BRIEF TO THE HOUSE OF COMMONS COMMITTEE ON PROCEDURE AND HOUSE AFFAIRS ON BILL C-25 (MAY 3, 2026)

 

Executive summary

This brief addresses exclusively the provisions in Sec. 36 of Bill C-25 relating to the privacy protection policies of Federal Political Parties (FPPs). Although there are some minimal improvements to security requirements over the amendments passed earlier this year in Bill C-4, the overall regime is still hopelessly inadequate.

Sec 36 has to be analyzed in conjunction with Part 4 of Bill C-4, the stated purpose of which is “to provide for a national, uniform, exclusive and complete regime applicable to registered parties and eligible parties respecting their activities in relation to personal information, including the collection, use, disclosure, retention and disposal of personal information.”   These amendments do nothing of the sort. 

 Registered political parties must develop a privacy policy and ensure that it is complied with by employees and volunteers.  But there is nothing to require the FPPs to apply a uniform set of standards for collection, use, disclosure, retention and disposal of personal information.   Each political party could (and does) apply very different standards.   There is nothing “national or uniform” about these provisions.

These provisions hardly constitute a “complete” regime. Historical and international standards for privacy protection, reflected in the ten principles that underpin Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), go a lot further than the weak provisions contained in the CEA.

These amendments will likely create considerable confusion for the organizations that process personally identifiable data on behalf of the FPPs, and which are obliged to comply with the stronger requirements in PIPEDA.  Rather than establishing some uniform rules, these provisions could add considerable confusion.

 A “complete” regime would also embody a meaningful oversight and enforcement mechanism.   “Trust us to protect your privacy” has long since ceased to be a credible position for modern data processing organizations like political parties.

Sec. 36 should be repealed along with Part 4 of Bill C-4.  The FPPs should be brought within the scope of a modernized Personal Information Protection and Electronic Documents Act (PIPEDA).   Failing that, it should develop, in consultation with the CEO and the OPC, a truly effective and enforceable national regulatory scheme as a separate national privacy protection statute applying to the FPPs.

 

Introduction

I have researched and written about the uses and abuses of personal information in election campaigns for over 12 years.  I have also addressed several House and Senate committees on these issues, including the House of Commons Standing Committees on Procedure and House Affairs.  I am grateful for the opportunity to submit this brief on Bill C-25.

 

The Regulatory Gap and the Campaign for Reform

In most democratic countries, the opportunities for political parties to capture and use personal information to identify and target voters are constrained by comprehensive privacy protection laws.[1] This is not the case in Canada.  Generally, individuals have no legal rights to learn what information about them is contained in party databases, to access and correct that information, to remove themselves from the systems, or to restrict the collection, use and disclosure of their personal information. Parties can typically capture personal information from multiple sources, analyze it freely, and mobilize it to target messages on the doorstep, through email and text, and over social media platforms.[2]

The campaign to bring the FPPs under the umbrella of comprehensive federal privacy law and the oversight of the Office of the Privacy Commissioner of Canada (OPC) has been met with stiff and generally unified resistance. FPPs are still the one category of organization in Canada over which individuals have few, if any, legal privacy rights.

This issue has been on the agenda for over 13 years.[3]  Back in 2013, the Chief Electoral Officer (CEO) recommended that all ten privacy principles in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) be implemented by the FPPs.[4]  He repeated that call in his 2022 annual report.[5]  In 2018, in response to the Cambridge Analytica scandal, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) recommended “that the Government of Canada take measures to ensure that privacy legislation applies to political activities in Canada, either by amending existing legislation or enacting new legislation.”[6]  The same was recommended by the Senate Legal and Constitutional Affairs Committee in 2023.[7]

The federal, provincial and territorial information and privacy commissioners have called on their respective governments to pass legislation “requiring political parties to comply with globally recognized privacy principles; empowering an independent body to verify and enforce privacy compliance by political parties through, among other means, investigation of individual complaints; and, ensuring that Canadians have a right to access their personal information in the custody or control of political parties.”[8]  In April 2019, the OPC and the CEO issued joint guidance on the protection of personal information by the FPPs in response to the requirement in the Canada Elections Act (CEA) that each develop privacy policies as a condition of registration.[9]

