I addressed the PROC committee on November 21st 2024, on the requirements in Bill C-65 concerning the personal information collected by Canada’s federal political parties (FPPs). I am grateful for the opportunity to submit a longer written brief on these provisions.
THE REGULATORY GAP AND THE CAMPAIGN FOR REFORM
In most democratic countries, the opportunities for political parties to capture and use personal information to identify and target voters are constrained by comprehensive privacy protection laws.[1] This is not the case in Canada. Generally, individuals have no legal rights to learn what information about them is contained in party databases, to access and correct that information, to remove themselves from the systems, or to restrict the collection, use and disclosure of their personal information. Parties can typically capture personal information from multiple sources, analyze it freely, and mobilize it to target messages on the doorstep, through email and text, and over social media platforms.[2]
The campaign to bring the FPPs under the umbrella of comprehensive federal privacy law and the oversight of the Office of the Privacy Commissioner of Canada (OPC) has been met with stiff and generally unified resistance. FPPs are still the one category of organization in Canada over which individuals have few, if any, legal privacy rights.
This issue has been on the agenda for over 12 years.[3] Back in 2013, the Chief Electoral Officer (CEO) recommended that all ten privacy principles in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) be implemented by the FPPs.[4] He repeated that call in his 2022 annual report.[5] In 2018, in response to the Cambridge Analytica scandal, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) recommended “that the Government of Canada take measures to ensure that privacy legislation applies to political activities in Canada, either by amending existing legislation or enacting new legislation.”[6] The same was recommended by the Senate Legal and Constitutional Affairs Committee in 2023.[7]
The federal, provincial and territorial information and privacy commissioners have called on their respective governments to pass legislation “requiring political parties to comply with globally recognized privacy principles; empowering an independent body to verify and enforce privacy compliance by political parties through, among other means, investigation of individual complaints; and, ensuring that Canadians have a right to access their personal information in the custody or control of political parties.”[8] In April 2019, the OPC and the CEO issued joint guidance on the protection of personal information by the FPPs in response to the requirement in the Canada Elections Act (CEA) that each develop privacy policies as a condition of registration.[9]
Civil society organizations also exerted pressure. Most notably, Vancouver based, Open Media, conducted a systematic comparison of the FPPs’ privacy policies against the national information privacy principles, and exposed the obvious inadequacies.[10] Media attention has increased. Whistleblowers have come forward.[11] And public opinion surveys have registered both a general surprise that FPPs are not covered by our privacy laws, and strong support for bringing them within the regulatory framework.[12] There is, therefore, widespread political and public support for bringing the FPPs into the ambit of Canada’s privacy laws. But the campaign has confronted the overwhelming reality that any attempt to restrict their control of personal information would also curtail their use of a key resource that brought them to power.
Not until the Center for Digital Rights (CDR) initiated a series of formal complaints to regulators about the FPPs’ practices, did the parties pay serious attention to the problem.[13] One of those complaints went to British Columbia’s Information and Privacy Commissioner. Most provincial and federal privacy protection laws do not apply to political parties. There are two exceptions, in BC and Quebec. BC’s Personal Information Protection Act (PIPA) has always applied to provincial political parties, and the BC Office of the Information and Privacy Commissioner (OIPC) has conducted several investigations.[14] But did the law also apply to the FPPs when they collect, use or disclose personal information in BC? In 2019, and supported by the CDR, three BC citizens sought access to the personal information collected, used or disclosed in BC by the federal Liberal, Conservative, New Democrat and Green parties.
Before the OIPC was able to begin its investigation, however, the Liberals, Conservatives and NDP challenged its jurisdiction. The Commissioner’s delegate, former BC Commissioner David Loukidelis K.C. then held an inquiry on the specific question of whether FPPs were organizations covered by PIPA, and whether or not federal law “ousted” BC’s jurisdiction. In March 2022, he found the FPPs were organizations under PIPA, and that the law is constitutionally applicable to the collection, use and disclosure of personal information in BC by FPPs registered under the CEA.[15] The FPPs then jointly sought judicial review to quash the Loukidelis order.
