Executive summary
The stated purpose of the amendments to the Canada Elections Act (CEA) contained in Part 4 of Bill C-4 is “to provide for a national, uniform, exclusive and complete regime applicable to registered parties and eligible parties respecting their activities in relation to personal information, including the collection, use, disclosure, retention and disposal of personal information.” These amendments do nothing of the sort.
According to Part 4, the main obligation is for political parties to develop a privacy policy and ensure that it is complied with by employees and volunteers. There is nothing to require the federal political parties (FPPs) to apply a uniform set of standards for collection, use, disclosure, retention and disposal of personal information. Each federal political party could apply very different standards. There is nothing “national or uniform” about these provisions.
These provisions hardly constitute a “complete” regime. Historical and international standards for privacy protection, reflected in the ten principles that underpin Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA), go a lot further than the weak provisions contained in Part 4. This regime amounts to little more than “self-regulation” – entirely at odds with the contemporary international consensus on how to protect personal information in the modern digital age.
Part 4 will likely create considerable confusion for the organizations that process personally identifiable data on behalf of the FPPs, and which are obliged to comply with the stronger requirements in PIPEDA. Rather than establishing some uniform rules, these provisions add considerable confusion.
A “complete” regime would embody a meaningful oversight and enforcement mechanism. “Trust us to protect your privacy” has long since ceased to be a credible position for modern data processing organizations like political parties. A “complete” regime would also include a system to report data breaches. Such a provision did appear in its predecessor in the last parliament — Bill C-65. It has been cynically removed from Bill C-4.
Introduction
In recent years, I have addressed the House of Commons Standing Committees on Procedure and House Affairs and on Information Privacy and Ethics on prior iterations of the provisions contained in Part 4 of Bill C-4. It is, of course, completely unacceptable for important measures on privacy protection to be contained within a Bill devoted to unrelated measures pertaining to affordability. I am grateful that the Senate has decided to refer these measures to the LCJC and to examine their implications independently. My work on these issues was referred to by Senators Deacon and Dasko in the debate on February 5th. I am grateful for the opportunity to submit a longer written brief.
The Regulatory Gap and the Campaign for Reform
In most democratic countries, the opportunities for political parties to capture and use personal information to identify and target voters are constrained by comprehensive privacy protection laws.[1] This is not the case in Canada. Generally, individuals have no legal rights to learn what information about them is contained in party databases, to access and correct that information, to remove themselves from the systems, or to restrict the collection, use and disclosure of their personal information. Parties can typically capture personal information from multiple sources, analyze it freely, and mobilize it to target messages on the doorstep, through email and text, and over social media platforms.[2]
The campaign to bring the FPPs under the umbrella of comprehensive federal privacy law and the oversight of the Office of the Privacy Commissioner of Canada (OPC) has been met with stiff and generally unified resistance. FPPs are still the one category of organization in Canada over which individuals have few, if any, legal privacy rights.
This issue has been on the agenda for over 13 years.[3] Back in 2013, the Chief Electoral Officer (CEO) recommended that all ten privacy principles in Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) be implemented by the FPPs.[4] He repeated that call in his 2022 annual report.[5] In 2018, in response to the Cambridge Analytica scandal, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) recommended “that the Government of Canada take measures to ensure that privacy legislation applies to political activities in Canada, either by amending existing legislation or enacting new legislation.”[6] The same was recommended by the Senate Legal and Constitutional Affairs Committee in 2023.[7]
The federal, provincial and territorial information and privacy commissioners have called on their respective governments to pass legislation “requiring political parties to comply with globally recognized privacy principles; empowering an independent body to verify and enforce privacy compliance by political parties through, among other means, investigation of individual complaints; and, ensuring that Canadians have a right to access their personal information in the custody or control of political parties.”[8] In April 2019, the OPC and the CEO issued joint guidance on the protection of personal information by the FPPs in response to the requirement in the Canada Elections Act (CEA) that each develop privacy policies as a condition of registration.[9]
Civil society organizations also exerted pressure. Most notably, Vancouver based, Open Media, conducted a systematic comparison of the FPPs’ privacy policies against the national information privacy principles, and exposed the obvious inadequacies.[10] Media attention has increased. Whistleblowers have come forward.[11] And public opinion surveys have registered both a general surprise that FPPs are not covered by our privacy laws, and strong support for bringing them within the regulatory framework.[12]
There is, therefore, widespread political and public support for bringing the FPPs into the ambit of Canada’s privacy laws. But the campaign has confronted the overwhelming reality that any attempt to restrict the parties’ control of personal information would also curtail their use of a key resource that brought them to power.
