— Patricia Moon (@nobledreamer16) April 1, 2016
Continued from An Extraordinary Debate in the Canadian Senate the Day Before #FATCA IGA Received Royal Assent Part I
The Consultation of the Privacy Commissioner-An Exercise in Futility?
Given the fact that we are expecting a hearing concerning the Privacy Commissioner’s Report (which apparently was not examined before the release of information by CRA to the IRS in September, 2015), I think it is worth revisiting some of the discussions held with the Interim Privacy Commissioner Chantal Bernier prior to the actual implementation of the IGA.
Proceedings of the Standing Senate Committee on
National Finance, April 29, 2014 OTTAWA,
2:32-4:16 pm / 4:17-4:39 pm)
*The actual session lasted 22 minutes
also available here, 10:82-89
Senator Callbeck: I have a question on privacy concerns. I understand that some serious concerns are being expressed over privacy. I’m wondering, has the Privacy Commissioner been consulted?
Mr. Ernewein: “… In our discussions with the U.S., we’ve kept the Office of the Privacy Commissioner informed about what we were doing. We’ve also made sure to alert them that the agreement was being signed, to share the agreement with them and to share the draft legislation at that time. It’s my understanding that the Privacy Commissioner does not bless, if you will, government actions or legislation, so I don’t wish to speak for the office or the commissioner, but certainly they have been kept informed of all developments.
I have not been terribly familiar with Mr. Ernewein (I only recall him from the HOC May 29 meeting), as my attention during this time was focused on the House of Commons FINA hearings. I suspect that was due to Lynne, John, and Allison testifying there. I was inclined to think Mr. Ernewein was a reasonable fellow until I read this statement. Mr. Shoom furthers this idea a bit later by basically saying that they presumed she had no objections because outside of contact initiated by them, she did not respond further. While seemingly respectful of the Commissioner, even appearing to defer to her, Mr. Ernewein achieves something much more noticeable, which is to say that he doesn’t think it is required for the Commissioner to be on board with the legislation. Perhaps the only requirement is to check with actual Ministers however, how many of them would be as familiar with The Privacy Act and PIPEDA? I guess it wouldn’t matter, since the CONS had a majority. However, it may come back to haunt them later. Ms. Bernier, however understated it may seem, made some strong points that suggest she had serious concerns about the IGA.
The Honourable Larry W. Smith (Deputy Chair) in the chair:
From the Office of the Privacy Commissioner of Canada we welcome Chantal Bernier, Interim Privacy Commissioner, and Barbara Bucknell, Acting Director, Policy and Research.
Chantal Bernier, Interim Privacy Commissioner of Canada, Office of the Privacy Commissioner of Canada
“…..Under the agreement, Canadian financial institutions will be required to begin due diligence procedures as outlined in the agreement starting July 1, 2014, and to report information to the Canada Revenue Agency beginning in 2015. While some have asserted that this agreement violates section 15 of the Canadian Charter of Rights and Freedoms on the grounds that it discriminates against Canadians based on the place of birth or citizenship, this issue is beyond the scope of my office’s mandate.
Equally beyond our scope is how foreign jurisdictions implement their own tax collecting operations internationally. What does fall within my mandate is ensuring that institutions fulfill their privacy obligations.
I would like to note that there is a long established practice of information sharing between nations for the purposes of taxation enforcement. This isn’t a new concept.
That said, we will expect that this and all information sharing activities be undertaken in a way which respects privacy. This means we expect that CRA will meet its obligations under the Privacy Act in carrying out its FATCA responsibilities.
Further, we expect private sector organizations, such as financial institutions, that would become legally required to collect consumers’ personal information and disclose it to CRA to also comply with their obligations under the Personal Information Protection and Electronic Documents Act, which is the private sector privacy legislation.
These obligations include limiting the amount of personal information collected to only that which is necessary and to safeguard it accordingly.
In my time now, I just wish to note that what we have seen regarding the evolution of the Proceeds of Crime (Money Laundering) and Terrorist Financing Act presents some lessons learned from FATCA-related obligations. When the PCMLTFA was introduced in 2002, it had narrowly — and clearly — defined reporting requirements. As time progressed, its scope of application has broadened and the incentive to over report has gradually increased; Bill C-31 increases it further still.