After several delays, the case was heard in the BC Supreme Court in April 2024. On May 14, 2024, BC Supreme Court Justice G.C. Weatherill issued his decision.[16] He affirmed all the findings in the Loukidelis order, and held that Canada’s FPPs and their personal information practices are subject to the privacy law requirements in PIPA, when they operate in BC. PIPA applies to the FPPs, because it applies to allorganizations, including unincorporated associations. The judge situated this analysis within a broader endorsement of the significance of privacy for democratic values: “The ability of an individual to control their personal information is intimately connected to their individual autonomy, dignity and privacy. These fundamental values lie at the heart of democracy.” All three FPPs have appealed the ruling to the BC Court of Appeal.
PRIVACY PROVISIONS IN THE CANADA ELECTIONS ACT
Rather than amend federal privacy legislation to cover the FPPs, as has been recommended by many individuals and groups, the federal government has concluded that the CEA is the appropriate statutory vehicle to regulate the personal information practices of the FPPs.
Under the CEA, the voter lists provided to registered FPPs are subject to reasonably strict rules concerning security, retention, unauthorized access and so on. The CEA specifies that the FPPs, and their candidates and MPs are expressly authorized to use the lists for communicating with electors, including using them for soliciting contributions and recruiting members.[17] The CEA also provides that no person may knowingly use personal information that is recorded in a list of electors for any other purpose; there are penalties for failing to comply in Part 19 of the CEA.[18] These rules do not, however, apply to the vast range of other personal data the FPPs might collect, on the doorstep, over the phone, from petitions, from third parties providers, or from social media.
In 2018, the Elections Modernization Act (Bill C-76), introduced some modest provisions requiring registered FPPs to have a publicly available, easily understandable policy describing the collection, protection, and sale of personal information, procedures for staff training, and the identity of a designated person to whom privacy concerns can be addressed. Furthermore, the submission of a privacy policy was made a condition for registration with Elections Canada.[19] These provisions were met with strong criticism for their incompleteness, vagueness, and lack of any real enforcement mechanism.[20]
In April 2023, the government introduced Bill C-47 (the Budget Implementation Act) which included amendments to the CEA, the express purpose of which was to provide for a “national uniform, exclusive and complete regime applicable to federal political parties and eligible parties respecting the collection, use, disclosure, retention, and disposal of personal information” (Sec. 385.2). This provision was an attempt to preempt the litigation in BC, by signaling that there is indeed a regime for privacy protection at the federal level that ousts the provincial jurisdiction. These amendments passed in June 2023.
In March 2024, the government introduced Bill C-65 which, if enacted, would repeal Sec. 385.2 and replace it with some further provisions concerning the required content of the FPPs privacy policies, addressed in Secs. 444.1 – 444.5.
BILL C-65 DOES NOT CONSTITUTE A “NATIONAL, UNIFORM, EXCLUSIVE AND COMPLETE” PRIVACY REGIME
Sec 444.1 of Bill C-65, is intended to provide for a “national, uniform, exclusive and complete” privacy regime for FPPs. Sec 444.2 stipulates that the provisions of the FPPs’ privacy policies apply broadly to “any registered party or eligible party, as well as any person or entity acting on the party’s behalf, including the party’s candidates, electoral district associations, officers, agents, employees, volunteers and representatives.” There are several reasons why the privacy provisions in Bill C-65 do not constitute a “national, uniform, exclusive and complete” regime for the protection of personal information processed by the FPPs.
First, the CEA is not the appropriate statutory vehicle for imposing privacy obligations on the FPPs. Privacy protection law is that vehicle. But contemporary privacy protection law is complex, and requires far more than the obligations for transparency included in Bill C-65. The provisions are not “complete”. On the contrary they are incomplete. The required amendments which would produce a complete regime cannot be shoehorned into a statute designed to regulate the conduct and financing of federal elections.
