Notices of Meeting include information about the subject matter to be examined by the committee and date, time and place of the meeting, as well as a list of any witnesses scheduled to appear. The Evidence is the edited and revised transcript of what is said before a committee. The Minutes of Proceedings are the official record of the business conducted by the committee at a sitting.
Thank you, everyone, for coming in early in the morning, and special thanks to Ms. Kwan, because I know it's very early in British Columbia. Thanks to all of the members for accommodating this time.
Welcome to meeting number 16 of the House of Commons Standing Committee on Citizenship and Immigration.
To allow our services to prepare this room for the next meeting, we should adjourn this meeting no later than 10 a.m. Given the ongoing pandemic situation and in light of the recommendations from the health authorities as well as the director of the Board of Internal Economy on January 28, 2021, to remain healthy and safe, to all of those attending the meeting in-person, please maintain physical distance of at least two metres from others. Wear a non-medical mask when moving in the meeting room and preferably wear a mask at all times, including when seated. Maintain proper hand hygiene by using the provided hand sanitizers at the room entrance and wash your hands well with soap regularly. As the chair, I will be enforcing these measures for the duration of the meeting, and I thank all of the members in advance for their co-operation.
Pursuant to Standing Order 108(2), the committee is resuming its study of the immigration and refugee measures for the people of Hong Kong. Today's meeting is taking place in a hybrid format pursuant to the House order of January 25, 2021. The proceedings will be made available via the House of Commons website. So you are aware, the webcast will always show the person speaking rather than the entirety of the committee.
I would like to take this opportunity to remind all participants to this meeting that screenshots or taking photos of your screen is not permitted. For those participating virtually, I would like to outline a few rules to follow.
Members and witnesses may speak in the official language of their choice. Interpretation services are available for this meeting. You have the choice at the bottom of your screen, either French or English. With the latest Zoom version, you may speak in the language of your choice without the need to select the corresponding language channel. You will also notice that the platform “raise hand” feature is now in a more easily accessed location on the main toolbar, should you wish to speak or alert the chair.
For members participating in person, proceed as you usually would when the whole committee is meeting in person in a committee room. Before speaking, please wait until I recognize you by name. If you are on the video conference, please click on the microphone icon to unmute yourself. For those in the room, your microphone will be controlled as normal by the proceedings and verification officer.
This is a reminder that all comments by members and witnesses should be addressed through the chair. When you are not speaking, your microphone should be on mute. With regard to a speaking list, the committee clerk and I will do the best we can to maintain a consolidated order of speaking for all members whether they are participating virtually or in person.
With this, I would like to welcome our witnesses. Representing VFS Global, I would like to welcome Mr. Chris Dix, head of business development, and Mr. Jiten Vyas, regional, group chief operating officer, APAC, CIS, Europe and sub-Saharan Africa.
Mr. Dix, you have five minutes for your opening remarks. You can please start.
Madam Chair, committee members, on behalf of VFS Global I'd like to thank you for the invitation to speak today.
I'd like to thank the committee also for accommodating the time difference, allowing us to appear today from our headquarters in Dubai.
Madam Chair, VFS welcomes this scrutiny. It's essential that Canadians have full confidence in the integrity and the security of their government's programs and services.
At VFS Global the security of personal information entrusted to our care is our paramount concern. We work with a range of world-leading cybersecurity providers and also very closely with our cybersecurity consultant, Conrad Prince, to ensure a very strong cybersecurity posture.
Mr. Prince was formerly the deputy head of the U.K. government's signals intelligence and cybersecurity agency, GCHQ. He led GCHQ's intelligence and cyber operations for seven years. After that, he was appointed the United Kingdom's cybersecurity ambassador. We work very closely with Mr. Prince and we take data security very seriously at VFS Global.
People around the world rely on us for visa and passport application services. Since we started in 2001, we have successfully received and transferred over 220 million applications, and 64 governments trust us around the world. We operate for them in 143 countries through nearly 3,500 application centres. They trust us with the secure handling of personal information. The members of the Five Eyes intelligence alliance, and virtually all European Union and NATO governments are our clients.
Our global operations are certified ISO 27001, 2013, the global gold standard for information and data security.