We would strongly urge the committee to advise the government to proceed with caution to avoid the potential for further scope creep. In closing, thank you, Mr. Chair and members, for the opportunity to discuss this issue. I welcome your questions.
Senator Callbeck: Thank you for your explanation. In your comments at the bottom of page 1, you say that some have asserted this agreement violates section 15 of the Canadian Charter of Rights and Freedoms. You go on to say that’s not part of your mandate. Whose mandate is it to look at that?
Ms. Bernier: Well, the Canadian Human Rights Commission’s mandate is to look at issues in relation to discrimination.
Senator Callbeck: Are they looking at this? Do you know?
Ms. Bernier: I would not know.
Senator Callbeck: Well, aren’t you concerned about this?
Ms. Bernier: We have to apply our mandate. Our mandate is to seek compliance with the Privacy Act and the private sector legislation, which we call PIPEDA. We need to stick to our mandate as it is legislative, given to us.
Senator Callbeck: You would never say to the Human Rights Commission that this is something you have a concern about and are they checking on this?
Ms. Bernier: We have had conversations about issues that intersect between the two offices, but we respect their mandate and we feel it is for them to decide what issue warrants their attention.
Senator Callbeck: On page 2 you say that ensuring institutions fulfill their legal privacy obligations is within your mandate. You say you would expect them to do so, and then you go on and say the same thing about financial institutions. What happens if they don’t?
Ms. Bernier: You mean what happens if they do not respect PIPEDA or if the CRA violates the Privacy Act? There are two possibilities. In relation to the Privacy Act, as in relation to PIPEDA, citizens who would, for example, realize that their privacy has been violated could come to our office and file a complaint. We investigate, and we make recommendations for the correction if indeed the claim is well-founded.
In relation to the private sector, should there be a violation that is well-founded, we can actually refer the matter to a tribunal that could order damages and could actually force the company to change its practices.
Senator Callbeck: What tribunal would that be?
Ms. Bernier: The Federal Court; we can take it to the Federal Court.
Senator Bellemare: Ms. Bernier, could you please clarify some comments you just made about the need for caution. You said, and I quote:
As time progressed, its scope of application has broadened and the incentive to over report has gradually increased; Bill C-31 increases it further still. We would strongly urge the committee to advise the government to proceed with caution to avoid the potential for further scope creep. Could you please elaborate on that?
Ms. Bernier: Of course. Under the act, we are required to audit FINTRAC’s activities every two years. We have now audited FINTRAC twice and, each time, we observed the same trend, in that financial institutions or institutions that are subject to the act and required to report to FINTRAC tend to report too much information, in an excessive manner…………
Senator Chaput: Ms. Bernier, if we had asked you for your advice before studying the bill, would certain measures have been different?
Ms. Bernier: We had discussions with the Department of Finance and have seen improvements to the evolution of the bill.
However, we must resign ourselves to the fact that we are faced with a requirement from the United States and that the requirement corresponds to the public interest of the United States, meaning the integrity of their tax regime.
I think that the regime we have developed is proportional to that requirement, but I would like the assurance, on the one hand, as I was telling the chair a minute ago, that all of the measures required to avoid the excessive collection of information will be implemented, as well as all of the measures required to protect the security of the information once it has been collected.
Senator Gerstein: Thank you for being here today. Do you accept the premise that there is some form of balance between national security and privacy?
Ms. Bernier: Absolutely. In fact, I would say I accept the premise that privacy is a right that exists in relation to other rights.
Senator Gerstein: Would you accept the principle or premise that the balance may change as a result of external events?
Ms. Bernier: Definitely. If you look at the four-part test — the legitimacy test that the chairman was just referring to — on necessity, proportionality and the lack of a less intrusive alternative, it is precisely meant to integrate in the privacy analysis external events.
Senator Gerstein: Could you tell the committee how your personal views have changed in terms of this balance since 9/11?
Ms. Bernier: My views have never changed in principle, but evolved in the application of the legitimacy test. The legitimacy test is immutable. It is a fundamental right that intrusion upon privacy can only be legitimate if it corresponds to the four-part test that I have just stated.
That four-part test, being based on events, on circumstances, leads to different application. Therefore, the reality of a threat, for example, will justify a certain level of privacy intrusion proportionate to that threat.
