laundering.
The Proceedings of Crime (Money Laundering) Regulations were revised later that year in response to points 4 and 5, but points 1-3 remained unaddressed. Bill C-22 is designed to fill that gap, by providing for mandatory reporting of suspicious financial transactions by a wide range of financial institutions and professionals; the reporting of large cross-border financial movements; and the creation of the new FTRAC.
There is thus strong international pressure on Canada to bring its legislative regime into line with the FATF recommendations. Bill C-22 is meant to meet Canada’s international commitments in the context of the G-8 and the FATF.
III. STRUCTURE AND KEY PROVISIONS OF BILL C-22
As set out in Finance Canada’s Backgrounder,(9) Bill C-22 has three main components:
1. Mandatory suspicious transactions reporting
Regulated financial institutions, casinos, currency exchange businesses, as well as other entities and individuals acting as financial intermediaries (such as lawyers and accountants) [clause 5], will be required to report any financial transactions that they have reasonable grounds to suspect are related to a money laundering offence [clause 7]. As well, these institutions and individuals will be required to report information regarding particular types of transactions (for example, very large amounts of cash in small denominations being exchanged for larger denominations) to be specified in regulations [clause 9].
The maximum penalties for failing to report suspicious financial transactions under the Bill include fines of up to $2 million and imprisonment for up to five years.
2. Reporting of large cross-border movements of currency
Individuals and entities that import, export or transport large amounts of currency or monetary instruments (such as traveller’s cheques) across the Canadian border will be required to report such activities to a Canada Customs officer. Failure to report may result in the seizure of the cash or monetary instruments being transported. However, any seized currency or monetary instruments will be returned upon payment of a monetary penalty unless Canada Customs has reason to suspect that the currency represents proceeds of crime. The measures dealing with cross-border movements also include review and appeal mechanisms in relation to all seizures and penalties paid.
3. New Financial Transactions and Reports Analysis Centre of Canada
The proposed legislation will establish an independent government body to receive and analyze reported information about the suspicious transactions and cross-border currency movements described above. This new body, to be known as the Financial Transactions and Reports Analysis Centre of Canada, will be a central repository for information about money laundering activities across Canada. The Centre will analyze and assess the reports, together with other information available to it, and provide leads to law enforcement agencies.
The Centre will operate independently from law enforcement agencies, and the disclosure of information by the Centre will be strictly controlled. The proposed legislation authorizes the Centre to provide key identifying information of suspicious transactions (e.g. name, date, account number, value of the transaction) to the appropriate police force if it has reasonable grounds to suspect that the information would be relevant to investigating or prosecuting a money laundering offence. The same identifying information may be provided to Revenue Canada, the Canadian Security Intelligence Service, and Citizenship and Immigration Canada if the information would also be relevant to, for example, a tax evasion offence or a threat to national security. For the police to have access to additional information from the Centre, they would first have to obtain a court order for disclosure and meet the standard of reasonable and probable grounds to believe that a money laundering offence has been committed.
The Centre will also have primary responsibility for monitoring the compliance of financial intermediaries with the record-keeping, know-your-client, and mandatory suspicious transactions reporting requirements of the proposed legislation.”
Clearly, important details of the reporting regime (e.g., what kind of transactions will have to be reported regardless of whether there are grounds for suspicion) remain to be settled via regulations. Indeed, the regulations under this legislation will be as significant as the statutory provisions, if not more so, from the perspective of consumer privacy.
The establishment of an arm’s length agency, subject to the Privacy Act and to limits on permitted disclosures, for the purpose of collecting, analyzing, and disclosing personal financial information with a view to detecting and preventing money laundering is certainly preferable to a regime under which entities report directly to law enforcement agencies. The privacy of personal information collected can be better protected in this manner.
However, the meaningfulness of FTRAC’s accountability to the Privacy Commissioner is diluted by weaknesses in the Privacy Act itself, legislation which has long been due for overhaul. For instance, the Privacy Commissioner has no binding powers, and individuals whose privacy rights under the Privacy Act have been violated have no statutory rights to redress.