Not until the Center for Digital Rights (CDR) initiated a series of formal complaints to regulators about the FPPs’ practices, did the parties pay serious attention to the problem.[13] One of those complaints went to British Columbia’s Information and Privacy Commissioner. Most provincial and federal privacy protection laws do not apply to political parties. There are two exceptions, in BC and Quebec. BC’s Personal Information Protection Act (PIPA) has always applied to provincial political parties, and the BC Office of the Information and Privacy Commissioner (OIPC) has conducted several investigations.[14] But did the law also apply to the FPPs when they collect, use or disclose personal information in BC? In 2019, and supported by the CDR, three BC citizens sought access to the personal information collected, used or disclosed in BC by the federal Liberal, Conservative, New Democrat and Green parties.
Before the OIPC was able to begin its investigation, however, the Liberals, Conservatives and NDP challenged its jurisdiction.[15] The Commissioner’s delegate, former BC Commissioner David Loukidelis K.C. then held an inquiry on the specific question of whether FPPs were organizations covered by PIPA, and whether or not federal law “ousted” BC’s jurisdiction. In March 2022, he found the FPPs were organizations under PIPA, and that the law is constitutionally applicable to the collection, use and disclosure of personal information in BC by FPPs registered under the CEA.[16] The FPPs then jointly sought judicial review to quash the Loukidelis order.
After several delays, the case was heard in the BC Supreme Court in April 2024. On May 14, 2024, BC Supreme Court Justice G.C. Weatherill issued his decision.[17] He affirmed all the findings in the Loukidelis order, and held that Canada’s FPPs and their personal information practices are subject to the privacy law requirements in PIPA, when they operate in BC. PIPA applies to the FPPs, because it applies to allorganizations, including unincorporated associations. The judge situated this analysis within a broader endorsement of the significance of privacy for democratic values: “The ability of an individual to control their personal information is intimately connected to their individual autonomy, dignity and privacy. These fundamental values lie at the heart of democracy.” Three FPPs (Liberals, Conservative and NDP) have appealed the ruling to the BC Court of Appeal.
The Privacy Provisions in the Canada Elections Act
Rather than amend federal privacy legislation to cover the personal data processed by the FPPs, as has been recommended by many individuals and groups, the federal government has concluded that the CEA is the appropriate statutory vehicle to regulate their personal information practices.
Under the CEA, the voter lists provided to registered FPPs are subject to reasonably strict rules concerning security, retention, unauthorized access and so on. The CEA specifies that the FPPs, and their candidates and MPs are expressly authorized to use the lists for communicating with electors, including using them for soliciting contributions and recruiting members.[18] The CEA also provides that no person may knowingly use personal information that is recorded in a list of electors for any other purpose; there are penalties for failing to comply in Part 19 of the CEA.[19] These rules do not, however, apply to the vast range of other personal data the FPPs might collect, on the doorstep, over the phone, from petitions, from third parties providers, or from social media.
In 2018, the Elections Modernization Act (Bill C-76), introduced some modest provisions requiring registered FPPs to have a publicly available, easily understandable policy describing the collection, protection, and sale of personal information, procedures for staff training, and the identity of a designated person to whom privacy concerns can be addressed. The submission of a privacy policy was made a condition for registration with Elections Canada.[20] These provisions were met with strong criticism for their incompleteness, vagueness, and lack of any real enforcement mechanism.[21]
In April 2023, the government introduced Bill C-47 (the Budget Implementation Act) which included amendments to the CEA, the express purpose of which was to provide for a “national uniform, exclusive and complete regime applicable to federal political parties and eligible parties respecting the collection, use, disclosure, retention, and disposal of personal information” (Sec. 385.2). This provision was an attempt to preempt the litigation in BC, by signaling that there is indeed a regime for privacy protection at the federal level that ousts the provincial jurisdiction. These amendments passed in June 2023.
In March 2024, the government introduced Bill C-65 which sought to repeal Sec. 385.2 and replace it with some further provisions concerning the required content of the FPPs privacy policies. This Bill died on the order paper. After the 2025 election, the government introduced Bill C-4, incorporating Part 4 into entirely unrelated legislation on Canadian affordability. In so doing, the government is attempting to eviscerate an already weak set of privacy regulations, and is doing so in a way that betrays a cynical approach to an important issue that requires serious public and political debate.