So the legitimacy test is immutable in its framework, but flexible in its application precisely to ensure this organic coexistence of safety and privacy.
Senator Gerstein: I’m not sure I understand exactly what you said, but having said that —
Ms. Bernier: I can explain it.
Senator Gerstein: Let me pursue that for a moment. If you go back to 9/11 and the events that took place at that point, you are urging this committee to advise the government to proceed with caution with further scope creep. I submit to you: Have you not had scope creep yourself with regard to events since 9/11?
Ms. Bernier: No, I don’t feel we have had scope creep. Perhaps I am not entirely objective in answering your question because I believe that privacy must evolve with the rest of society. So our analysis must make sure that at every turn, as our society evolves, that we apply the analysis that is relevant.
An answer to your question would be found in a document that we have published called A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century. This document really addresses the point that you are making. We are in a rapidly changing world in many aspects; technological but also political. If you look at the special report we presented to you on January 28 on privacy and national security in relation to cybersurveillance, we start with a statement of the facts. We start with a description of the current national security challenges. Then we move to the privacy implications and to recommendations on how you integrate the two.
The protection of privacy is the proper integration of remaining private and yet safe at the same time. It will look different depending on the realities of the threats, definitely.
Senator Gerstein: I accept that. I come back to why you conclude your statement this morning with saying to this committee that you are strongly urging we advise the government to proceed with caution to avoid further scope creep. What’s your worry?
Ms. Bernier: What I’m trying to tell you is that there is a tremendous increase in surveillance capacity as well as appetite. This increase must remain faithful to the fundamental right of privacy, which means that as we adopt new measures that may be more intrusive to privacy, we must make sure they meet that legitimacy test. We must make sure that we have a demonstrated need, it is proportionate to that demonstrative need, it is likely to be effective and that there’s no less intrusive alternative.We must never lose sight of that legitimacy test to make sure that we have a society that, through all its evolutions in relation to threats, remains both safe and private.
Senator Eaton: I’m sure you can explain something to me, Ms. Bernier, in following up on my colleague’s question. With FINTRAC, information is turned over to the IRS, but it seems that it goes through the CRA. I don’t quite understand how the CRA protects our privacy. Wouldn’t it be more efficient for banks and financial institutions to pass that to the IRS without going through CRA? What is the role of CRA in that?
Ms. Bernier: The CRA is a Canadian institution.
Senator Eaton: Yes.
Ms. Bernier: Obviously I see the role of the CRA as an assertion of Canada’s sovereignty over the personal information of its nationals.
Senator Eaton: Will it edit or look at the information? What will its role be, apart from being Canadian? Is its role any more than symbolic or flag flying? Do they have a role?
Ms. Bernier: First of all, I think CRA should be asked exactly how they intend to play that role. What I understand from the analysis of FATCA is that the CRA will indeed give the information to the IRS. But we believe introducing the presence of CRA in that process, in fact, consolidates protection of the personal information of Canadians.
Some have been upset at Ms. Bernier’s comment “we must resign ourselves to the fact that we are faced with a requirement from the United States and that the requirement corresponds to the public interest of the United States, meaning the integrity of their tax regime.” I agree that it is hardly a statement that elicits a positive attitude moving forward. However, I think it is clear that she considers the issue of overreporting to require attention. I don’t know of any way in which we can confirm (or not) what information is sent to the IRS. I believe most of us would also consider banks reporting accounts that are under the threshold as a form of over-reporting, in spite of the fact that the IGA allows for it. I also find it interesting that Ms. Bernier makes reference to discrimination and that lies in the madate of the Human Rights Commission. There are fairly broad provisions for the CRA in the Privacy Act; perhaps this is a hint that a different focus may be more productive for us.
I have never heard her speak about this 4 part test. Specifically, the reality of a threat has a bearing on how much information may be shared. When one is talking about cybersurveillance or 911, I can understand to a certain degree. But FATCA? The US tax problems are a threat to Canada? (outside of the economic sanction). That idea is ridiculous. How “safe” is a Canadian with US taint once their financial information is passed on to the Americans? On income and assets that are earned in Canada? What will happen to those who are wrongly reported? As I recall, Allison Christians indicated there is no way to “appeal; it will be just like the no-fly list. And who will take responsibility for that? The IGA prevents the banks from being sued. WE are already seeing how difficult it is to sue. So exactly who is being threatened here?