Second, privacy law should include all ten principles in PIPEDA, supplemented with proper and enforceable provisions for independent oversight and accountability. The current provisions proposed in Bill C-65 amount to little more than tell us what you do, and give “illustrative examples.” Essentially, the amendments in Sec. 444 permit the FPPs to collect whatever personal data they wish from whatever sources and to process it in any way they please, provided they are transparent about it, don’t harm anyone, and don’t sell it.[21] There is no external statutory standard for the legal processing of personal data, as is the cornerstone of international data protection law. They amount to little more than “self-regulation” – entirely at odds with the contemporary international consensus on how to protect personal information in the modern digital age.
As the Privacy Commissioner stated in his submission of November 18, 2024[22]: “unlike the key provisions and principles that underpin the federal Privacy Act or the Personal Information Protection and Electronic Documents Act (PIPEDA), the rules proposed for federal political parties would not include statutory requirements for parties to: obtain individual consent; limit the collection of personal information; provide means for individuals to seek access to their information; limit the use and disclosure of personal information to those purposes for which it was collected; allow individuals to exercise a right of correction.”
I therefore support the Privacy Commissioner’s Recommendation 1: “the Committee should amend Bill C-65 to set requirements for political parties to seek consent (subject to express authority in the legislation), limit collection, use and disclosure and provide a mechanism for access and correction in connection with their handling of personal information.”
Third, and contrary to the claim in Sec 444(1) that these amendments will provide for a “national, uniform, exclusive and complete” privacy regime for FPPs they actually do nothing of the sort, when one considers the entire network of individuals, organizations and companies involved in contemporary political campaigns. A recent report from Open Media, based on analysis of national and provincial filings on campaign expenditures, reveals over 90 companies in Canada that work for political parties at federal, provincial and municipal levels.[23] This report demonstrates that the campaigning ecosystem in Canada is extensive and complex. All organizations within this ecosystem need to abide by the same rules with respect to the protection of personal information.
Bill C-65 does not achieve that goal. Most notably, nothing in the CEA’s provisions obliges the FPPs to obtain consent when they collect personal data on Canadians. And yet, companies that work for them and which are governed by the consent requirements in federal and provincial privacy laws, must (according to the 2019 decision on Aggregate IQ Inc. from the BC and federal privacy commissioners):[24] “take reasonable measures to ensure that the consent on which it relies – as the basis for its collection, use and disclosure of personal information on behalf of its clients – is compliant with PIPA and PIPEDA, as appropriate.” Sec. 444 does not provide for uniformity, and will likely create considerable confusion for the companies that process personally identifiable data on behalf of the FPPs.
Fourth, there is no meaningful oversight or enforcement mechanism. Violations of an FPP’s privacy policy is now an offence, and subject to some very modest administrative monetary penalties (Sec. 508.5). But these provisions are designed to enforce compliance from individuals and organizations who work in some capacity for the FPPs. They do not address the deeper question of whether or not the practices of the FPPs (as reflected in their privacy policies) violate the reasonable expectations of privacy of Canadians.
Obligations for compliance are based on the entirely fictitious notion that the CEO could, and would, cease an FPP’s registration if it did not submit a valid privacy policy. There is no clear process for complaint investigation and resolution. There is no indication of what individuals are supposed to do if they are dissatisfied with the response received from the party’s privacy officer. Indeed, how would an outsider know that a violation has even occurred?
With all due respect to Elections Canada, and the Commissioner of Canada Elections, they do not possess the resources or the expertise to monitor the complex technical environment of modern digital campaigning. The OPC, and its provincial and territorial counterparts do have that expertise and can give appropriate guidance about best practices. In BC, oversight is exercised jointly between the OIPC and Elections BC. [25] The OPC has recommended that Bill C-65 should be amended to provide for a similar formal collaboration between Elections Canada, the Commissioner of Canada Elections and the OPC. I support that recommendation.
Fifth, and relatedly, there is no effective mechanism for reporting data breaches. We have already witnessed a number of data breaches from political parties.[26] They are only likely to continue. The current provisions only require the FPPs to inform the individuals affected if they judge that there is a “real risk of significant harm.” There must also be a duty to report such breaches to an independent and expert body, such as the OPC.
