Political Parties and Voter Data: A Disquieting Gap in Canadian Privacy Legislation

A 2018 complaint to the Saskatchewan Information and Privacy Commissioner (IPC) about a data breach within the provincial NDP highlights the gap in privacy protection in relation to political parties in most of Canada. This comment briefly explores the complaint and the IPC's response to it before assessing the changes introduced at the federal level by the recent Elections Modernization Act.

By Fraser Duncan*

On May 9, 2018, a member of the public complained to the Saskatchewan Information and Privacy Commissioner (“IPC”) about the use by two individuals in the Saskatchewan New Democratic Party (“NDP”) of the federal NDP’s online voter database, Populus.1 An earlier internal investigation by the Saskatchewan NDP found that one party volunteer had not only accessed the complainant’s personal data2 but had, using the online database, also committed seventeen more privacy breaches in accessing data related to a further twelve individuals.3 Set against international scandals involving the use of online voter data that potentially affect more than eighty-seven million people,4 the incident appears minor in scale. Moreover, the party reacted swiftly and proportionately: the individual responsible was suspended from accessing voter data for four years albeit with the potential for monitored access after a year, contingent on information and privacy training.5 The complaint, however, illustrates clearly the current legal gap in privacy protection in relation to political parties in most of Canada. Recent amendments to the Canada Elections Act6 do not substantively address the current inadequacies in the law. This comment briefly explores the response of the Saskatchewan IPC to the breach before discussing the current state of the law in regard to privacy and political parties and the recent changes effected by Bill C-76.7

The Saskatchewan IPC, after analysing the relevant sections of The Freedom of Information and Protection of Privacy Act,8 concluded that he did not have jurisdiction to investigate the complaint.9 The Saskatchewan NDP is not a government institution as defined by FOIP10 and the FOIP regulations.11 While the offices and employees of both Ministers12 and Members of the Legislative Assembly (“MLA”)13 are subject to some portions of FOIP,14 provincial political parties are not.15 Nonetheless, despite his lack of jurisdiction, the Saskatchewan IPC decided to use the complaint to provide a helpful overview of best practices for political parties to avoid data breaches and to respond to breaches when they occur. Best practices for avoiding breaches consisted of the following: the use of systems producing access logs16 and random audits of these logs;17 the implementation of Privacy Impact Assessments when new electronic systems are introduced or changes made to existing ones;18 and the provision of information and training for staff and volunteers.19 In the event of a breach, political parties should exercise containment through revocation of access to personal information,20 conduct a thorough and documented investigation,21 and notify affected individuals.22

The Saskatchewan IPC’s report in Re NDP provides some constructive guidance for political parties using voter databases containing vast amounts of sensitive information. However, Re NDP also exemplifies a more fundamental issue: political parties in Canada are for the most part not subject to privacy legislation. British Columbia is currently the only Canadian jurisdiction in which privacy legislation applies to political parties.23 Privacy statutes in other provinces, such as FOIP,24 do not apply to political parties. Political parties, generally, are also not subject to the Personal Information Protection and Electronic Documents Act25 as they are not federal works, undertakings or businesses26 nor are they engaged in commercial activities.27 Neither are parties subject to the federal Privacy Act28 as this only applies to listed federal government institutions, any parent Crown corporation, and any wholly-owned subsidiary of such a corporation.29

The inapplicability of privacy legislation to political parties in Canada outside British Columbia is alarming. Recent polls have suggested that nearly three-quarters of Canadians are concerned or somewhat concerned about how parties use the data about voters they collect.30 Such anxiety is not misplaced. Data-driven campaigning, particularly micro-targeting, has become a key aspect of parties’ electoral strategies.31 This necessarily creates a tension between the electoral benefits of increasingly sophisticated voter analytics that rely on extensive data collection and “the privileged, foundational position of privacy interests in our social and legal culture.”32

