Balancing Privacy: Anti Money-Laundering
There’s a reason why they are called “data protection” as opposed to “privacy” laws. In Canada, the privacy rights you have come from the Charter of Rights; our data protection laws provide rules principally as to the collection, use and disclosure of personal information, with more than a passing nod to other topics such as retention, access and security. Data protection legislation in Canada is about balancing interests, and understanding that balance requires a good feel for the exceptions to the rules. Anti money-laundering law (“AML”) provides a good illustration.
The formal history of AML legislation in Canada is short. Dating from 1991, it essentially establishes record keeping and client identification requirements to support the investigation of offenses found in the Criminal Code and the Controlled Drugs and Substances Act. If you want to see the legislation, search for the unwieldy title of Proceeds of Crime (Money Laundering) and Terrorist Financing Act or the unpronounceable acronym of “PCMLTFA”.
In 2000, FINTRAC was established as a federal financial intelligence unit. In 2001, the legislation was expanded to include anti-terrorist financing measures. People take FINTRAC very seriously, and for good reason: it has the power to issue administrative monetary penalties, and did so as recently as last month against a credit union in Ontario.
Further amendments to PCMLTFA in 2006 expanded existing client identification, record-keeping and reporting requirements; added new obligations concerning suspicious transactions as well as international electronic fund transfers, and ratcheted up compliance obligations by requiring risk assessments and formal procedures to manage identified risks.
Section 7(3)(c.2) of PIPEDA provides that disclosures may be made without knowledge and consent if the disclosure is “made to the government institution mentioned in section 7 of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act as required by that section”. That institution is FINTRAC.
Organizations have to comply with both PIPEDA and the PCMLTFA: one requires the protection of personal information; the other, its disclosure. PIPEDA requires an organization to collect, use and disclose no more than necessary. PCMLTFA requires the same organization to collect certain information items pertaining to transactions and to copy specific identity documentation used in verifying an individual’s identity.
How does this all work in practice? One example is identity documents. PIPEDA says that where the law does not require an organization to collect a copy of an identity document, the organization has to determine whether there is a legitimate business reason to do so. If there is none, then don’t collect the personal information. This is the practical application of the Limiting Collection Principle. But in this instance there is a requirement in law: the PCMLTFA requires, in certain circumstances, that an organization collect copies of identity documents, personal information that might otherwise run afoul of PIPEDA.
Of course, what may trip up an organization is not what it has to do but how. Transparency and openness requirements under PIPEDA affect how an organization goes about meeting information collection requirements. Case Summary 2003-256 provides an example where a complainant thought a bank’s collection of personal information was excessive. It wasn’t, but the federal Privacy Commissioner nonetheless required that application forms be amended to clearly indicate that there were legal requirements to collect the information in question.
Compliance with PCMLTFA also highlights a wrinkle with respect to access. Normally, under the access requirements found in PIPEDA (see Principle 4.9), an individual may request to be informed of disclosures to FINTRAC, but that does not necessarily mean that the request can be granted. Section 9 of PIPEDA lays out a process for when an organization receives such a request:
Where there has been a disclosure to FINTRAC because a transaction is believed to be related to the possible commission or attempted commission of money laundering or terrorist activity financing (section 7(3)(c.2) of PIPEDA), section 9(2.1)(a)(i) of PIPEDA requires the organization to notify FINTRAC in writing about the access request.
FINTRAC may approve or object to the access request. The organization is not to respond to the request until it receives notice from FINTRAC or, if no notice is received, until 30 days from the date the organization notified FINTRAC.
Where FINTRAC objects, section 9(2.4) of PIPEDA provides that the organization shall (i) refuse the request; (ii) notify the Privacy Commissioner of Canada (“OPC”) in writing, and without delay, of the refusal; (iii) not provide the individual any information relating to the disclosure; (iv) not indicate that FINTRAC or the OPC has been notified; and (v) not indicate that FINTRAC objected to the request.
Bottom line, practical privacy advice: (1) look at the rules under PIPEDA; then (2) look at other regulatory or legal obligations; and finally (3) look at the exceptions under PIPEDA. More likely than not, an exception under PIPEDA will allow an organization to meet its other legal obligations. This is how the balancing occurs.