Part 4 of Bill C-4 does not constitute a “national, uniform, exclusive and complete” privacy regime
I will leave it to other witnesses to address the significant constitutional problems with these amendments to the CEA. I would like to contend that the privacy provisions in Bill C-4 do not do what they claim.
Sec 446.2 of Bill C-4, is intended to provide for a “national, uniform, exclusive and complete” privacy regime for FPPs. Sec 446.3 stipulates that the provisions of the FPPs’ privacy policies apply broadly to “any registered party or eligible party, as well as any person or entity acting on the party’s behalf, including the party’s candidates, electoral district associations, officers, agents, employees, volunteers and representatives.” There are several reasons why the privacy provisions in Bill C-4 do not constitute a “national, uniform, exclusive and complete” regime for the protection of personal information processed by the FPPs.
First, the CEA is not the appropriate statutory vehicle for imposing privacy obligations on the FPPs. Privacy protection law is that vehicle. Contemporary privacy protection law is complex, and requires far more than the obligations for transparency included in Part 4. The provisions are not “complete”. On the contrary they are incomplete.
Second, privacy law should include all ten principles in PIPEDA, supplemented with proper and enforceable provisions for independent oversight and accountability. The current provisions proposed in Part 4 amount to little more than tell us what you do, and give “illustrative examples.” Essentially, these amendments permit the FPPs to collect whatever personal data they wish from whatever sources and to process it in any way they please, provided they are transparent about it.[22] There is no external statutory standard for the legal processing of personal data, as is the cornerstone of international data protection law.
Therefore, there is nothing to oblige the FPPs to follow the same practices. They could (and by all accounts do) collect different categories of personal data from different sources. They could (and by all accounts do) share it widely within the larger campaigning ecosystem. They could (and by all accounts do) follow different security practices and standards. Part 4 amounts to little more than “self-regulation” and therefore, by definition, cannot be a uniform standard.
As the Privacy Commissioner stated in his submission on Bill C-65 of November 18, 2024[23]: “unlike the key provisions and principles that underpin the federal Privacy Act or the Personal Information Protection and Electronic Documents Act (PIPEDA), the rules proposed for federal political parties would not include statutory requirements for parties to: obtain individual consent; limit the collection of personal information; provide means for individuals to seek access to their information; limit the use and disclosure of personal information to those purposes for which it was collected; allow individuals to exercise a right of correction.”
Third, and contrary to the claim in Sec 446 (2) that these amendments will provide for a “national, uniform, exclusive and complete” privacy regime for FPPs they actually do nothing of the sort, when one considers the entire network of individuals, organizations and companies involved in contemporary political campaigns. A 2025 report from Open Media, based on analysis of national and provincial filings on campaign expenditures, reveals over 90 companies in Canada that work for political parties at federal, provincial and municipal levels.[24] This report demonstrates that the campaigning ecosystem in Canada is extensive, dynamic and complex. All organizations within this ecosystem need to abide by the same rules with respect to the protection of personal information.
Part 4 does not achieve that goal. Most notably, nothing in these provisions obliges the FPPs to obtain consent when they collect personal data on Canadians. And yet, companies that work for them and which are governed by the consent requirements in federal and provincial privacy laws, must (according to the 2019 decision on Aggregate IQ Inc. from the BC and federal privacy commissioners):[25] “take reasonable measures to ensure that the consent on which it relies – as the basis for its collection, use and disclosure of personal information on behalf of its clients – is compliant with PIPA and PIPEDA, as appropriate.” Part 4 does not provide for uniformity, and will likely create considerable confusion for the companies that process personally identifiable data on behalf of the FPPs.
Fourth, there is no meaningful oversight or enforcement mechanism. These provisions are designed to enforce compliance from individuals and organizations who work in some capacity for the FPPs. They do not address the deeper question of whether or not the practices of the FPPs (as reflected in their privacy policies) violate the reasonable expectations of privacy of Canadians. There is no clear process for complaint investigation and resolution. There is no indication of what individuals are supposed to do if they are dissatisfied with the response received from the party’s privacy officer.
With all due respect to Elections Canada, and the Commissioner of Canada Elections, they do not possess the resources or the expertise to monitor the complex technical environment of modern digital campaigning. The OPC, and its provincial and territorial counterparts do have that expertise and can give appropriate guidance about best practices. In BC, oversight is exercised jointly between the OIPC and Elections BC. [26] The OPC has recommended a similar oversight model based on similar formal collaboration between Elections Canada, the Commissioner of Canada Elections and the OPC. I support that recommendation.