THE POTENTIAL RISKS TO DEMOCRACY
At root, this issue is not only about the rights of Canadians to exercise their privacy rights. It is about the heath and resilience of our democracy, and about restoring the trust of Canadians in their political institutions – including our political parties. The application of privacy law across the campaigning environment can assist in enforcing more transparency and rebuilding that trust. Political campaigning is changing dramatically as elections increasingly become more “data-driven” and voter analytics, predictive modelling and artificial intelligence tools drive campaign communications.
Prior research, in Canada and elsewhere, has demonstrated that the risks to democratic practices from “data-driven” campaigning and micro-targeting may include:[27]
- Chilling effects on participation.
- A propensity to deliver messages on wedge issues.
- The fragmentation of the national political discourse and debate.
- Ambiguous political mandates for elected governments.
- Voter suppression and disenfranchisement.
- Targeted voter manipulation campaigns.
- The prevalence of “permanent campaigning”.
- The erosion of trust between party volunteers “on the ground” and data analysts.
The application of an effective privacy regime for the FPPs will not solve all the deeper problems with Canadian democracy, but it will:
- Establish a more level playing field and slow the incessant drive for more and more refined data used to profile Canadian voters, which typically benefits the larger and better resourced parties.
- Add some necessary clarity about the appropriate collection, use and disclosure of personal information – for employees, volunteers and the huge network of companies that operate within the campaigning ecosystem (which must comply with PIPEDA and provincial private sector privacy laws).
- Render more transparent the entirely opaque Voter Relationship Management Systems operated by each of the FPPs, which have become more sophisticated, interactive, integrative and efficient as new generations of digital and database technology, typically developed for US political campaigns, have been deployed.
- Establish some clearer rules about data security, and about best practices in the event of data breaches and cyberattacks.
- Provide for some truly enforceable privacy rights for individual Canadians.
CONCLUSION
There is no evidence, despite assertions by the FPPs, that compliance with privacy laws in other countries hinders political engagement, constrains their ability to recruit volunteers or otherwise prevents political parties from communicating their messages. There is also no credible reason why Canadians should enjoy privacy rights with respect to government agencies and private sector organizations, and not with political parties. Political parties do have special responsibilities in democratic societies to mobilize voters and communicate about their policies. But those functions can be performed whilst respecting privacy rights – as they are in the EU, the UK, New Zealand, and indeed in Quebec and BC, where provincial privacy law applies to the activities of political parties.
However, even if the amendments in Bill C-65 are strengthened along the lines suggested by the CEO and the OPC, it would still not constitute an effective regime for the protection of the personal information processed by the FPPs. If the government really wants to establish a “national, uniform, exclusive and complete” privacy regime for FPPs”, it should bring the FPPs into the current Bill C-27 amending PIPEDA. Failing that, it should develop, in consultation with the CEO and the OPC, a truly effective and enforceable national regulatory scheme as a separate national privacy protection statute applying to the FPPs.
_________________________________________________________
ENDNOTES
[1] Bennett, C.J. Voter databases, micro-targeting and data protection law: can political parties campaign in Europe as they do in North America? (Dec 2016) 6(4) International Data Privacy Law 261.
[2] Delacourt, S. (2016). Shopping for votes: How politicians choose us and we choose them. Madeira Park: D & M Publishers.
[3] Bennett, C. J., & Bayley, R. M. (2012). Canadian federal political parties and personal privacy protection: A comparative analysis. Gatineau: Office of the Privacy Commissioner of Canada.
[4] Elections Canada, Preventing deceptive communications with electors: Recommendations from the Chief Electoral Officer of Canada following the 41st General Election (2013) at: http://www.elections.ca/res/rep/off/comm/comm_e.pdf
[5] Elections Canada, Meeting new challenges: Recommendations from the Chief Electoral Officer of Canada following the 43rd and 44th General Elections, June 7, 2022 at: https://www.elections.ca/content.aspx?section=res&dir=rep/off/rec_2022&document=index&lang=e
[6] House of Commons, Standing Committee on Access to Information, Privacy and Ethics (ETHI). (2018). Addressing digital privacy vulnerabilities and potential threats to Canada’s democratic electoral process: Report of the Standing Committee on Access to Information, Privacy and Ethics.