Civil society organizations also exerted pressure. Most notably, Vancouver based, Open Media, conducted a systematic comparison of the FPPs’ privacy policies against the national information privacy principles, and exposed the obvious inadequacies.[10]  Media attention has increased.   Whistleblowers have come forward.[11]   And a recent IPSOS survey demonstrates  both a general surprise among Canadians that FPPs are not covered by our privacy laws, and strong support for bringing them within the regulatory framework.   Around sixty percent of Canadians have little or no trust in political parties to protect their personal information.[12]

Not until the Center for Digital Rights (CDR) initiated a series of formal complaints to regulators about the FPPs’ practices, did the parties pay serious attention to the problem.[13]  One of those complaints went to British Columbia’s Information and Privacy Commissioner.  Most provincial and federal privacy protection laws do not apply to political parties.   There are two exceptions, in BC and Quebec.  BC’s Personal Information Protection Act (PIPA) has always applied to provincial political parties, and the BC Office of the Information and Privacy Commissioner (OIPC) has conducted several investigations.[14]  But did the law also apply to the FPPs when they collect, use or disclose personal information in BC?   In 2019, and supported by the CDR, three BC citizens sought access to the personal information collected, used or disclosed in BC by the federal Liberal, Conservative, New Democrat and Green parties.

Before the OIPC was able to begin its investigation, however, the Liberals, Conservatives and NDP challenged its jurisdiction.[15]  The Commissioner’s delegate, former BC Commissioner David Loukidelis K.C. then held an inquiry on the specific question of whether FPPs were organizations covered by PIPA, and whether or not federal law “ousted” BC’s jurisdiction.  In March 2022, he found the FPPs were organizations under PIPA, and that the law is constitutionally applicable to the collection, use and disclosure of personal information in BC by FPPs registered under the CEA.[16]  The FPPs then jointly sought judicial review to quash the Loukidelis order.

After several delays, the case was heard in the BC Supreme Court in April 2024.   On May 14, 2024, BC Supreme Court Justice G.C. Weatherill issued his decision.[17]   He affirmed all the findings in the Loukidelis order, and held that Canada’s FPPs and their personal information practices are subject to the privacy law requirements in PIPA, when they operate in BC.  PIPA applies to the FPPs, because it applies to allorganizations, including unincorporated associations.  The judge situated this analysis within a broader endorsement of the significance of privacy for democratic values: “The ability of an individual to control their personal information is intimately connected to their individual autonomy, dignity and privacy. These fundamental values lie at the heart of democracy.”   Three FPPs (Liberals, Conservative and NDP) have appealed the ruling to the BC Court of Appeal.

 

The Privacy Provisions in the Canada Elections Act

Rather than amend federal privacy legislation to regulate the personal data processed by the FPPs, as has been recommended by many individuals and groups, the federal government has concluded that the CEA is the appropriate statutory vehicle to regulate their personal information practices.

Under the CEA, the voter lists provided to registered FPPs are subject to reasonably strict rules concerning security, retention, unauthorized access and so on. The CEA specifies that the FPPs, and their candidates and MPs are expressly authorized to use the lists for communicating with electors, including using them for soliciting contributions and recruiting members.[18]  The CEA also provides that no person may knowingly use personal information that is recorded in a list of electors for any other  purpose; there are penalties for failing to comply in Part 19 of the CEA.[19]  These rules do not, however, apply to the vast range of other personal data the FPPs might collect, on the doorstep, over the phone, from petitions, from third parties providers, or from social media.

In 2018, the Elections Modernization Act (Bill C-76), introduced some modest provisions requiring registered FPPs to have a publicly available, easily understandable policy describing the collection, protection, and sale of personal information, procedures for staff training, and the identity of a designated person to whom privacy concerns can be addressed. The submission of a privacy policy was made a condition for registration with Elections Canada.[20] These provisions were met with strong criticism for their incompleteness, vagueness, and lack of any real enforcement mechanism.[21]

In April 2023, the government introduced Bill C-47 (the Budget Implementation Act) which included amendments to the CEA, the express purpose of which was to provide for a “national uniform, exclusive and complete regime applicable to federal political parties and eligible parties respecting the collection, use, disclosure, retention, and disposal of personal information” (Sec. 385.2).  This provision was an attempt to preempt the litigation in BC, by signaling that there is indeed a regime for privacy protection at the federal level that ousts the provincial jurisdiction.   These amendments passed in June 2023.