Our Canadian government client is IRCC. Our client applies stringent personal information protection standards and these are embedded in our contracts and we follow them strictly. We conduct deep identity, credit, criminal, residency, education and employment checks on all our employees before we hire them. All operations-related email and telephone communications of our staff are monitored. We don't store any personal data related to visa applications. Data is purged from our systems 30 days following a case being closed, in accordance with IRCC regulations. IRCC also conducts unannounced audits to review the integrity of our systems.
Madam Chair, I'd now like to address some of the specific issues that have been raised in recent weeks about our operations in China.
First, I'd like to make clear that our Canadian visa centres in China operate according to the same tough security standards we employ around the world.
All data servers transferring China visa applications to IRCC are located in Canada. We operate no servers for IRCC in China. All access to personal information is restricted to officials who have been authorized by the Canadian government.
Second, recent media reports have suggested that we have Chinese ownership. This is false. VFS Global is owned and controlled by EQT, a global investment organization and publicly listed company based in Sweden.
Third, It's been alleged that sensitive data we handle is vulnerable to abuse. This too is false. Yes, we work with Chinese-owned facility management companies, but virtually all foreign companies operating in China work with locally owned, often state-owned, facility management companies. For foreign companies, they are a fixture of the business landscape in China. Facility management companies provide us with office space and administrative staff—nothing more.
These companies do not operate our visa centres and they do not collect visa information. They do not set up or have access to our IT systems. They have no access to any data.
For all our centres in China, VFS Global uses the same security controls we rigorously apply globally.
VFS Global has been operating in China since 2004-05. BSFSC is a facility management company that has been a subcontractor to VFS Global.
In China the regulatory environment requires foreign companies such as VFS Global and some of our competitors to have local facility management companies in order to operate. The reason for this is that these companies have the entry and exit licences—
Sir, to respond to your question, as far as VFS Global is concerned, the operations and the model of operating in China were absolutely made known to IRCC and to all our client governments. Every subcontractor—that is, the facility management company that we operate with—is communicated to the respective client government, and proper due diligence processes are followed, including notification to the host government.
VFS Global's operations in China—across a number of cities and the 33 client governments that we work for—are operated through facility management companies. Every single facility management company that we deploy undergoes thorough due diligence, and the respective client government approves the use of the facility management company right up front. This is a named subcontractor, and due diligence processes are followed by VFS and the respective client government.
As far as VFS is concerned, in delivering a solution to a client government, VFS will put forth its operating model, i.e., a facility management company, to the respective client government, and it is the government that will approve the use of a particular FMC, or facility management company. That has been the case with New Zealand and a number of other client governments, sir.
As far as VFS operations are concerned, sir, for every client government VFS submits a list of facility management companies in the respective cities or provinces. Following the due diligence, these are approved by the respective client governments.
We first started working for the Canadian government in China in 2008 with this FMC and we informed the Canadian government that it was our intention to use this FMC. On a more general note, I would just like to say we do not force any client government to use—
Thank you, Madam Chair, and thank you to the witnesses for your comprehensive global testimony here, it's very useful for the committee to clarify a lot of the misinformation that has been given to the committee, especially by the opposition members. The Library of Parliament says that you are the largest visa application company in the world. You mentioned about 147 centres. Can you just briefly outline how many you run on behalf of the Canadian government, and how many do you run in China, quickly please?
If I can respond to that, sir, on behalf of Chris, in China VFS operates for 33 client governments. Our presence in China has been since 2004-05. Across the network in China we operate close to 380 visa application centres.
How long have you been operating in Canada for the Canadian government? Also, the opposition has tired to paint VFS as neglectful, for a breach of security. I did some research with The Globe and Mail, the National Post and the Toronto Star, and I couldn't find one security breach that identified any individuals in Hong Kong. I just wanted to see if you could clarify the issue about the security breach. That's the core of your business.
Thank you, Mr. Serré, I'll answer that question. We've worked for Canada for a number of years. We very much value the relationship with IRCC. We have not had any data security breach for Canada, or any other client government in China or Hong Kong.
Earlier the question by the opposition was about the Chengdong Investment Corporation. My understanding is if it was you or other companies operating in China, the law in China requires that there be a facility management company. Your parent company is worth about $6 billion. Can you just clarify in regard to the Chengdong Investment Corporation that it's about 25,000 Euros, which is about $30,000 Canadian? How is that small amount of money influencing your decisions, which it is according to the opposition?
