Privacy commissioner shows firms how to win approval for data sharing

The regulator will take up to 120 days to say yes - and the clock can stop

Privacy commissioner shows firms how to win approval for data sharing

Canadian financial firms that want to share clients' personal information without consent to detect money laundering now have guidance on securing the privacy regulator's approval. 

The Office of the Privacy Commissioner of Canada published the guidance on July 9, 2026, aiming to help firms draft codes of practice that meet the standard the Commissioner applies before any such information sharing can begin. 

The move builds on legislative changes made in March 2025. Under the Proceeds of Crime (Money Laundering) and Terrorist Financing Act, reporting entities can now share an individual's personal information among one another, without that person's knowledge or consent, in certain circumstances. But there is a condition. A firm must first establish a code of practice governing the sharing and have it approved by the Privacy Commissioner. 

The guidance is aimed at reporting entities such as banks, credit unions, trust companies, and providers of life insurance and loans. Participation is voluntary. The Commissioner's office notes that developing a code is not mandatory unless a firm intends to engage in this kind of information sharing. 

The guidance clarifies what a code must contain to win approval. Under the regulations, a code has to identify the firms bound by it, describe the personal information that may be shared, spell out the purposes and manner of sharing, and set out how the information will be protected and retained. It must also show that it provides the same or greater protection of personal information than the country's federal private-sector privacy law, known as PIPEDA. 

To meet that last test, the guidance walks firms through familiar privacy principles - accountability, limiting collection, safeguards, accuracy, openness, individual access and handling complaints - and explains what the Commissioner expects under each. 

Timing matters. Applicants are told to contact the Commissioner's office first and to notify the Financial Transactions and Reports Analysis Centre of Canada on the same day they submit a code. FINTRAC, the office said, is well placed to inform the assessment. Once a code is submitted, the Commissioner has 120 days to decide, with the option to extend by 15 days and to pause the clock while awaiting more information. 

The obligations do not end at approval. Firms that revise an approved code must notify the Commissioner, who has 30 days to flag whether the change is significant enough to require a fresh application. A code must be resubmitted for approval every five years, or it lapses. 

"This new guidance will support organizations as they establish codes of practice that maintain strong privacy protections in the context of information sharing meant to detect and prevent money laundering, terrorist financing, and sanctions evasion," Privacy Commissioner Philippe Dufresne said. 

The Commissioner's office stressed that the guidance is meant to help applicants and does not constitute legal advice. 

The full text of the Guidance on submitting Codes of Practice under the Proceeds of Crime (Money Laundering) and Terrorist Financing Regulations is available at https://www.priv.gc.ca/en/privacy-topics/surveillance/police-and-public-safety/financial-transaction-reporting/gd_cp_pcmltfr/

LATEST NEWS