In March 2024, the government introduced Bill C-65 which sought to repeal Sec. 385.2 and replace it with some further provisions concerning the required content of the FPPs privacy policies.   This Bill died on the order paper.   After the 2025 election, the government introduced Bill C-4, incorporating Part 4 into entirely unrelated legislation on Canadian affordability.   The Bill was studied and critiqued by the Senate Committee on Legal and Constitutional Affairs which took the unusual step of recommending a sunset clause.   The House rejected the Senate amendment, and the Bill received Royal Assent on March 13, 2026.

 Section 36 of Bill C-25 adds further amendments to an already weak and rickety legal structure.  This current episode in this saga only reinforces the basic problem:  the Canada Elections Act is not the appropriate statutory vehicle to regulate the processing of personal data by political parties.

 

The Canada Elections Act is not the appropriate vehicle for imposing privacy obligations on the FPPs

Part 4 of Bill C-4 is intended to provide for a “national, uniform, exclusive and complete” privacy regime for FPPs.   It also stipulates that the provisions of the FPPs’ privacy policies apply broadly to “any registered party or eligible party, as well as any person or entity acting on the party’s behalf, including the party’s candidates, electoral district associations, officers, agents, employees, volunteers and representatives.”   There are several reasons why the current regime does not constitute a “national, uniform, exclusive and complete” regime for the protection of personal information processed by the FPPs.

First, the CEA is not the appropriate statutory vehicle for imposing privacy obligations on the FPPs.  Privacy protection law is that vehicle, and the Office of the Privacy Commissioner is the appropriate regulator.   Contemporary privacy protection law is legally and technically complex and requires far more than the obligations for transparency included in the CEA.  The provisions are not “complete”.  On the contrary they are incomplete.

Second, privacy law should include all ten principles in PIPEDA, supplemented with proper and enforceable provisions for independent oversight and accountability.   The current provisions proposed in Part 4 amount to little more than tell us what you do, and give “illustrative examples.”   Essentially, the CEA permits the FPPs to collect whatever personal data they wish from whatever sources and to process it in any way they please, provided they are transparent about it.[22]   There is no external statutory standard for the legal processing of personal data, as is the cornerstone of international data protection law.

Therefore, there is nothing to oblige the FPPs to follow the same practices.  They could (and by all accounts do) collect different categories of personal data from different sources.  They could (and by all accounts do) share it widely within the larger campaigning ecosystem.  They could (and by all accounts do) follow different security practices and standards.  Part 4 amounts to little more than “self-regulation” and therefore, by definition, cannot be a uniform standard.

As the Privacy Commissioner stated in his submission on Bill C-65 of November 18, 2024[23]: “unlike the key provisions and principles that underpin the federal Privacy Act or the Personal Information Protection and Electronic Documents Act (PIPEDA), the rules proposed for federal political parties would not include statutory requirements for parties to:  obtain individual consent; limit the collection of personal information; provide means for individuals to seek access to their information; limit the use and disclosure of personal information to those purposes for which it was collected; allow individuals to exercise a right of correction.”

Third, these amendments do not provide a “national, uniform, exclusive and complete” privacy regime, when one considers the entire network of individuals, organizations and companies involved in contemporary political campaigns.  A 2025 report from Open Media, based on analysis of national and provincial filings on campaign expenditures, reveals over 90 companies in Canada that work for political parties at federal, provincial and municipal levels.[24]   This report demonstrates that the campaigning ecosystem in Canada is extensive, dynamic and complex.   All organizations within this ecosystem need to abide by the same rules with respect to the protection of personal information.

Most notably, nothing in these provisions obliges the FPPs to obtain consent when they collect personal data on Canadians. And yet, companies that work for them and which are governed by the consent requirements in federal and provincial privacy laws, must (according to the 2019 decision on Aggregate IQ Inc. from the BC and federal privacy commissioners):[25] “take reasonable measures to ensure that the consent on which it relies – as the basis for its collection, use and disclosure of personal information on behalf of its clients – is compliant with PIPA and PIPEDA, as appropriate.”   Part 4 does not provide for uniformity, and will likely create considerable confusion for the companies that process personally identifiable data on behalf of the FPPs.

Fourth, there is no meaningful oversight or enforcement mechanism.  These provisions are designed to enforce compliance from individuals and organizations who work in some capacity for the FPPs.  They do not address the deeper question of whether or not the practices of the FPPs (as reflected in their privacy policies) violate the reasonable expectations of privacy of Canadians.  There is no clear process for complaint investigation and resolution.  There is no indication of what individuals are supposed to do if they are dissatisfied with the response received from the party’s privacy officer.