In Part V, the Act establishes offences for contravention of various sections. Most importantly, failure to report suspicious transactions may result in a fine of up to $500,000 and/or imprisonment of up to six months.
IV. IMPACT OF BILL C-22 ON CONSUMER PRIVACY
General Criticisms of Bill C-22
Some commentators have strongly criticized Bill C-22 for the new privacy invasive powers that it would grant government. In a recent editorial for The Financial Post, Terence Corcoran wrote:
“If passed, Bill C-22 would give Ottawa fresh authority to trap the innocent, infringe on privacy, collect mountains of information on citizens and put routine money transactions under suspicion. It would also conscript lawyers, banks, accountants and others into a national subculture of informants and snitches…..
Bill C-22 proposes a new legal regime to investigate private activities of Canadians. The information collected through the national snitch network, a massive volume of stats and data on thousands of Canadians and transactions, would in fact be a giant fishing pool for government investigators, prosecutors and even tax collectors.”(10)
The Canadian Bar Association has expressed strong misgivings about the mandatory reporting of confidential information, and the “gross intrusion into a previously protected sphere” that the Bill represents.(11) Even with the exemption for information subject to solicitor-client privilege, the Bar Association notes that the Bill would require lawyers “to act in a manner inconsistent with both their professional and lawful duty of preserving solicitor-client confidentiality”, with the result that clients will turn elsewhere for legal assistance.
The Criminal Lawyers’ Association goes further, suggesting that the mandatory reporting regime proposed in an earlier version of the Bill may violate the Charter of Rights and Freedoms guarantee of reasonable search and seizure, that it threatened to “regularly and constitutionally invade the privacy of all citizens”, and that it would create “a countrywide network of spies and informers”.(12)
Privacy Protective Features of Bill C-22
In response to concerns such as those expressed above, the drafters of Bill C-22 have included a number of measures designed to limit the otherwise enormous systemic individual privacy invasions it authorizes. In particular, the Bill now:
- does not require lawyers to disclose any communication that is subject to solicitor-client privilege (s.11);
- strictly limits the use and disclosure of information collected under Part 2 (reporting of large cross-border movements of currency) (ss.36, 37);
- prohibits the disclosure of information by FTRAC that would identify an individual who prepared a report or provided information to the FTRAC, or a person or entity about whom a report or information was provided (ss.53 and 58(2));
- limits the permitted disclosure of information by FTRAC to certain kinds of information and certain circumstances (s.55, s.58(1));
- requires the police to obtain a judicial warrant in order to obtain detailed information from FTRAC regarding any particular transaction (s.60);
- limits the use of information collected from or provided to foreign agencies to “purposes relevant to investigating or prosecuting a money laundering offence or a substantially similar offence” (s.56(3));
- limits the use of information by FTRAC or other officials under s.55 to purposes of exercising powers or performing duties and functions under the Act (s.57);
- where information is collected by FTRAC from other government databases, it must be done under an agreement which specifies the nature of and limits with respect to the information collected (ss.54(b) and 66); and
- makes a punishable offence the improper disclosure of information (s.74).
