Appearance before the Standing Committee on Access to Information, Privacy and Ethics on the Transfer of Information to the United States Internal Revenue Service (IRS)

April 14th, 2016
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Thank you for inviting me to provide my views on certain aspects of the tax information exchange agreement between the Canada Revenue Agency (CRA) and the Internal Revenue Service (IRS) of the United States. I am here given my oversight over the Privacy Act, which covers the personal information-handling practices of federal government departments and agencies, and the Personal Information Protection and Electronic Documents Act (PIPEDA), Canada’s federal private-sector privacy law.

Overview of previous statements made by the OPC

Through Bill C-31, Economic Action Plan 2014 Act, No. 1, the Canada-United States Enhanced Tax Information Exchange Agreement Implementation Act enacted an intergovernmental agreement — or IGA — for the exchange of tax information between Canada and the United States required to meet the Foreign Account Tax Compliance Act or FATCA reporting requirements. Bill C-31 also included an amendment to the Income Tax Act, adding Part XVIII to implement due diligence requirements set out in the IGA.

FATCA is a U.S. law which requires financial institutions in countries outside of the United States, including Canada, to report certain information on accounts of a “U.S. Person” to the IRS, or face a 30% withholding tax on U.S. sourced payments. We understand that there are 112 jurisdictions that have, or plan to, implement FATCA reporting agreements.

Under the IGA, the Canadian government agrees to obtain certain information with respect to accounts held by certain U.S. persons from Canadian financial institutions and report that information to the U.S.

This happens in two steps:

  • The Income Tax Act sets out requirements for Canadian financial institutions to report information with respect to those accounts to the CRA.
  • In turn, the CRA shares this information with the IRS. The IGA is reciprocal in that the CRA also receives information from the IRS.

In previous appearances before Parliament on FATCA my Office recognized the long-established practice of information-sharing between nations for the purposes of taxation enforcement.  For example, the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital, which lays the foundation to exchange information under the IGA, was signed in 1980. In more recent years there have been international efforts by the OECD for the automatic exchange of tax information.

However, we also conveyed our expectations that information-sharing activities be undertaken in a way which respects privacy rights of individuals. This holds true both for the CRA and financial institutions.

Specific privacy considerations

As we said in our appearance on Bill C-31, as well as in our review of the privacy impact assessment (PIA) submitted to us by the CRA, we expect there to be limits to the collection, use, and disclosure of personal information, defined retention periods, and appropriate safeguards.

For example, all parties involved must limit the collection of personal information to what is necessary and not collect data elements that are not required. This applies not only to the CRA, but also to reporting institutions governed by PIPEDA.

Use and disclosure of personal information must likewise be limited. The IGA specifically notes that information received under the IGA is subject to protections provided for under the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital, which limit use and disclosure to only the collection, administration and enforcement of taxes.

With respect to retention, as we understand it, the CRA retains its records for seven years, which is consistent with CRA’s retention of individual returns.

With respect to safeguards, we note that the IGA states that exchanges are subject to confidentiality and protections under the Convention between Canada and the United States of America with Respect to Taxes on Income and on Capital. The Convention mentions that information received shall be treated as secret in the same manner as information obtained under the taxation laws of that State. The CRA is expected to protect personal information from unauthorized uses and disclosures of personal information, especially considering the sensitivity of financial information and the reasonable expectation of individuals that it generally be kept confidential.

PIA consultations

My Office received a PIA from CRA in August 2015 and we are pleased that CRA adopted all of our recommendations, including:

  • Reducing its retention period from 11 to 7 years;
  • Educating financial reporting institutions to guard against the risk of over collection;
  • Committing to safeguard information, including through specific measures to mitigate risks identified through its threat-risk assessment; and
  • Updating the PIA to reflect all proposed uses and disclosures of personal information and ensuring these be strictly limited for purposes of tax administration only.


While my Office acknowledges the need to combat tax evasion, it is important for the enabling legislation to be clear in the obligations it imposes on all reporting entities, including the CRA and organizations that have FATCA reporting obligations, such as financial institutions.

For example, the IGA states that unless a reporting institution elects otherwise, accounts under certain thresholds (such as deposit accounts under USD 50,000) are not required to be reviewed, identified, or reported.

We note, however, that Part XVIII of the Income Tax Act seems to require reporting on all U.S. reportable accounts, unless the financial institution specifically designates an account to not be a U.S. reportable account.

A concern is that given the apparent discretionary nature of the threshold exemptions, it may not be clear when accounts under $50,000 will be reported to the CRA.

Continuing follow-up

My Office has written to the CRA with follow-up questions, including how many accounts under USD 50,000 they have received and transferred, clarification on how threshold exemptions are applied, clarification with regard to the level of review the CRA performs on records that are transferred to the IRS, and if the CRA could advise how many records it received related to Canadian persons from the IRS.

We have also requested clarification as to why the first round of records sent to the IRS were more than originally estimated.


FATCA reporting requirements are an example of cooperation between states on tax enforcement, and in that respect it is neither unusual nor objectionable.  

That said, privacy principles have to be respected and provide balance in the implementation of the arrangement.

The IGA and implementing legislation create legal effects vis-à-vis privacy law by creating an obligation to share information without the consent of the individual under the Privacy Act and PIPEDA. There is also some lack of clarity around questions on reporting threshold exemptions. To this extent, we are following up with the CRA on these issues as a part of our PIA review process.

Protecting the privacy rights of individuals and advising on improving protections under information sharing arrangements are key parts of my mandate. 

Given that Parliament has chosen to pass implementing legislation to support FATCA reporting requirements, we continue to strongly recommend that these obligations not be over broadly applied, but appropriately balanced against privacy rights.

Thank you for your time and I would be pleased to take your questions.