Merci, monsieur le président.
Ladies and gentlemen of the committee, thank you for inviting me to provide my views on certain aspects of the tax information exchange agreement between the Canada Revenue Agency and the IRS in the United States.
The minister explained a little about the legal framework under which this transfer is made. I do not want to repeat what she said, except to remind you that there are two important documents in this matter. We have an intergovernmental agreement, an agreement between the two governments, and we have the provisions of the Income Tax Act that were passed in 2014.
Under the IGA, the Canadian government agrees to collect certain information on accounts held by Americans in Canadian financial institutions and report that information to the United States.
This happens in two steps. First the Income Tax Act sets out requirements for Canadian financial institutions to report information with respect to those accounts to the CRA. In turn, the CRA shares this information with the IRS. The IGA is reciprocal in that the CRA also receives information from the IRS.
In previous appearances before Parliament on FATCA, my office has recognized the long-established practice of information-sharing between nations for purposes of taxation enforcement. For example, the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital, which lays the foundation to exchange information under the IGA, was signed in 1980. In more recent years, there have been international efforts by the OECD for the automatic exchange of tax information. However, we also conveyed our expectations that information-sharing activities be undertaken in a way that respects privacy rights of individuals. This holds true both for the CRA and for financial institutions
As we said in our appearance on Bill C-31, which amended the Income Tax Act, as well as in our review of the privacy impact assessment submitted to us by the CRA, we expect there to be limits to the collection, use, and disclosure of personal information, defined retention periods, and appropriate safeguards. For example, all parties involved must limit the collection of personal information to what is necessary and not collect data elements that are not required. This applies not only to the CRA, but also to reporting institutions governed by PIPEDA.
The use and disclosure of personal information must likewise be limited. The IGA specifically notes that information received under the IGA is subject to protections provided for under the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital, which limit the use and disclosure to only the collection, administration and enforcement of taxes.
With respect to retention, as we understand it, the CRA retains its records for seven years, which is consistent with CRA's retention of individual returns.
With respect to safeguards, we note that the IGA states that exchanges are subject to confidentiality and protections under the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital. The convention mentions that information received shall be treated as secret in the same manner as information obtained under the taxation laws of that state.
The CRA is expected to protect personal information from unauthorized uses and disclosures of personal information, especially considering the sensitivity of financial information and the reasonable expectation of individuals that it generally be kept confidential.
My office received a privacy impact assessment from the CRA in August 2015.
We are pleased that the CRA has adopted all our recommendations: first, reducing its retention period from 11 to seven years; second, educating financial reporting institutions to guard against the risk of over-collection; third, committing to safeguarding information, including the use of specific measures to mitigate risks identified through its threat risk assessment; fourth, updating the privacy impact assessment to reflect all proposed uses and disclosures of personal information and ensuring that these are strictly limited to purposes of tax administration.
While my office acknowledges the need to combat tax evasion, it is important for the enabling legislation to be clear in the obligations it imposes on all reporting entities, including the CRA and organizations that have FATCA reporting obligations, such as financial institutions.
For example, the IGA states that unless a reporting institution elects otherwise, accounts under certain thresholds, such as deposit accounts under $50,000—U.S., I believe, although perhaps Canadian—are not required to be reviewed, identified, or reported. However, part XVIII of the Income Tax Act seems to require reporting on all U.S. reportable accounts unless the financial institution specifically designates an account to not be a U.S. reportable account. This leads to a concern: given the apparent discretionary nature of the threshold exemptions, it may not be clear when accounts under $50,000 will be reported to the CRA.
My office has written to the CRA with follow-up questions following their response to our earlier comments of December 2015. These questions included the number of accounts under $50,000 U.S. they have received and transferred, clarification on how threshold exemptions are applied, clarification with regard to the level of review the CRA performs on records that are transferred to the IRS, and notification of how many records it received from the IRS about Canadian persons. We've also requested clarification as to why the first round of records sent to the IRS was larger than originally estimated.
In conclusion, FATCA reporting requirements are an example of co-operation among states on tax enforcement. In that respect, FATCA is neither unusual nor objectionable. That said, privacy principles have to be respected and provide balance in the implementation of the arrangement. The IGA and implementing legislation create legal effects vis-à-vis privacy law by creating an obligation to share information without the consent of the individual under the Privacy Act or PIPEDA, the private sector legislation.
There's also some lack of clarity around questions on reporting threshold exemptions. To this extent, we are again following up with the CRA. We wrote to them earlier this week on these issues as part of our privacy impact assessment review process. Protecting the privacy rights of individuals and advising on improving protections under information-sharing agreements are key parts of my mandate. Given that Parliament has chosen to pass implementing legislation to support FATCA reporting requirements, we continue to strongly recommend that these obligations not be over-broadly applied but appropriately balanced against privacy rights.
I'll be glad to take your questions.