Growing cross-national concern about the use of voter data by political parties has been echoed within Canada. While the extent to which Canadian political parties rely on the collection and use of data is largely unknown, some studies have suggested that federal and provincial parties routinely handle data in ways inconsistent with the internationally recognized principles underpinning PIPEDA.33 A recent investigation by the British Columbia IPC found, for instance, multiple instances of political parties in the province collecting, using and disclosing personal information without adequate consent.34 Federal, Provincial, and Territorial IPCs across Canada issued a joint resolution in September 2018 calling for legislation requiring political parties to comply with “globally recognized privacy principles.”35 A report in December 2018 by the House of Commons Standing Committee on Access to Information, Privacy and Ethics similarly recommended that the federal government amend PIPEDA to extend its reach to political parties.36

Thus far, however, the response from the current federal government has been limited. In evidence to the Standing Committee, Michael Fenrick, Constitutional and Legal Adviser to the Liberal Party of Canada National Board of Directors, stated that the Liberal Party was against the application of PIPEDA to political parties.37 Instead, the government’s approach appears to be based on mandatory provision of privacy information but only voluntary compliance with privacy standards. The EMA, which came into force on June 13, 2019, amends the CEA to require registered political parties to publicize their privacy policies on their websites and to provide the policies to the Chief Electoral Officer (CEO).38 Political parties that fail to provide this information face non-voluntary deregistration39 and the EMA also provides the CEO with the power to deregister parties if they change their privacy policies but fail to publish the updated policies online.40

The EMA’s limited changes to the legal responsibilities of political parties in relation to privacy are to be welcomed. However, given the electoral value of voter data for parties, the new regime is not enough to protect effectively the privacy rights of Canadian citizens, as pointed out by several witnesses at the recent Standing Committee.41 The amended CEA will require only that parties have and publicize up-to-date privacy policies. It will not, however, demand a specific minimum standard for such policies and it does not grant an independent body oversight over whether the parties’ stated policies are actually being followed. CEO Stéphane Perrault also drew attention to the fact that individuals will still be unable to find out whether information is held about them and, if so, how it is being used. Nor will they be able to challenge any inaccurate or incomplete information.42

With the upcoming federal election in mind, in April 2019 the Office of the Privacy Commissioner of Canada (“OPC”), together with the CEO, issued guidance on safeguarding personal data to federal political parties.43 In it, the OPC and CEO note the changes introduced by the EMA and, in the form of a series of best practices, suggest how the PIPEDA principles apply to the activities of political parties.44 However, the guidance also effectively concedes that these best practices remain merely suggestions as the OPC has no jurisdiction over the activities of federal political parties.

Canada is not alone in its failure to hold political parties to account for their use of voter data. Australia, for instance, also exempts political parties from federal privacy legislation.45 However, in the context of constitutional challenges to electoral law, the Supreme Court of Canada has rejected the argument that restrictive laws in other nations justify comparable practices here.46 Similarly, given the quasi-constitutional nature of the right to privacy,47 the current inadequacies in Canadian privacy protection should not be justified by deficiencies in other states.

* J.D. Candidate (University of Saskatchewan)

1 Saskatchewan New Democratic Party (Re), 2018 CanLII 87635 (Sask IPC) at para 1 [Re NDP].

2 Ibid at para 4.

3 Ibid at para 5.

4 Tony Romm et al, “‘It’s about time’: Facebook faces first lawsuit from U.S. regulators after Cambridge Analytica scandal”, The Washington Post (19 December 2018), online: <https://www.washingtonpost.com/technology/2018/12/19/dc-attorney-general-sues-facebook-over-alleged-privacy-violations-cambridge-analytica-scandal/?utm_term=.729ef20aa098>, archived: <https://perma.cc/B4HR-J3LV>.

5 Re NDP, supra note 1 at para 36.

6 SC 2000, c 9 [CEA].

7 An Act to amend the Canada Elections Act and other Acts and to make certain consequential amendments, 1st Sess, 42nd Parl, 2018 (assented to 13 December 2018) SC 2018, c 31 [EMA].

8 SS 1990-91, c F-22.01 [FOIP].

9 Re NDP, supra note 1 at para 13.

10 FOIP, supra note 8, s 2(1)(d).

11 RRS c F-22.01, Reg 1, s 3, Appendix.

12 FOIP, supra note 8, s 3(4).

13 Ibid, s 3(3).

14 Sections 24, 24.1, 25-30 and 34 of FOIP (ibid) apply in each case while s. 24.2 also applies to the offices and employees of MLAs.