With all due respect to Elections Canada, and the Commissioner of Canada Elections, they do not possess the resources or the expertise to monitor the complex technical environment of modern digital campaigning.  The current furore over the massive data breach in Alberta clearly demonstrates this sad reality.   The OPC, and its provincial and territorial counterparts do have that expertise and can give appropriate guidance about best practices.  In BC, oversight is exercised jointly between the OIPC and Elections BC. [26]   The OPC has recommended a similar oversight model based on similar formal collaboration between Elections Canada, the Commissioner of Canada Elections and the OPC.   I support that recommendation.

 

The Potential Risks to Democracy

At root, this issue is not only about the rights of Canadians to exercise their privacy rights.   It is about the heath and resilience of our democracy, and about restoring the trust of Canadians in their political institutions – including our political parties.  The application of privacy law across the campaigning environment can assist in enforcing more transparency and rebuilding that trust.  Political campaigning is changing dramatically as elections increasingly become more “data-driven” and voter analytics, predictive modelling and artificial intelligence tools drive campaign communications.

Prior research, in Canada and elsewhere, has demonstrated that the risks to democratic practices from “data-driven” campaigning and micro-targeting may include:[27]

• Chilling effects on participation.
• A propensity to deliver messages on wedge issues.
• The fragmentation of the national political discourse and debate.
• Ambiguous political mandates for elected governments.
• Voter suppression and disenfranchisement.
• Targeted voter manipulation campaigns.
• The prevalence of “permanent campaigning”.
• The erosion of trust between party volunteers “on the ground” and data analysts.

The application of an effective and enforceable privacy regime for the FPPs will not solve all the deeper problems with Canadian democracy, but it will:

• Establish a more level playing field and slow the incessant drive for more and more refined data used to profile Canadian voters, which typically benefits the larger and better resourced parties.
• Add some necessary clarity about the appropriate collection, use and disclosure of personal information – for employees, volunteers and the huge network of companies that operate within the campaigning ecosystem (which must comply with PIPEDA and provincial private sector privacy laws).
• Render more transparent the entirely opaque Voter Relationship Management Systems operated by each of the FPPs, which have become more sophisticated, interactive, integrative and efficient as new generations of digital and database technology, typically developed for US political campaigns, have been deployed.
• Establish some clearer rules about data security, and about best practices in the event of data breaches and cyberattacks.
• Provide for some truly enforceable privacy rights for individual Canadians. 

Conclusion

There is no evidence, despite assertions by the FPPs, that compliance with privacy laws in other countries hinders political engagement, constrains their ability to recruit volunteers or otherwise prevents political parties from communicating their messages.  There is also no credible reason why Canadians should enjoy privacy rights with respect to government agencies and private sector organizations, but not with political parties.   Political parties do have special responsibilities in democratic societies to mobilize voters and communicate about their policies.   But those functions can be performed whilst respecting privacy rights – as they are in the EU, the UK, New Zealand, and indeed in Quebec and BC, where provincial privacy law applies to the activities of political parties.

There are, indeed, strong arguments for having one consistent set of rules across Canada for the processing of personal data by federal political parties.  But the provisions in the Canada Elections Act fall far short.

If the government really wants to establish a “national, uniform, exclusive and complete” privacy regime for FPPs”, it should repeal Sec. 36 of Bill C-25, and Part 4 of Bill C-4, and consider bringing the FPPs into its promised modernized version of PIPEDA.  Failing that, it should develop, in consultation with the CEO and the OPC, a truly effective and enforceable national regulatory scheme as a separate national privacy protection statute applying to the FPPs.

_____________________________

ENDNOTES

[1] Bennett, C.J.  Voter databases, micro-targeting and data protection law: can political parties campaign in Europe as they do in North America?  (Dec 2016) 6(4) International Data Privacy Law 261.

[2] Delacourt, S. (2016). Shopping for votes: How politicians choose us and we choose them. Madeira Park: D & M Publishers.

[3] Bennett, C. J., & Bayley, R. M. (2012). Canadian federal political parties and personal privacy protection: A comparative analysis. Gatineau: Office of the Privacy Commissioner of Canada.