Fifth, and relatedly, there is no effective mechanism for reporting data breaches. We have already witnessed a number of data breaches from political parties.[27] They are only likely to continue. The law should require the FPPs to inform the individuals affected if they judge that there is a “real risk of significant harm.” There must also be a duty to report such breaches to an independent and expert body, such as the OPC.[28] There was a provision obliging the parties to report data breaches in Bill C-65. It has been removed from Part 4.
The Potential Risks to Democracy
At root, this issue is not only about the rights of Canadians to exercise their privacy rights. It is about the heath and resilience of our democracy, and about restoring the trust of Canadians in their political institutions – including our political parties. The application of privacy law across the campaigning environment can assist in enforcing more transparency and rebuilding that trust. Political campaigning is changing dramatically as elections increasingly become more “data-driven” and voter analytics, predictive modelling and artificial intelligence tools drive campaign communications.
Prior research, in Canada and elsewhere, has demonstrated that the risks to democratic practices from “data-driven” campaigning and micro-targeting may include:[29]
- Chilling effects on participation.
- A propensity to deliver messages on wedge issues.
- The fragmentation of the national political discourse and debate.
- Ambiguous political mandates for elected governments.
- Voter suppression and disenfranchisement.
- Targeted voter manipulation campaigns.
- The prevalence of “permanent campaigning”.
- The erosion of trust between party volunteers “on the ground” and data analysts.
The application of an effective and enforceable privacy regime for the FPPs will not solve all the deeper problems with Canadian democracy, but it will:
- Establish a more level playing field and slow the incessant drive for more and more refined data used to profile Canadian voters, which typically benefits the larger and better resourced parties.
- Add some necessary clarity about the appropriate collection, use and disclosure of personal information – for employees, volunteers and the huge network of companies that operate within the campaigning ecosystem (which must comply with PIPEDA and provincial private sector privacy laws).
- Render more transparent the entirely opaque Voter Relationship Management Systems operated by each of the FPPs, which have become more sophisticated, interactive, integrative and efficient as new generations of digital and database technology, typically developed for US political campaigns, have been deployed.
- Establish some clearer rules about data security, and about best practices in the event of data breaches and cyberattacks.
- Provide for some truly enforceable privacy rights for individual Canadians.
Conclusion
There is no evidence, despite assertions by the FPPs, that compliance with privacy laws in other countries hinders political engagement, constrains their ability to recruit volunteers or otherwise prevents political parties from communicating their messages. There is also no credible reason why Canadians should enjoy privacy rights with respect to government agencies and private sector organizations, but not with political parties. Political parties do have special responsibilities in democratic societies to mobilize voters and communicate about their policies. But those functions can be performed whilst respecting privacy rights – as they are in the EU, the UK, New Zealand, and indeed in Quebec and BC, where provincial privacy law applies to the activities of political parties.
There are, indeed, strong arguments for having one consistent set of rules across Canada for the processing of personal data by federal political parties. But these provisions fall far short. If the government really wants to establish a “national, uniform, exclusive and complete” privacy regime for FPPs”, it should consider bringing the FPPs into its promised modernized version of PIPEDA. Failing that, it should develop, in consultation with the CEO and the OPC, a truly effective and enforceable national regulatory scheme as a separate national privacy protection statute applying to the FPPs.
___________________________________
[1] Bennett, C.J. Voter databases, micro-targeting and data protection law: can political parties campaign in Europe as they do in North America? (Dec 2016) 6(4) International Data Privacy Law 261.
[2] Delacourt, S. (2016). Shopping for votes: How politicians choose us and we choose them. Madeira Park: D & M Publishers.
[3] Bennett, C. J., & Bayley, R. M. (2012). Canadian federal political parties and personal privacy protection: A comparative analysis. Gatineau: Office of the Privacy Commissioner of Canada.
[4] Elections Canada, Preventing deceptive communications with electors: Recommendations from the Chief Electoral Officer of Canada following the 41st General Election (2013) at: http://www.elections.ca/res/rep/off/comm/comm_e.pdf
[5] Elections Canada, Meeting new challenges: Recommendations from the Chief Electoral Officer of Canada following the 43rd and 44th General Elections, June 7, 2022 at: https://www.elections.ca/content.aspx?section=res&dir=rep/off/rec_2022&document=index&lang=e
[6] House of Commons, Standing Committee on Access to Information, Privacy and Ethics (ETHI). (2018). Addressing digital privacy vulnerabilities and potential threats to Canada’s democratic electoral process: Report of the Standing Committee on Access to Information, Privacy and Ethics.
