The Canada Revenue Agency’s audit and compliance practices continue to evolve rapidly for businesses and individual taxpayers.
As digital commerce expands, an increasing share of transactions occurs across diverse online platforms, which reshapes how business activity is conducted and monitored. This prompted the CRA to look beyond taxpayer-provided books and records.
Minister of National Revenue v. Shopify Inc., which is currently before the Federal Court of Appeal (FCA), highlights how courts are shaping the boundaries of CRA’s information-gathering powers and signals what taxpayers can expect in an era of expanding data access.
The CRA’s expanded information-gathering powers
Traditionally, CRA audits focus primarily on information directly within a taxpayer’s control, including documentation such as financial statements, invoices and tax returns.
But the CRA increasingly relies on third-party data sources, broader datasets and analytics-driven risk assessment tools to identify potential non-compliance.
Under section 231.2 of the Income Tax Act, the CRA may require taxpayers or third parties to provide documents or information relevant to the administration or enforcement of tax legislation.
However, if the request relates to a group of unnamed persons, the CRA must first obtain authorization from the Federal Court to ensure the group is clearly identifiable and that the request is made to verify compliance with the Income Tax Act. One example of this is the unnamed persons requirement (UPR); similar provisions exist under the Excise Tax Act for GST/HST purposes.
What happened in the Shopify case?
Canadian courts have consistently held that while the CRA’s authority is broad, it’s not unlimited.
In 2023, the CRA sought judicial authorization to issue a UPR to Shopify Inc. to compel the company to produce six years of data related to certain Canadian merchants using its platform. The CRA’s objective was to identify sellers potentially failing to report income or comply with GST/HST obligations.
The Federal Court declined to authorize the proposed UPR after it found that the group targeted by the CRA’s request was not ascertainable as required by the Income Tax Act. As a result, the application was dismissed and the national revenue minister appealed to the FCA.
While the FCA has not ruled on the underlying authorization at the time of publication, it granted a modified preservation order and acknowledged the public interest in maintaining potentially relevant information for compliance purposes.
This emphasizes the importance of maintaining evidence relevant to tax investigations during ongoing litigation and demonstrates the CRA’s ongoing focus on digital platform data as a compliance tool.
Practical implications for taxpayers
While the Shopify case focuses on judicial authorization, the broader message for Canadian businesses is clear: the CRA is increasingly leveraging third-party data and digital tools to assess compliance risk.
Taxpayers should consider the following measures, in consultation with the appropriate advisors, to strengthen audit readiness and maintain compliance:
Expect continued focus on digital income reporting
The CRA is paying closer attention to income generated through online platforms amid the growing role of e-commerce in Canada’s economy. Cases involving companies such as Shopify highlight that digital sales activity is an area of interest for tax authorities.
As a result, audit teams are leveraging third-party data to assess compliance. This can include information from banks and credit card providers, e-commerce platforms, and payment processors.
When discrepancies arise between reported income and these external records, it may trigger a review or reassessment.
For taxpayers engaged in digital commerce, this means that the CRA may request detailed platform sales reports, cross-check your income against third-party data, and investigate any inconsistencies. Even unintentional reporting gaps can attract additional scrutiny.