Yes, I think your numbers are more or less correct in terms of the size of the EQT VII fund, which is the fund that contains the VFS Global.
For legal reasons, the identity of investors in the fund cannot be identified; however, if the investment you're referring to were to be of 25,000 euros, that would equate to approximately 0.0004% of the overall fund.
As you can imagine, it's frankly ludicrous to say that the investor would have control of the fund. In fact, no investors of that kind have any control of the fund.
There have been no security breaches of any individuals, and you mentioned that you don't store any Canadian data. Would you maybe take the remaining two minutes I have left to talk a bit about the process?
You've been a contractor with the Canadian government since 2012. What is the process in terms of your security and the storing of information and how secure it is? There haven't been any breaches, so I want you to elaborate on that a bit just to assure the Canadian population—and the Hong Kong people too—about the security.
We've actually worked with the Canadian government since 2008, and from 2012 under a global contract, which was then retendered and won by us in 2018 in a competitive tender process.
As I've mentioned, we take data security and the protection of personal information as our most important job. We ensure that all data that concerns Canadian visa applicants is stored in Canada on servers operated there. It's a contractual requirement that we do that.
We send all data, fully encrypted, to Canada, and it is then only accessible by authorized personnel of the Canadian government. We ourselves—
Madam Chair, the operating environment in China is as unique as a number of other countries, the 64 client governments that we work for across 140-plus countries.
In China, since 2004-05 one of the prerequisites of the regulatory requisite is for companies to have an entry/exit licence. Foreign companies like VFS Global and some of our competitors are required to work with local facility management companies. It's these companies that have the requisite entry/exit licences, and that is where the requirement is to work with these companies, following a thorough due diligence process and the requisite approvals from our client governments.
We do have other facility management companies operating throughout China. In Beijing as well, the answer is yes. In the operating environment that we follow, with the approval of our client governments, we have a number of FMCs that we operate with, the reason being to ensure de-risking our operations from a control perspective, and to ensure that we don't put all our eggs in one basket. That is, again, very important. Finally, just to reiterate, it's the approval of the client governments that we always take into account before appointing an FMC.
For the IRCC operations in Beijing, when we set the operations in 2008, we analyzed two potential facility management companies. At that point in time the priority was, of course, the due diligence processes, approvals of client governments, i.e., IRCC, and then the requirements of client governments. How soon is one required to set the visa application centre operations, what are the volumes coming through and how soon will they be able to accommodate the entry/exit licence approvals? These are some of the factors that are taken into account before identifying and approving an FMC, subject to client government approvals, of course.
According to The Globe and Mail article, Britain's corporate registry...Chengdong Investment Corporation is one of the most significant contributing partners to the parent company of TT Services, which runs the visa application centres for the Canadian government in 24 countries. In China alone there are 11 locations.
TT Services is owned by VFS Global. Is that correct?
In a different Globe and Mail article, we have learned that the subcontractor Beijing Shuangxiong Foreign Service Company is delivering VAC services in China for the Canadian government, and that company is owned by the Beijing Municipal Public Security Bureau. Is that correct?
Beijing Shuangxiong is owned by Beijing Tongda Asset Management, which in turn is owned by the parent Beijing Sifu Enterprise Management, which is an investment of the organization. It has a number of private investments ranging from hospitality to transportation to retail.
The BSFSC ownership that I just described is through Beijing Tongda Asset Management, and above that stands Beijing Sifu Enterprise Management. It is a common practice in China for private and state-owned companies to have investments in a number of organizations within the entities or the industries that I just described.
I guess they are investments that they have within it. According to the company's own website, it was established in 1993 and is a state-owned enterprise with more than 180 employees. Is that what you found in your own due diligence?
I would not know that offhand. As far as VFS Global employees are concerned, every employee at VFS Global undergoes thorough checks regarding employment, education, criminal and identity, and every employee of VFS is then duly approved by the respective client government. It is only then that—
Then you will be aware that the Chinese regulations are such that they require that any state-owned company must include recognition of the Communist Party in its articles of association, and a party organ must be created in any state firm that employs more than three Communist Party members. Are you aware of that?
