One of the obvious lessons from the appalling breach of the list of electors, containing personal information on 2.9 million Albertans, is that election regulators are not well equipped to investigate massive privacy invasions such as this.
Elections Alberta has issued cease and desist letters to more than 500 Albertans who accessed a searchable database, operated by the Centurion Project. It has launched a broader investigation into how the voters list was sourced from the Republican Party of Alberta. But questions are swirling about when Elections Alberta first knew about the breach, and why it did not act earlier.
For her part, Alberta’s Information and Privacy Commissioner, Diane McLeod, has already conceded that she is unable to conduct a full investigation because her authority does not extend to political parties. She is investigating the Centurion Project, the third-party advertiser that allegedly used the personal information derived from the list of electors under Alberta’s Personal Information Protection Act – the law that covers commercial organizations. But her hands are tied.
Election regulators, like Elections Alberta, are primarily responsible for a range of other duties: maintaining the register of electors; administering the rules around election advertising; appointing and overseeing returning officers; registering political parties; administering the complex system of financial contributions; and generally ensuring that our electoral system is accessible.
Privacy breaches can be technically complex. They typically involve human and systemic error. They require a sophisticated understanding of privacy risks. Federal and provincial information and privacy commissioners deal with data breaches all the time. They know what questions to ask. And they know how to give appropriate advice about harm mitigation. Election regulators generally do not, because they generally have no experience. I could not find one administrative penalty, letter of reprimand or any other public finding or decision on the Elections Alberta website relating to the illegal misuse of the list of electors. The vast majority of decisions relate to violations of contribution and expense limits. The same would generally be true in other provinces and at the federal level.
The crazy patchwork of responsibilities seen in Alberta is also reflected at the federal level. Elections Canada has responsibility over the use of the voters list and can administer (but rarely has administered) penalties for its misuse. The list of electors may only be used by registered political parties and constituency associations for the purposes of “communicating with electors.” But we know that political parties use those data to build sophisticated “Voter Relationship Management” systems which include a range of personal data collected from other sources, and which have been developed to profile the electorate and prioritize elections communications.
But the jurisdiction of election regulators just extends to the narrow range of data in the voters list, and no further. How do we know? Because back in 2019, the Center for Digital Rights asked the Commissioner of Canada Elections to investigate how the voters list was being used by political parties to build these more extensive databases, and whether this and other uses violated the Canada Elections Act. The Commissioner refused to investigate, and even fought the issue in court (which upheld his very narrow interpretation of the legislation).
The Canada Elections Act also requires registered federal political parties to develop privacy policies, deliver them to the Chief Electoral Officer, and be subject to penalties if their employees and volunteers do not follow these self-determined rules. This model of self-regulation has been widely criticized. This lame system of self-regulation with a crazy patchwork of oversight responsibilities has evolved through several amendments to the Canada Elections Act, the latest of which is in Bill C-25, currently being considered by the House Committee on Procedure and House Affairs (PROC).
Volumes of personal data flow around the complex electoral campaigning system at federal and provincial levels. No one authority can oversee the entire picture. Some data from some organizations is subject to some privacy rules. Some organizations in the campaign ecosystem are overseen by election regulators, some by the privacy commissioners. This system makes no sense. It should be completely overhauled. Both the Chief Electoral Officer and the Privacy Commissioner have agreed as much.
The Alberta scandal will continue to capture public attention because of the volume of data disclosed illegally, and the obvious risks to vulnerable populations, as well as its role in the wider push for Alberta separatism. But it wasn’t the first breach of a voters list – and it won’t be the last. The scandal in Alberta was a disaster waiting to happen, and it should operate as a wake-up call and prompt some serious consideration of the weaknesses of the current system of accountability for voters’ sensitive information.