15 The application of FOIP to MLAs was of potential relevance as the complaint initially incorrectly alleged that the breach took place in the office of Vicki Mowat, MLA for Saskatoon Fairview (Re NDP, supra note 1 at para 2).

16 Ibid at para 29.

17 Ibid at para 30.

18 Ibid at para 31.

19 Ibid at paras 39-40.

20 Ibid at para 17.

21 Ibid at para 21.

22 Ibid at para 22.

23 The Personal Information Protection Act (SBC 2003, c 63) applies to all organizations that are engaged in the “collection, use and disclosure of personal information” (ibid, s 2) unless the activity or the personal information falls under the exemptions listed under s 3(2).

24 Supra note 8.

25 SC 2000, c 5 [PIPEDA].

26 Ibid, s 4(1)(b).

27 Ibid, s 4(1)(a). A possible exception to this may be the sale of party-branded goods via party websites.

28 RSC 1985, c P-21.

29 Ibid, s 3.

30 Bill Curry, “Canadians concerned about how Facebook, political parties protect their privacy: poll”, The Globe and Mail (19 December 2018), online: <https://www.theglobeandmail.com/politics/article-canadians-concerned-about-how-facebook-political-parties-protect>, archived: <https://perma.cc/Q33K-K38J>.

31 See e.g. David W Nickerson and Todd Rogers, “Political Campaigns and Big Data” (2014) 28:2 J Econ Persp 51.

32 Dagg v Canada (Minister of Finance), [1997] 2 SCR 403 at 436, 1997 CanLII 358, La Forest J, dissenting.

33 See e.g. Colin M Bennett and Robin M Bayley, “Canadian Federal Political Parties and Personal Privacy Protection: A Comparative Analysis” (2012), online (pdf): Office of the Privacy Commissioner of Canada <https://www.priv.gc.ca/media/1756/pp_201203_e.pdf>, archived: <https://perma.cc/9STZ-L7K5>.

34 British Columbia, Office of the Information and Privacy Commissioner for British Columbia, Investigation Report P19-01. Full Disclosure: Political parties, campaign data, and voter consent (6 February 2019), online (pdf): <https://www.oipc.bc.ca/investigation-reports/2278>, archived: <https://perma.cc/B3GJ-XVSS>.

35 Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners, “Securing Trust and Privacy in Canada’s Electoral Process” (11–13 September 2018), online: <https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/joint-resolutions-with-provinces-and-territories/res_180913>, archived: <https://perma.cc/M4SH-4QBE>.

36 House of Commons, Standing Committee on Access to Information, Privacy and Ethics, Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly (December 2018) (Chair: Bob Zimmer) at 25, online (pdf): <https://www.ourcommons.ca/Content/Committee/421/ETHI/Reports/RP10242267/ethirp17/ethirp17-e.pdf>, archived: <https://perma.cc/RV8T-ZLWW> [Democracy].

37 Ibid at 21.

38 Supra note 7, ss 254(1), (3), 255.

39 For existing registered parties, failure to comply within three months of the new legal rules coming into force will result in non-voluntary deregistration (ibid, s 255). The new regime will also apply to currently eligible non-registered parties and parties whose eligibility is as yet undetermined (ibid).

40 Ibid, ss 258, 260.

41 Democracy, supra note 36 at 19-20.

42 Ibid at 22.

43 Office of the Privacy Commissioner, “Guidance for federal political parties on protecting personal information” (1 April 2019), online: <https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_pp_201904>, archived: <https://perma.cc/9EKH-TA26>.

44 Ibid.

45 Privacy Act 1988 (Cth), 1988/119, s 6C.

46 Sauvé v Canada (Chief Electoral Officer), 2002 SCC 68 at para 41, [2002] 3 SCR 519; Frank v Attorney General (Canada), 2019 SCC 1 at para 62, 428 DLR (4th) 451.

47 Lavigne v Canada (Office of the Commissioner of Official Languages), 2002 SCC 53 at paras 24-25, [2002] 2 SCR 773.