Eroding Financial Privacy: PIPEDA & FATCA
As noted in the previous post, we now have a new American law – the Foreign Accounts Tax Compliance Act (“FATCA”) – that essentially requires organizations in Canada to identify clients who are American, and then either obtain their consent to the disclosure of sensitive personal information to the IRS or withhold the provision of a service for a failure to provide that consent. How does that mesh with the obligations of those organizations under Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”)?
The “good” news – for institutions having to comply with this law – is that privacy may not pose a substantive problem. The “bad” news – for those interested in advancing privacy interests – is that PIPEDA doesn’t look like it’s going to be of much help.
The financial and non-financial institutions in question are likely to be subject to PIPEDA (as opposed to a provincial statute), either because they are federal works, undertakings or businesses or because this is an instance of a cross-border data flow of client personal information collected in the course of commercial activities.
The first thing that people have to consider is that this is not just a tax issue. FATCA involves developing new information flows and reporting systems for those affected – namely banks, funds, insurance companies and brokers.
Information about financial accounts held by individual US citizens or residents in Canada would certainly be considered “sensitive” personal information. FATCA centers on a “United States person”, a defined term, which would not only require a confirmation as to whether a person is a citizen or resident of the US but also whether a person is a “foreign person” under American law.
Therefore, the key data elements to determine would appear to be citizenship and country of residence – not information normally collected. Arguably citizenship or residency might be deduced from addresses or social insurance/security numbers but this wouldn’t necessarily be useable in all instances since dual citizens might just provide Canadian information in connection with Canadian accounts.
Would the collection of citizenship/residency information to satisfy a foreign law meet the “reasonable purpose” test found in s. 5(3)? Would a reasonable person consider the collection and disclosure for FATCA purposes “appropriate in the circumstances”?
PIPEDA prohibits the disclosure of personal information unless consent is obtained or there is a permitted exception found in subsection 7(3). The current s. 7(3)(c.1) appears to provide an organization with cover to disclose personal information without consent. “C.1” permits disclosure to government institutions to comply with foreign laws. “Government institution” is not a defined term and “c.1” could be interpreted as also referring to foreign government institutions. “7(3)(d)” also permits disclosure, but it would seem to be intended more for situations where there is a breach of an agreement or a contravention of a law. No one is suggesting that Americans with accounts in Canada are necessarily breaching agreements or breaking laws.
If the Privacy Commissioner’s SWIFT decision is considered analogous then it’s likely the requirements of 5(3) and 7(3)(c.1) would be met. For those who don’t remember the 2007 finding, Canadian information, collected by Canadian banks, was captured through an American subpoena presented to an international organization (SWIFT) that provided traffic and messaging services to a large number of banks, including Canadian banks. The federal Privacy Commissioner found no violation of PIPEDA by SWIFT.
So what do we tell those Americans who are permanent residents of Canada and consider themselves Canadian but who haven’t taken that final step of renouncing their American citizenship? What happens if the American taxpayer expressly doesn’t consent (FATCA would appear to require a “consent”)? At first blush, it seems PIPEDA doesn’t provide much help.
Non-Americans shouldn’t be too smug here — one can’t help but wonder when (not if) this idea will catch on with tax authorities elsewhere.
Benjamin Franklin is quoted as saying “In this world nothing can be said to be certain, except death and taxes.” Should we add the further erosion of privacy?