The next day, May 14, 2014, Ms. Bernier gave basically
Thank you, Mr. Chair.
Thank you, members of the committee, for inviting me to discuss the privacy implications of Bill C-31.
Like my colleagues, I will focus on the United States Foreign Account Tax Compliance Act, or FATCA, and I will conclude with some brief comments on two other parts of the bill that have privacy implications.
FATCA is a U.S. law which requires financial institutions in countries outside of the United States, including Canada, to report certain information on accounts of a U.S. person to the U.S. Internal Revenue Service, or IRS. Bill C-31 includes an agreement to implement this through the Canada Revenue Agency.
While there is a long-established practice of information sharing between nations for the purposes of taxation enforcement, all information sharing activities must be undertaken in a way that respects privacy obligations. These obligations include limiting the amount of personal information collected to only that which is necessary for the stated purposes and safeguarding it appropriately.
The risk to privacy here, then, is mainly related to over-collection, over-reporting, and information security. To avoid over-collection and over-reporting, education and outreach to institutions affected by this new reporting requirement will be crucial. To address information security considerations, appropriate technological measures, as well as controls, will be called for.Beyond this, Bill C-31 introduces other legislative amendments that affect privacy.
First, the Proceeds of Crime (Money Laundering) and Terrorist Financing Act—the PCMLTFA—will be modified in a way that broadens the amount of personal information collected and increases information sharing capabilities and requirements by the Financial Transactions and Reports Analysis Centre of Canada, FINTRAC.
I’m encouraged, however, by the provision of Bill C-31 that requires FINTRAC to destroy the personal information it receives that is not related to the suspicion of criminal or terrorist activity. This corresponds to our recommendations in our audits of FINTRAC.
Second, changes to the Income Tax Act will allow for broader disclosure of taxpayer information to law enforcement authorities. This means that if CRA officials have reasonable grounds to believe that taxpayer information provides evidence of certain crimes, they may disclose this information to law enforcement. It appears that this information would be shared between the CRA and law enforcement authorities without judicial oversight. We would urge the committee in its examination of this provision to seek demonstration that this provision is necessary, and if it is necessary that appropriate oversight mechanisms will apply.
In closing, thank you, Mr. Chair and members for the opportunity to discuss this issue. I welcome your questions.
Mr. Murray Rankin: … Now I have a question for Madam Bernier, from the Office of the Privacy Commissioner of Canada. We had testimony from Mr. Ernewein, of the Department of Finance, who said, “Our understanding is that in relation to Canadian law, the Privacy Act and its various provisions are subject to other laws of Parliament.” We’re led to believe that this agreement could supersede the Privacy Act. Is that your opinion as well?
Ms. Chantal Bernier:The Privacy Act has been declared to be quasi-constitutional by the courts. He was perhaps referring to section 8 of the Privacy Act; that section does mention “subject” to other laws. However, in general, the Privacy Act has quasi-constitutional status.
Mr. Murray Rankin:Therefore, what that means, in lay terms, is that if the intergovernmental agreement or the provisions of Bill C-31 are in conflict with the Privacy Act, the Privacy Act would prevail.
Ms. Chantal Bernier: That would be my view, certainly.
Mr. Murray Rankin:Okay. I’d like to ask you about something else you said just now. I’m very pleased to see that you’ve also drawn this committee’s attention to the provisions of the Income Tax Act that allow CRA officials to tell the police about things that concern them, without any warrant. You’ve said that this information would be shared between the CRA and law enforcement authorities without “judicial oversight”. I take it that you think that would be an aberration. What word would you use to describe that situation?
Ms. Chantal Bernier:I would describe it as an exception, and that exception needs to be justified as necessary and proportionate, so I urge you to seek the demonstration that indeed it would be necessary to have this exception.
Mr. Murray Rankin:Necessary? Do you mean in terms of compliance with the Charter of Rights and Freedoms?