[4] Elections Canada, Preventing deceptive communications with electors: Recommendations from the Chief Electoral Officer of Canada following the 41st General Election (2013) at: http://www.elections.ca/res/rep/off/comm/comm_e.pdf

[5] Elections Canada, Meeting new challenges:   Recommendations from the Chief Electoral Officer of Canada following the 43^rd and 44^th General Elections, June 7, 2022 at: https://www.elections.ca/content.aspx?section=res&dir=rep/off/rec_2022&document=index&lang=e

[6] House of Commons, Standing Committee on Access to Information, Privacy and Ethics (ETHI). (2018). Addressing digital privacy vulnerabilities and potential threats to Canada’s democratic electoral process: Report of the Standing Committee on Access to Information, Privacy and Ethics.

[7]Senate Standing Committee on Legal and Constitutional Affairs,  Fourteenth Report (June 2023) at: https://sencanada.ca/en/committees/LCJC/Report/117611/44-1

[8] Office of the Privacy Commissioner of Canada (OPC) (2018). Securing trust and privacy in Canada’s electoral process. Resolution September 11-13, 2018.

[9] Office of the Privacy Commissioner of Canada (OPC) (2019). Guidance for federal political parties on protecting personal information, April 1, 2019.   Pursuant to Bill C-76, the Elections Modernization Act, S.C. 2018, c. 31, s. 385.

[10]Open Media, “Federal Political Parties:  Flunking the Privacy Law Test,” (April 23^rd, 2024) at: https://openmedia.org/article/item/federal-political-parties-flunking-the-privacy-law-test

[11] Kevin Newman, Podcast, The Data on Us (September 16, 2019) (podcast with anonymous whistleblower)

[12] IPSOS survey on privacy and political parties (April 2026) at:  www.voterprivacy.ca

[13] Center for Digital Rights at:  https://www.centrefordigitalrights.org/our-work/quinfecta

[14] British Columbia Office of the Information and Privacy Commissioner (2019). Full disclosure: Political parties, campaign data and voter consent. Investigation Report P19-01 at: https://www.oipc.bc.ca/documents/investigation-reports/2156

[15] The Green Party supports the extension of Canada’s privacy law to political parties.

[16]British Columbia Office of the Information and Privacy Commissioner (2022). Order P22-02. David Loukidelis QC. Conservative Party of Canada, Green Party of Canada, Liberal Party of Canada, New Democratic Party of Canada.

[17] Liberal Party of Canada v. Complainants 2024 BCSC 814 at:  https://www.canlii.org/en/bc/bcsc/doc/2024/2024bcsc814/2024bcsc814.html

[18] Canada Elections Act, s 110, s 111

[19] Canada Elections Act, s. 275.

[20] Bill C-76, Elections Modernization Act: An Act to amend the Canada Elections Act and consequential amendments, 1st Sess, 42nd Parl, 2018

[21] Scassa, T. ‘A federal bill to impose privacy obligations on political parties in Canada falls (way) short of the mark’ (2 May 2018) <http://www.teresascassa.ca/index.php?option=com_k2&view=item&id=276:a-federal-bill-to-impose-privacy-obligations-on-political-parties-in-canada-falls-way-short-of-the-mark&Itemid=80

[22]I satirized these provisions at:  https://www.colinbennett.ca/blog/the-surveillance-party-of-canada-policy-for-the-protection-of-personal-information-amended-april-1-2024/

[23] https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2024/parl_sub_241118/#

[24] https://openmedia.org/article/item/openmedias-influence-industry-report

[25] Office of the Privacy Commissioner of Canada, Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia: PIPEDA Findings 2019-004 (26 November 2019) at:   https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-004/

[26] BC OIPC and Elections BC.  Guidance Document: Political Campaign Activity (August 2022) at: https://www.oipc.bc.ca/documents/guidance-documents/2537

[27] The research is extensive.   The literature was discussed in C. J. Bennett and D. Lyon, Data-driven Elections, Internet Policy Review, Vol. 8. No. 4 (2019);  and N. Witzleb, M.Paterson & J. Richardson, ed, Big Data, Political Campaigning and the Law: Democracy and Privacy in the Age of Micro-Targeting (Abingdon, UK: Routledge: 2019).  See also, UK Information Commissioner, Democracy Disrupted?   Personal Information and Political Influence (July 11, 2018).