Information & Ethics Committee on April 14th, 2016

An example would be these accounts under $50,000.

Again, you start from the principle that it is legitimate for the two states, Canada and the U.S., to share information to avoid tax evasion. In order for Canada to obtain information from the United States, we have to provide some information to the United States in reciprocity.

The purpose of the whole scheme is to ensure that the tax regimes of both Canada and the U.S. are applied properly, yet the arrangement provides for certain exceptions. You've heard tax officials refer to some of them having to do with TFSAs and so on and so forth. Even though the rule is exchange of information for tax purposes, the arrangement provides for certain exemptions, including this question of whether or not accounts under $50,000 should be reported.

The rules should be clear. What happens to records under $50,000? If the rule is that they should not be reported, then that would be an example of information that theoretically would be relevant to a tax assessment and that should not be and would not be necessary to be transferred, because the arrangement so provides.

From the privacy perspective, the retention issue relates to, again, the ultimate purpose of the arrangement, which is to avoid tax evasion. The two governments share information for that purpose and should only retain that information for a period that is necessary for the other government to actually take tax enforcement action.

Normally in Canada the information is retained for seven years. Originally, the information shared between Canada and the U.S. was retained for 11 years. We asked the CRA to justify that period. They have agreed, in their response to our comments of December, to reduce the period from 11 to seven years. We think seven years is a reasonable period.

I don't believe we have asked for clarifications along those lines, but they are certainly relevant. We will check on the content of the IGA. If the agreement does not speak to this aspect, we will ask these questions of the CRA.

I would start with what recourse there would be for improper disclosure, either by Canadian institutions or the CRA. Canadian financial institutions normally would have to keep the information of their clients secret, but the arrangement provides the legal basis for them to share information with the CRA with a view to sharing it with the IRS.

If there is something wrong, and if there's oversharing of information, PIPEDA would be a ground to invoke. In terms of oversharing by the CRA to the IRS, the Privacy Act could be invoked.

If on the American side, there is something untoward that is happening, again we will have to look into this question.

We have asked along those lines for the CRA to give us information about the threat assessment or the risk of breach assessment that they are conducting. We have not received that information yet, and it will be part of the next round of information that the CRA has promised to give us by the fall of 2016.

I'll start with some general comments and, then, I'll speak specifically to the transfer of information that occurred.

In his answer earlier, Mr. Gallivan told you that, in addition to the correspondence that was exchanged, a certain number of meetings between the CRA and my office were held before the PIA was actually passed on. That is entirely true. We had two or three meetings prior to our correspondence.

Treasury Board policy on PIAs does not state that the commissioner's office has to have given its approval or input before a new program can come into effect. I think the CRA acted in accordance with the policy in effect, in doing what it did. We did meet a number of times and we did correspond in August, one month before the information was transferred. Three months after our correspondence, we provided our comments. All of that is acceptable under the Treasury Board policy.

Generally speaking, is that the best way to proceed? No, it's not ideal for departments to be able to adopt and implement new programs before receiving a formal opinion on the privacy implications from the commissioner's office. But that's the system we have in place.

I would add that the commissioner's office recommended amendments to the Privacy Act, as the members of this committee are well aware. And one of those recommendations sought to make the obligation to conduct PIAs a statutory requirement, as opposed to a policy one. The idea was to give the process more teeth and, ideally, ensure that the comments of the commissioner's office are taken into account before any new program comes into effect.

The question we asked was of a general nature. If we had reason to believe that the regime was not properly applied, we could conduct an audit under the Privacy Act, but we aren't there yet.

Technically speaking, the Privacy Act authorizes the sharing of information for all the purposes listed in the agreement between the two governments. Once again, the purpose of the agreement is to combat tax evasion. Provided, then, that the information is shared for the purpose of preventing tax evasion, the CRA can transfer that information to the American government under the agreement. Because an agreement exists and because the Income Tax Act provides for that, the sharing of information is allowed under the Privacy Act. I mentioned accounts under $50,000 because the rules around that are not clear.

To pick up on an earlier discussion with the minister and the government officials, I would say that, although the sharing of information is allowed to verify that tax evasion was not committed, it is also important to make sure that the two governments do not share information beyond what is set out in the agreement. That's one of the things we've asked the CRA about because there still isn't a clear answer on the matter.

We haven't yet asked that question, specifically, but the developments we've seen in the situation overall have led us to do so now. We will receive information from the CRA, and, once again, if the answer is satisfactory, we will say so. If, however, the answer isn't satisfactory, we do have the authority to take a deeper look at things.

It would be a few weeks, or months at the most.