In addition, s.90 of the Bill explicitly makes the FTRAC subject to the federal Privacy Act, which sets out certain requirements in respect of the collection, use and disclosure of personal information held by the Centre, and which gives the Privacy Commissioner oversight powers in relation to FTRAC’s handling of personal information. However, most of the protections established by the Privacy Act are either so limited in scope or subject to such broad exemptions in respect of criminal investigations that they become empty insofar as FTRAC is concerned. In particular,
- s.6(2) of the Privacy Act requires that FTRAC “take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible” (italics added). But FTRAC’s use of personal information will not be for “administrative purposes”, so this provision is of limited applicability;
- s.8(2)(b) of the Privacy Act permits non-consensual disclosure of personal information by FTRAC to third parties “for any purpose in accordance with any Act of Parliament or any regulation made thereunder that authorizes its disclosure”;
- s.7(b) of the Privacy Act permits the non-consensual use of personal information by FTRAC “for a purpose for which the information may be disclosed to the institution under subsection 8(2)”;
- s.22(1)(b) of the Privacy Act permits FTRAC to refuse to disclose any personal information requested by the individual under the individual access provision (s.12(1)), where “the disclosure of that information could reasonably be expected to be injurious to the enforcement of any law of Canada or a province or the conduct of lawful investigations…..”;
- while the Commission has broad powers to investigate complaints under s.29 of the Privacy Act, the secrecy permitted to FTRAC operations and investigations makes it unlikely that complaints will arise (since individuals will have no knowledge of the FTRAC “investigation”, they will have no basis on which to complain).
Clearly, the exemptions with respect to disclosure and individual access rights are justified in order not to defeat the purpose of FTRAC; it makes no sense to permit a person under investigation for money laundering to examine their records held by FTRAC. However, it is unclear how the vast amounts of “innocent” personal information collected and analysed by FTRAC will be treated under this regime. FTRAC may well argue that all of the information collected by it is subject to the exemption in s.22(b) of the Privacy Act and that its disclosure, even in cases where no police investigation has been initiated, could “be injurious to the enforcement of …law…. or the conduct of lawful investigations”. Yet, without any clear access rights, individuals will not even be aware of whether or not FTRAC holds files on them. As the Privacy Commissioner urged in his 1997-1998 Annual Report, “all exemptions should be subject to an injury test, meaning investigative bodies should be required to demonstrate how granted access to an individual would harm a law or their investigations”.
In any case, as the exemptions set out above show, the Privacy Act offers little in the way of privacy protection to individuals under Bill C-22 given the nature of the FTRAC’s operations (related to law enforcement). However, it does establish a regime of accountability of the FTRAC to the Privacy Commissioner, weak as this regime (under the Privacy Act) is.
Consumer privacy concerns arise from the following aspects of Bill C-22:
Bill C-22 requires two kinds of reporting, each of which raises privacy concerns for consumers. Section 9 provides for mandatory reporting of certain kinds of personal financial transactions (to be detailed in regulations), even where the reporting entity has no basis on which to suspect criminal behaviour or is confident that there is no criminal behaviour involved. While this section has the benefit of providing clear, objective criteria for s.5 entities to follow, it has the disadvantage of requiring reporting even where there is no basis on which to suspect money laundering activity. Thus, it will undoubtedly result in inefficient and unnecessary reporting, contrary to the principles of fair information practice.
Section 7 provides for mandatory reporting without the individual’s knowledge of transactions “in respect of which there are reasonable grounds to suspect that the transaction is related to the commission of a money laundering offence.” While the government may provide guidelines to s.5 entities for use in making determinations under this section, it apparently does not intend to establish any regulations to define and thereby limit what constitutes a “suspicious transaction”. This provision raises two concerns: (1) the inability for individuals to find out if they have been reported on under this section, and (2) the subjective nature of the determination required to be made by s.5 entities. It places private enterprises and professionals in the role of money laundering investigators – a role which they are generally neither equipped nor prepared to play, especially with respect to their customers. There is likely to be a wide range of interpretations as to what constitutes a “suspicious” behaviour or demeanour, with one end of the spectrum resulting in over-reporting, and hence undue privacy invasions of innocent citizens.
Together with the significant penalties for failure to report, these two mandatory reporting provisions create a strong incentive for s.5 entities to over-report. There is no downside to over-reporting, while the potential cost of under-reporting is high. Where there is any doubt whatsoever, it is likely that the transaction will be reported. Hence, it can be expected that many innocent consumers will have their confidential financial information shared with FTRAC and possibly made subject to an investigation, without their knowledge. This is a clear violation of fundamental privacy.