According to those regulations, it further states that all major business and management decisions must be discussed by the Communist Party organ before being presented to the board of directors or management for decision. It further states that the party secretary and chairman of the board of a state firm should be “the same person” and that the general manager position within the state company must be filled by a deputy party committee secretary. It doesn't stop there. For those enterprises under the direct control of the central government, the board of directors must include a special deputy party secretary who takes no management role and is exclusively responsible for party building. The first role of the directors or executive who are party members is to—
Just to reiterate once again in response to what the member who was on earlier said in reference to the Chinese law and the membership of CCP, at VFS we want to clarify that no facility management owners have any role whatsoever in the visa application process that my colleague, Chris Dix, and I, have just described.
Also, I want to highlight that VFS Global has its own operational management structure within China. We have a chief operating officer with a very robust organization structure in China, comprising 172 employees of VFS who oversee our operations, in conformance with our client government contracts.
Mr. Chiu, I'll take that information and that question.
As my colleague, Jiten, has mentioned—and I have mentioned also already—no facility management company has access to our data.
All our visa application data is fully encrypted at the entry point and transferred securely and directly to servers located in jurisdictions defined by the client government.
For instance, in the case of a European country, that would be in the Schengen area. In the case of Canada, it's in Canada and then only government officials authorized to have access to that information have access to it. I repeat, it's fully encrypted. All of our operations are certified ISO 27001 for information security management, and that certification—
There is just one point to highlight, Madam Chair.
All the IT hardware and the equipment is absolutely hardened within the visa application centres. What we mean is, there is no access to emails, there is no USB drive, no pen drive that can copy any data whatsoever. Access is driven through role-based, which is only to VFS Global personnel.
As Chris Dix, my colleague, described, the servers are hosted in Canada and encrypted.
I'm sure the African Union would actually appreciate data security as well, and somehow nightly there have been downloads of data to China from Africa, so please understand that we are not conspiracy theorists here. Also, there have been media reports, specifically Global News in Canada has reported that there has been a leak of data pertaining to Italy. There was a leak.
My first question is: has that actually happened? My second question is: has it been updated to the Canadian authority, such as IRCC?
On the very rare occasions when breaches or incidents occur, we are always entirely transparent with our client governments and we take swift action to rectify the situation. We did inform the Italian government and we also informed the U.K. Information Commissioner's office about the incident.
I know you've stated that this arrangement in China has been in place since 2008.
I'd like to understand the nature of your subcontracts. How many local companies in China are involved with VFS and are they subject to the same clauses and vetting processes as you are, as the prime contractor?
In China we've been operating since 2004-2005 and we have 11 facility management companies across China. Every facility management company is required to hold the requisite entry/exit licence. All facility management companies undergo VFS Global's due diligence process and thereafter the approval of the respective client government. Of course, client governments conduct their own degree of due diligence.
As far as VFS Global is concerned, every single facility management company has flow-down provisions from our main contracts with the respective governments. This means that every facility management company across any visa centre conforms and is required to conform to the same exacting standards that VFS Global is responsible for. The delivery of customer service and the end-to-end system remains the primary objective of VFS Global.
You've mentioned that in order to operate in China it's a business environment requirement of the Chinese government that you work with local Chinese-owned management facility companies, and this is an unavoidable element of working in China. As I understand it, these companies provide administrative staff.
Are these staff subject to the same security checks mentioned by Mr. Dix?
Also, can you tell us about the security of applications of people from Hong Kong and why we should be confident, if we should, about those applications being secure?
To respond to the first part of the question, every single employee who works at the visa application centre undergoes a two-pronged due diligence check. One is from a VFS perspective and covers, as we mentioned earlier, employment, criminal, identity and education. Client governments then conduct their own due diligence on every single employee who operates within the visa application centres. Once we have the requisite approval, only then is that employee on board operating within the visa application centre.
On the next part of the question regarding Hong Kong, in Hong Kong VFS operates through a facility management company that is owned by a Canadian national. We've been operating there since 2011, and for IRCC since 2013, and also work with 10 other client governments in Hong Kong.
Were there any concerns raised in your operation in China with regard to your working relationship with the local facility managers in terms of security breaches or privacy breaches? Have there been any concerns at all raised in the past 10 years?