Ms. Chantal Bernier:Yes, absolutely. Obviously you have section 1 of the Charter of Rights and Freedoms, which speaks of necessity “prescribed by law” and “justified in a free and democratic society”. That is the test to meet, and I think evidence should be gathered from this committee as to why this provision is felt to be necessary.
Mr. Murray Rankin: So it’s of concern to the Privacy Commissioner?
Ms. Chantal Bernier: It is of concern to us, yes.
Hon. Scott Brison:…….Madam Bernier, in an earlier response to Mr. Rankin, you seemed to indicate there may be a concern regarding a potential charter challenge around the privacy issue. I want you to expand on that. Is there a potential charter challenge inherent in this?
Ms. Chantal Bernier: I would urge you, in your studying of this bill, to ask for a demonstration of the necessity of the provision whereby an official out of the Canada Revenue Agency could provide to law enforcement authorities without a warrant information about a taxpayer on the basis of reasons to believe that perhaps there was criminal activity. That is exceptional and therefore should be buttressed by an empirical demonstration of necessity, and I would encourage you to seek it.
In this testimony, Ms. Bernier makes it clear that she believes the Privacy Act has precedence over the IGA. This statement has been overshadowed by the fact the CONS went ahead and voted for it anyway. However is not a small issue. She is basically pointing out that privacy is a constitutional issue/right which should not be overriden by any law that is not in line with Canadian values as expressed in PIPEDA and the Privacy Act.
Some of you may remember this conversation from May 29 between MP Keddy and MP Cullen; I remain amazed at comments by Mr. Keddy. How difficult is it to understand in this situation, that fundamental rights, such as all Canadians have equal rights, there are privacy rights, etc. And never forget “I’ve never heard the term “US Person” before. You’re either an American citizen or you are not an American citizen.” Proof positive that the Parliamentary Secretary to the Minister of National Revenue, did not even bother to read the IGA, a mere 47 pages. Pathetic. Absolutely pathetic.
May 29, 2014 (at 16 25)
Mr. Gerald Keddy: …… The provision is unnecessary. The charter applies where it applies. The Privacy Commissioner has given no indication that part 5 is inconsistent with the Privacy Act. The motion is absolutely unduly vague, and it’s not clear what “fundamental values” mean, or what “fundamental values” are intended to mean. Similarly, the IGA and the implementing legislation do not result in any kind of general override of official languages or the Access to Information Act, so the charter applies where it applies, and the Privacy Commissioner has looked at this and given us the green light. So where is this information coming from?
Mr. Nathan Cullen:You might want to check back with our Privacy Commissioner about having given this agreement a green light. I think serious concerns were raised by that same Privacy Commissioner, so green light might be an exaggeration of the testimony we heard.
FOOD FOR THOUGHT
Comments made by Daniel Therrien to the Senate considering his appointment as Privacy Commissioner,June 3, 2014. Orders of the Day at 14:50.
Daniel Therrien, nominee for the position of Privacy Commissioner:
In order to improve privacy, one needs, I think, to play on the factors enhancing control by individuals: more transparency by government and companies collecting information; more justification for collecting information without consent; more information by the Office of the Commissioner on the privacy risks faced by individuals; and more security safeguards so that personal information is safe from those with malicious intent.
The goal of my actions, therefore, my overall priority, would be to improve these control factors for Canadians. This does not mean that I would disregard reasonable needs of government and companies, but I would ask them tough questions to determine whether what they claim is a reasonable need is in fact just an easier or cheaper way of proceeding, and whether alternatives that offer better privacy protection had been considered.
… I totally agree that it is a deficit not to have parliamentary oversight of national security agencies. My office can contribute to public debate about privacy in all matters of form.
I indicated that I would want to contribute to a discussion which enhances the controls that individuals have over their information. I would want to contribute to a discussion which enhances transparency and accountability, and in that context, I would see the discussion around parliamentary oversight as totally relevant.
One of the advancements or enhancements found in the privacy principles I referred to is a clause which says that information sharing should not be shared in a discriminatory way. I think that is an important message in this agreement, which seeks to provide safeguards around information sharing for border control and national security reasons. One of the principles explicitly says that sharing of information between states for these purposes is not to be done in a discriminatory way. Certainly as Privacy Commissioner I would ensure that this principle is totally respected in the programs that departments would develop to give effect to the border accord.