Collection of Personal Information by FTRAC
Section 54(b) gives FTRAC broad powers to collect “information that the Centre considers relevant to money laundering activities and that is publicly available, including commercially available databases, or that is stored in databases maintained by the federal or provincial governments for purposes related to law enforcement…..”.
A fundamental principle of fair information practices is that collection of personal information be limited to that which is necessary for the legitimate and reasonable purposes identified by the organization (and, unless inappropriate, consented to by the individual).(13) While this provision appropriately restricts FTRAC’s collection rights to information which is both relevant to money laundering and publicly available, it could be even further restricted in the interests of privacy, either by specifically listing (in a regulation) the types information that could be “relevant to money laundering activities”, or by limiting collection of information to that which is necessary “to detect and deter money laundering and to facilitate the investigation and prosecution of money laundering offences”(14) (the objective of Bill C-22).
Disclosure of Personal Information by FTRAC
Under section 55(3), FTRAC is permitted to disclose personal information to law enforcement agencies, the Canada Customs and Revenue Agency (for tax law enforcement purposes), CSIS (for national security purposes), and the Department of Citizenship and Immigration (for immigration law enforcement purposes), without judicial authorization. While these additional purposes may be justified, they are not reflected in the title or description of the Bill. They significantly broaden the purposes for which information collected by FTRAC may be used and disclosed, beyond money laundering. It is important, at a minimum, that any such new purposes be clearly communicated in the title and object clause of the Bill.
Section 55(7) sets out the type of information (data elements) that may be disclosed without judicial warrant under ss.55(3) to (5). This subsection purports to limit such “designated information” to listed data elements (e.g., client name, business name and address, amount and type of currency or monetary instruments involved), but includes in part (e) “any other similar information that may be prescribed”. Thus, once again, the regulations may be used to significantly broaden the scope of warrantless searches permitted under this Bill, and thereby significantly weaken individual privacy.
Accuracy, Access, Transparency
While understandable in light of the purpose of the Bill, and the need for investigatory agencies to conceal information from those they are investigating, the lack of transparency to innocent consumers in respect of the collection, use and disclosure of their personal information by FTRAC, is troubling. In order to correct any inaccurate information about them, on which harmful decisions may be made, individuals must have access to their information held by others. In order for any access rights to be meaningful, however, individuals must first have knowledge that the information exists in the first place.
Yet, Bill C-22 establishes a regime of secrecy under which private entities are prohibited from disclosing both the existence and contents of “suspicious transaction” reports to individuals who request such information about themselves.(15) Moreover, individual access rights under the Privacy Act are severely curtailed by means of exemptions related to law enforcement and investigatory purposes (see above). Even the Privacy Act provision requiring FTRAC to “take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible” is strangely limited to use “for an administrative purpose”, which will clearly not apply to the bulk of FTRAC’s uses.
Thus, there remains considerable concern that innocent Canadians will not only suffer unwarranted intrusion into their private lives by state authorities, but also possibly suffer serious consequences as a result of investigations based on inaccurate or incomplete information.
The first principle of the CSA Privacy Code, now Schedule 1 of Bill C-6, is “Accountability”. Specifically, the principle states:
“An organization is responsible for personal information under its control and shall designate an individual or individuals who are accountable for the organization’s compliance with the following [data protection] principles.”
This rule recognizes the fundamental importance of internal accountability to any effective data protection regime – the need for individual responsibility and accountability within the organization, and appropriate organizational controls, such that individual rights to privacy in respect of that organization can in fact be exercised.
While FTRAC, as a government agency, will not be subject to Bill C-6, the principle of accountability is nevertheless applicable. In order that the privacy protections inherent in the Bill are effective, FTRAC should be required to designate an individual (e.g, a “privacy officer”) responsible for ensuring that the collection, use and disclosure of personal information by FTRAC is appropriately minimized. This is especially important given the likely tendency for s.5 entities to over-report, as discussed above.
Despite the fact that the Privacy Commissioner will have jurisdiction over FTRAC under the Privacy Act, concerns remain over the effectiveness of this oversight given the nonbinding powers of the Privacy Commissioner and the covert nature of the proposed regime (thus likely resulting in few complaints).