[7]Senate Standing Committee on Legal and Constitutional Affairs, Fourteenth Report (June 2023) at: https://sencanada.ca/en/committees/LCJC/Report/117611/44-1
[8] Office of the Privacy Commissioner of Canada (OPC) (2018). Securing trust and privacy in Canada’s electoral process. Resolution September 11-13, 2018.
[9] Office of the Privacy Commissioner of Canada (OPC) (2019). Guidance for federal political parties on protecting personal information, April 1, 2019. Pursuant to Bill C-76, the Elections Modernization Act, S.C. 2018, c. 31, s. 385.
[10]Open Media, “Federal Political Parties: Flunking the Privacy Law Test,” (April 23rd, 2024) at: https://openmedia.org/article/item/federal-political-parties-flunking-the-privacy-law-test
[11] Kevin Newman, Podcast, The Data on Us (September 16, 2019) (podcast with anonymous whistleblower)
[12] Curry, B. (2019). Majority of poll respondents express support for extending privacy laws to political parties. The Globe and Mail, June 13, 2019; Boutilier, A. Canada’s political parties are exempt from privacy laws. Voters say that needs to end. Global News, April 25, 2023 at: https://globalnews.ca/news/9649677/federal-parties-voters-privacy/
[13] Center for Digital Rights at: https://www.centrefordigitalrights.org/our-work/quinfecta
[14] British Columbia Office of the Information and Privacy Commissioner (2019). Full disclosure: Political parties, campaign data and voter consent. Investigation Report P19-01 at: https://www.oipc.bc.ca/documents/investigation-reports/2156
[15] The Green Party supports the extension of Canada’s privacy law to political parties.
[16]British Columbia Office of the Information and Privacy Commissioner (2022). Order P22-02. David Loukidelis QC. Conservative Party of Canada, Green Party of Canada, Liberal Party of Canada, New Democratic Party of Canada.
[17] Liberal Party of Canada v. Complainants 2024 BCSC 814 at: https://www.canlii.org/en/bc/bcsc/doc/2024/2024bcsc814/2024bcsc814.html
[18] Canada Elections Act, s 110, s 111
[19] Canada Elections Act, s. 275.
[20] Bill C-76, Elections Modernization Act: An Act to amend the Canada Elections Act and consequential amendments, 1st Sess, 42nd Parl, 2018
[21] Scassa, T. ‘A federal bill to impose privacy obligations on political parties in Canada falls (way) short of the mark’ (2 May 2018) <http://www.teresascassa.ca/index.php?option=com_k2&view=item&id=276:a-federal-bill-to-impose-privacy-obligations-on-political-parties-in-canada-falls-way-short-of-the-mark&Itemid=80
[22]I satirized these provisions at: https://www.colinbennett.ca/blog/the-surveillance-party-of-canada-policy-for-the-protection-of-personal-information-amended-april-1-2024/
[23] https://www.priv.gc.ca/en/opc-actions-and-decisions/advice-to-parliament/2024/parl_sub_241118/#
[24] https://openmedia.org/article/item/openmedias-influence-industry-report
[25] Office of the Privacy Commissioner of Canada, Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia: PIPEDA Findings 2019-004 (26 November 2019) at: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-004/
[26] BC OIPC and Elections BC. Guidance Document: Political Campaign Activity (August 2022) at: https://www.oipc.bc.ca/documents/guidance-documents/2537
[27] Canada’s Political Party Privacy Hall of Shame (January 17, 2024) at: https://openmedia.org/article/item/canadas-political-party-privacy-hall-of-shame
[28] Bill C-65 did contain some modest provisions requiring data breach notification. They no longer appear in C-4.
[29] The research is extensive. The literature was discussed in C. J. Bennett and D. Lyon, Data-driven Elections, Internet Policy Review, Vol. 8. No. 4 (2019); and N. Witzleb, M.Paterson & J. Richardson, ed, Big Data, Political Campaigning and the Law: Democracy and Privacy in the Age of Micro-Targeting (Abingdon, UK: Routledge: 2019). See also, UK Information Commissioner, Democracy Disrupted? Personal Information and Political Influence (July 11, 2018).