Who Protects Your Tax Data? What We Learned from H&R Block’s Day at Committee
H&R Block, Tax Filing, and Data Security: Testimony from Peter Davis
On December 12, 2024, the House of Commons Standing Committee on Access to Information, Privacy, and Ethics (ETHI) heard testimony from Peter Davis, representing H&R Block Canada. The discussion focused on tax-filing security, data breaches, and whether private tax-preparation companies should be more integrated with the Canada Revenue Agency (CRA).
Below is a summary of Davis’s arguments, along with my thoughts. Davis’s testimony was supposed to reassure MPs that H&R Block takes privacy seriously. Instead, it raised questions about corporate accountability, government oversight, and whether Canadians’ financial data is being entrusted to firms with their own vested interests. All page references come from the official transcript.
Shifting Blame
Davis’s central message was clear: if the Canada Revenue Agency were the sole tax-filing entity, Canadians’ data would be less secure. He pointed to past breaches at the CRA as proof (p.2). But that argument glossed over something crucial — one of the most significant incidents stemmed from compromised third-party credentials, including those tied to H&R Block logins, according to CRA findings and CBC reporting.
Yes, the CRA has its flaws. Underfunding has left it vulnerable to fake returns and fraud schemes. But suggesting that more data sharing with private companies like H&R Block will somehow make the system safer stretches credibility. Especially when some of that data flows through servers in the United States, beyond the reach of Canadian privacy law (p.5).
Organizations using e-file, including non-profits and low-income tax clinics, already face vulnerabilities in their systems. Comparing these risks to government breaches is flawed: while a federal breach could compromise data at scale, hundreds of individual client accounts are already at risk across private and volunteer tax-filing networks.
Investigating Themselves
When pressed about breaches, Davis leaned on an internal investigation. H&R Block looked into it, he said, and found no wrongdoing on their end. Therefore, they had no obligation to report to the Privacy Commissioner (p.3).
Internal investigations differ from independent or third-party audits. When breaches involve compromised credentials, internal reviews may not reveal issues that external oversight would uncover. Relying on an internal review also sidesteps the fact that compromised credentials were already surfacing on the dark web. Davis’s claim technically aligns with statutory obligations but does not eliminate the underlying security concerns (p.3–5).
Dodging the Tough Questions
Davis repeatedly deflected when MPs asked about past leaks or the frequency of breaches. At one point, Bloc Québécois MP René Villemure asked directly whether there had been prior leaks. Davis’s answer? He wasn’t a privacy expert (p.6).
NDP MP Matthew Green went further, challenging Davis’s narrative that government systems are uniquely insecure. Green cited statistics showing 90% of breaches happen in the private sector — a fact that directly undercut Davis’s central claim. Still, Davis did not reconcile the contradiction (p.9–10).
Lenient Conservative Questioning
Contrast that with Conservative MP Adam Chambers, whose questions were noticeably more supportive than critical. Chambers asked if H&R Block follows the Privacy Act (Davis: yes) and whether the company invests heavily in security (Davis: yes). He then suggested that the lack of reports to the Privacy Commissioner implied the real problem lay elsewhere — perhaps with the CRA itself.
The exchange ended with congratulations for H&R Block’s 60th anniversary (p.7). It was a stark departure from the grilling Davis faced from other parties. Davis’s answers were often evasive or noncommittal. Conservative questioning was noticeably lenient, giving Davis room to reinforce the company’s narrative.
Data Retention and International Transfers
Davis’s claim: H&R Block retains data for six years, as legally required, and does not share data with Meta or Google (p.5–6).
Retention itself prolongs vulnerability, and even limited transfers to U.S.-based parent servers create potential risks. The company’s consent forms disclose this (p.5, p.8), but many clients may not fully understand the implications. For clients relying on urgent tax refunds, alternatives are often limited. Allegations in the U.S. suggest H&R Block has, in some cases, manipulated data access to pressure consumers toward more expensive services (FTC report), highlighting a need for scrutiny even in Canada.
A Lobbying Landscape
H&R Block isn’t alone in pushing its case. Other private tax-filing companies, including Intuit/TurboTax Canada and Wealthsimple (SimpleTax), are actively registered as lobbyists in Ottawa. They meet with officials, submit briefs, and work behind the scenes to shape Canada’s tax-filing future.
Their business model depends on it. The more the government entertains private involvement in tax filing, the more entrenched these firms become. That’s why testimony like Davis’s matters: it’s not just about one company’s reputation, but about how much control over Canadians’ financial data we’re willing to hand over to profit-driven firms.
The Takeaway
Davis came to Parliament to defend H&R Block’s record. What Canadians saw instead was a witness who was evasive, selective in his answers, and quick to shift blame onto public institutions.
A few months after the hearing, a Fifth Estate investigation revealed an internal H&R Block memo showing the company was aware of the fraud. The memo instructed staff not to speak with reporters, warning that the company could not risk losing revenue. Yet when confronted again, H&R Block continued to insist it had no knowledge of the fraud.
The irony is clear: while Davis argued that government systems can’t be trusted, he couldn’t convincingly show that private ones are any better. And when the tough questions came, his answers exposed the very reason why so many Canadians remain skeptical of handing their most sensitive financial information to corporations whose first duty is to their shareholders, not the public interest.