V. RELATIONSHIP OF BILL C-22 WITH BILL C-6
In direct contrast to Bill C-22, Bill C-6, the Protection of Personal Information and Electronic Documents Act, requires that non-governmental agencies refrain from collecting, using, and disclosing personal information in the context of commercial activities without the individual’s knowledge and consent. Bill C-6 is based on the CSA Model Privacy Code, now CAN/CSA-Q830-96, a formal Canadian Standard, which sets out ten principles of fair information practices, centered around the individual’s right to knowledge of and control over transmissions of personal information in the private sector. Clearly, the goal of Bill C-6 (data protection) conflicts with the goal of Bill C-22 (detection and prevention of crime).
This apparent conflict in the obligations of s.5 entities is, however, simply resolved by way of an exemption clause in Bill C-6, which permits the disclosure of personal information without the individual’s knowledge or consent where “required by law” (s.7(3)(i)).
In addition, Bill C-6 permits:
- the collection of personal information without the individual’s knowledge or consent if “it is reasonable to expect that the collection with the knowledge or consent of the individual would compromise the availability or the accuracy of the information and the collection is reasonable for purposes related to investigating … a contravention of the laws of Canada or a province” (s.7(1)(b));
- the use of personal information without the individual’s knowledge or consent if ”….it could be useful in the investigation of a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, and the information is used for that purpose of investigating that contravention” (s.7(2)(a)), or if “it was collected under paragraph 1(a) or (b)” (s.7(2)(d)).
Another area of potential confusion, involving individual access rights under clause 9, has also been addressed in Bill C-22. By invoking their access rights under clause 9 of Bill C-6, individuals can find out (a) whether a report has been made about them under Bill C-22, and (b) the personal information contained in any such report, unless the reporting organization can rely upon one of the exemptions specified in clause 9 of Bill C-6. Thus, money launderers could potentially use Bill C-6 to find out (a) whether they are under investigation, and (b) the nature of that investigation. Bill C-22 addresses this problem by adding a new section 9.1 to Bill C-6, prohibiting organizations from (a) disclosing or giving an individual access to personal information contained in a clause 7 report (suspected money laundering), and (b) disclosing that it has made a clause 7 report or giving access to such report.
However, with section 9.1 comes some further potential confusion around the applicability of procedural safeguards set out in subsection 9(3)(5) of Bill C-6. This section provides that where an organization refuses access to personal information on the grounds that such access might compromise the investigation of a criminal offence (or other illegality), the organization must notify the Privacy Commission in writing. It is not clear that this provision will apply to organizations refusing access under the new section 9.1. Bill C-22 should clarify that such notification continues to be required.
In summary, then, because of its nature as a law enforcement and investigation, the regime established by Bill C-22 is largely exempted from the fundamental privacy protections set out in both the federal Privacy Act and Bill C-6. The “privacy-protective” provisions in Bill C-22, while important, are in the nature of minor constraints on a regime which involves massive privacy invasions, however justified these invasions may be.
Bill C-22, The Proceeds of Crime (Money Laundering) Act, is a good example of a situation in which individual privacy rights clash with law enforcement tools. In order to effectively address the problem of money laundering, perceived as pernicious and thriving, Bill C-22 makes significant sacrifices in terms of consumer privacy.
The first question that legislators must ask is: Is this sacrifice justified in a free and democratic society? This requires a detailed examination of the goal of Bill C-22 (do we need new legislation to address the problem of money laundering?), an analysis the privacy invasive aspects of Bill C-22 (does the Bill minimally impair privacy rights in the achievement of its goals?), and a balancing of the law enforcement objective against the privacy invasions it creates (is the invasion proportional to the objective?).