I recall this is a response pending from your earlier session. We have two other facility management companies that we operate in Beijing, Beijing Eastern Tian Show Business and Beijing Balino Investment and Consulting Company in addition to VSFSC.
Madam Chair, as highlighted earlier during this session, a number of operating requirements stipulate the use of a particular facility management company. Most important to note is that every facility management company is duly approved by the respective client government.
Requirements in terms of timelines or timetables to operate or open a new visa application centre, volumes that we expect the centres to process, readiness for peak seasons, the office space availability, etc. are some of the top reasons we identify and conduct due diligence and seek approval from client governments before appointing a facility management company.
Madam Chair, as I highlighted earlier to the member, we operate with three different facility management companies in Beijing alone across a number of client governments. The reasons articulated earlier, operational requirements, timelines to set up a visa application centre, volumes process, and most importantly, every single FMC is duly approved by the client government.
If I may just get a clarification, when the information of the CCP members from each of the companies, subsidiaries or subcontractors is being tabled, could you make sure that this is identified with the respective companies, please?
To follow up on that, if the FMC hires the people who work for this company, do those people not then have access to the data information?
Madam Chair, to the member's second point, facility management companies' employees undergo the same level of due diligence as all across China, including the approval of the client government that we operate for.
I'm sorry, I'm going to interrupt here because I have limited time. The fact of the matter is, though, that the FMC hired the people and they work for the company. For them to process the application, they have access to the data in processing the information. How could it be that they don't have access to the data? They process the information. They put it into the system.
I go back, then, to the requirements of the Chinese regulations. For state-owned companies, if you have three or more CCP members working for a company, they are required, by Chinese regulations, to actually have a different management structure that reports back to the Chinese Communist Party. Isn't that correct?
I hope the witnesses can appreciate that, as the Liberal minister has said himself, China's a lot different now than it was before, and there are a lot more threats. That's why there's so much scrutiny right now, even given some of the answers that the witnesses have given. They gave three different answers to one question. They must understand how crucial it is that they answer properly here.
Do the U.S. embassy in Beijing and the U.S. consulate in China use VFS or visa-related administrative services?
In response to your question, VFS does operate for the U.S. government in China where VFS is a subcontractor. However, there is no visa application centre. It's a very separate process for Chinese nationals applying to the U.S.
This actually just underlines a different working method that the U.S. government has in many other countries. It doesn't follow the same approach as most of our client governments. Very often they will accept applications directly at the diplomatic mission rather than using visa application centres.
Department officials were asked this question about knowing about subcontractors in 2013, about VFS in China and if they had any subcontractors. At that time, they said no. According to your testimony today, where you've given three different dates between the both of you, what's the right answer? Did they know in 2013 when they gave testimony here in this committee, or is it one of the answers that one of you gave today?
Thank you, Madam Chair, and thank you to the presenters.
Mr. Vyas and Mr. Dix, you mentioned that VFS Global and BSFSC came into a relationship in 2008 when there was a Conservative government and the Prime Minister was Mr. Harper at that time, and now it's a Liberal government.
Can you tell me when it came into effect when Mr. Harper was in power, or today, who makes those decisions on the information that you collect?
Mr. Dhaliwal, forgive me, I am not the greatest expert as far as dates relating to Canadian prime ministers are concerned, but also I think I should say on this point that it's not really for me to answer for the Canadian government on how they make their own internal approval decisions.
I'm sorry, I misunderstood your question, Mr. Dhaliwal. It is IRCC that makes these decisions. VFS Global purely performs administrative tasks. The decision-making tasks of the visa application are always the responsibility of the client government, in this case IRCC, and those decisions are made by authorized personnel who have access to the visa application material that is stored on those servers in Canada.
Since its inception in 2008, have you had any security or privacy issues reported to IRCC in those years of your contract? Have there been any individuals negatively impacted by the potential information leak?
Mr. Dhaliwal, I can say for sure that we have had no cybersecurity-related issues in China for IRCC since 2008. In fact, we've had no cybersecurity-related issues in China for any client government since we started work there in 2004.
I would request both the witnesses to provide the information that has been requested by the committee member. Is there any timeline you can provide us now, or can you provide that information afterwards?