[7]Senate Standing Committee on Legal and Constitutional Affairs, Fourteenth Report (June 2023) at: https://sencanada.ca/en/committees/LCJC/Report/117611/44-1
[8] Office of the Privacy Commissioner of Canada (OPC) (2018). Securing trust and privacy in Canada’s electoral process. Resolution September 11-13, 2018.
[9] Office of the Privacy Commissioner of Canada (OPC) (2019). Guidance for federal political parties on protecting personal information, April 1, 2019. Pursuant to Bill C-76, the Elections Modernization Act, S.C. 2018, c. 31, s. 385.
[10]Open Media, “Federal Political Parties: Flunking the Privacy Law Test,” (April 23rd, 2024) at: https://openmedia.org/article/item/federal-political-parties-flunking-the-privacy-law-test
[11] Kevin Newman, Podcast, The Data on Us (September 16, 2019) (podcast with anonymous whistleblower)
[12] Curry, B. (2019). Majority of poll respondents express support for extending privacy laws to political parties. The Globe and Mail, June 13, 2019; Boutilier, A. Canada’s political parties are exempt from privacy laws. Voters say that needs to end. Global News, April 25, 2023 at: https://globalnews.ca/news/9649677/federal-parties-voters-privacy/
[13] Center for Digital Rights at: https://www.centrefordigitalrights.org/our-work/quinfecta
[14] British Columbia Office of the Information and Privacy Commissioner (2019). Full disclosure: Political parties, campaign data and voter consent. Investigation Report P19-01 at: https://www.oipc.bc.ca/documents/investigation-reports/2156
[15]British Columbia Office of the Information and Privacy Commissioner (2022). Order P22-02. David Loukidelis QC. Conservative Party of Canada, Green Party of Canada, Liberal Party of Canada, New Democratic Party of Canada.
[16] Liberal Party of Canada v. Complainants 2024 BCSC 814 at: https://www.canlii.org/en/bc/bcsc/doc/2024/2024bcsc814/2024bcsc814.html
[17] Canada Elections Act, s 110, s 111
[18] Canada Elections Act, s. 275.
[19] Bill C-76, Elections Modernization Act: An Act to amend the Canada Elections Act and consequential amendments, 1st Sess, 42nd Parl, 2018
[20] Scassa, T. ‘A federal bill to impose privacy obligations on political parties in Canada falls (way) short of the mark’ (2 May 2018) <http://www.teresascassa.ca/index.php?option=com_k2&view=item&id=276:a-federal-bill-to-impose-privacy-obligations-on-political-parties-in-canada-falls-way-short-of-the-mark&Itemid=80
[21]I satirized these provisions at: https://www.colinbennett.ca/blog/the-surveillance-party-of-canada-policy-for-the-protection-of-personal-information-amended-april-1-2024/
[22] https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2024/parl_sub_241118/#
[23] https://openmedia.org/article/item/openmedias-influence-industry-report
[24] Office of the Privacy Commissioner of Canada, Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia: PIPEDA Findings 2019-004 (26 November 2019) at: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-004/
[25] BC OIPC and Elections BC. Guidance Document: Political Campaign Activity (August 2022) at: https://www.oipc.bc.ca/documents/guidance-documents/2537
[26] Canada’s Political Party Privacy Hall of Shame (January 17, 2024) at: https://openmedia.org/article/item/canadas-political-party-privacy-hall-of-shame
[27] The research is extensive. The literature was discussed in C. J. Bennett and D. Lyon, Data-driven Elections, Internet Policy Review, Vol. 8. No. 4 (2019); and N. Witzleb, M.Paterson & J. Richardson, ed, Big Data, Political Campaigning and the Law: Democracy and Privacy in the Age of Micro-Targeting (Abingdon, UK: Routledge: 2019). See also, UK Information Commissioner, Democracy Disrupted? Personal Information and Political Influence (July 11, 2018).