We do not have sufficient information on which to judge the adequacy of existing laws relating to money laundering or the extent of the problem. Assuming that Bill C-22 can be so justified, however, we have set out some concerns about the extent of consumer privacy invasion that it authorizes. These concerns include:
- systemic over-reporting by private entities subject to the Bill;
- reliance on individual judgement re: s.7 “suspicious transaction” reporting;
- potential over-collection of personal information by FTRAC from other sources (s.54(b));
- limited ability of individuals to identify and correct inaccurate information about them held by FTRAC;
- lack of full accountability of s.5 entities and FTRAC to individuals who have suffered undue privacy invasions under the regime (ss.10, 69);
- accountability within FTRAC for data protection;
- appropriate sensitivity to privacy issues among FTRAC staff;
- lack of public awareness of the regime; and
- limited oversight/redress powers of the Privacy Commissioner.
Much of the important detail of the new regime remains to be determined through regulations. For example, the types of transactions subject to mandatory reporting under s.9 remain to be specified. While information subject to disclosure by FTRAC without warrant is listed in s.55(7), the Bill permits the use of regulations to expand this list. The drafting of these regulations will therefore be critical. It is essential that the regulation-making process be open and based on broad consultations with interested stakeholders.
It is clear that this Bill has been carefully drafted with a view to minimizing the privacy invasions consequent upon establishing a mandatory reporting regime for better detecting, deterring, investigating and prosecuting money laundering and related crime. Many of our concerns are inherent to a mandatory reporting regime, and others lie with the inadequacy of the Privacy Act generally. However, some concerns could be addressed without undermining the whole regime. In this respect, we recommend the following:
- that the Bill require FTRAC to designate an individual (e.g, a “privacy officer”) responsible for ensuring that the collection, use and disclosure of personal information by FTRAC is appropriately minimized;
- that one of the qualities sought when hiring personnel for FTRAC is sensitivity to privacy issues;
- that a process be established to ensure that FTRAC officials, as well as those in the private sector responsible for reporting, are properly educated as to the importance of minimizing the collection, use and disclosure of personal information to what is necessary under the Act;* that measures be taken by the government to ensure public awareness of the regime, through preparation and distribution to s.5 entities of brochures and other informational materials for public consumption;
- that s.5 entities be encouraged, if not required, to place stickers identifying themselves as reporting entities under the Act (similar to the CDIC model);
- that the five year Parliamentary review required under s.72 be made perpetual; and
- that the open, public process followed to date with respect to the drafting of regulations under this Act be continued.
1. Finance Canada, Backgrounder on the New Proceeds of Crime (Money Laundering) Act, News Release 99-046.
2. Terence Corcoran, “Canada’s Money Laundering Dragnet: Creating a Subculture of Informants and Snitches”, The Financial Post, March 4, 2000.
3. Frank Cilluffo and Sharon Cardash,”Time to pay our laundry bill”, The Globe and Mail, March 30, 2000, p.A15.
4. Legislative Summary of Bill C-22, Parliamentary Research Branch, 9 February 2000, http://www.parl.gc.ca/36/2/parlbus/chambus/house/bills/summaries/c22-3.htm
5. See http://www.ustreas.gov/fincen
6. See http://www.ustreas.gov/fincen/40rec.pdf or http://www.oecd.org/fatf/recommendations.htm
7. Legislative Summary, op cit.
8. FATF, Annual Report 1997-98, June 1998, p.13; http://www.oecd.org//fatf/reports.htm
9. Op cit, footnote 1.
10. March 4, 2000.
11. Cristin Schmitz, “CBA leads battle against proposed money laundering law”, The Lawyers’ Weekly, March 31, 2000, p.3; See also “Suspicious Minds; Bill C-22”, The National, vol.9 no.1, Jan-Feb. 2000, p.43.
12. As reported by Schmitz, ibid.; and Vancouver Sun, July 11, 2000.
13. See Principle 4 of the CSA Privacy Code, Schedule 1 to Bill C-6, s.4.4.
14. s.3(a), Bill C-22.
15. Section 97, Bill C-22, adding the new clause 9.1 to Bill C-6.