The current controversy concerning Cambridge Analytica, Aggregate IQ and Facebook has raised to public and media attention a number of interrelated issues, that need to be carefully distinguished:
- The monopoly power of companies like Facebook in the “platform economy” and their dependence on personal data for their business models
- The non-consensual harvesting of information on one’s wider social network through third-party applications
- The possible violations of campaign spending limitations
- The accountability and transparency for targeted political ads especially from fake foreign accounts.
- Cyberthreats to election integrity
- The larger question of the role of Big Data analytics in modern elections
- The central role that political parties play in the data-driven election, and the need to bring them within Canada’s regime of privacy protection legislation
Cambridge Analytica and Aggregate IQ are part of a larger voter analytics industry. There are many other companies, mainly American, which have taken advantage of more flexible privacy standards in the US and the ability to process vast amounts of personal information from public and commercial sources, used to “micro-target” consumers in an increasingly granular manner, and thus “shop for votes.”
There has been a lot of hype about the importance of the “data-driven” election, and recent scholarly work that sheds a skeptical light on the extent to which data analytics do indeed influence election outcomes. Nevertheless, the competitiveness of current elections continues to place enormous pressure on major political parties in most democracies to continue to use data analytics to gain any edge over their rivals. Thus, more data on voters are being captured, and those data are increasingly shared through a complicated and dynamic network of organizations, involving some quite obscure companies that play important roles as intermediaries between the voters and their elected representatives.
This industry is not as extensive in Canada, but still a large variety of businesses offer various services on: polling, data analytics, software development, digital ad placement, social media outreach and so on. We lack a comprehensive understanding of the role that personal data plays in the political process in Canada, and an accurate picture of this industry.
I have followed your hearings carefully. This investigation is an important beginning, but I hope it will motivate further analysis.
I would like to make three general points about policy development going forward.
- The critical importance of bringing Canadian privacy law in line with the GDPR.
The recent decision of Facebook to move data on all its non-European users from Ireland to the United States is clearly motivated by a desire to escape some of the more stringent rules inherent in the GDPR. To discourage this kind of “jurisdiction shopping,” it is critically important that Canada raises its privacy standards, to make it more difficult for companies to engage in this kind of behavior. Your February report is an excellent start. Particularly critical for these issues about the processing of information on political opinions (defined as sensitive information in the GDPR) is the need:
- to strengthen PIPEDA’s consent provisions
- to implement provisions for algorithmic transparency
- to make privacy by design and default central legislative principles
- to strengthen the Privacy Commissioner’s audit and enforcement powers, and
- to clarify categories of sensitive personal data (including those on political opinions)
2. The pressing need to bring our political parties within Canada’s regime of privacy protection law
One of the keys to preventing the kinds of abuses we have seen in other countries is to establish some clearer and consistent rules on the kinds of data that political parties may use for campaigning purposes. We need to establish a level-playing field that essentially prevents companies like Cambridge Analytica from engaging in the same practices in Canada that have been witnessed elsewhere.
Canada is one of the only advanced democratic countries where privacy protection law does not cover political parties. For the most part, they are not covered under PIPEDA, or substantially similar provincial laws (with the exception of the Personal Information Protection Act in BC). They are not government agencies, and are therefore not covered by the Privacy Act. They are also largely and expressly exempt from the new anti-Spam legislation (CASL) as well as from some of the “Do-Not Call” list regulations administered through the CRTC. There are privacy and security rules within the Canada Elections Act; but these just apply to the voters lists, and not to other sources of personal information.
Thus Canadians have no legal rights to learn what personal information about them is contained in party databases, to access and correct those data, to remove themselves from these systems, or to restrict the collection, use and disclosure of their personal data. For the most part, parties have no legal obligations to keep that information secure and accurate, to be transparent about the sources of the information, to only retain it for as long as necessary, and to control who has access.
Moreover, whereas the Privacy Commissioner can investigate Facebook, he cannot investigate the practices of our political parties. So he cannot get the full picture, in the way that the Information Commissioner in the UK can, and is, under her current investigation.
There are four major legislative options with respect to regulating federal political parties:
- The Privacy Act
- The Elections Act
- Stand-alone legislation.
There is a need for serious legal and constitutional analysis about the various legislative options; each approach has its pros and cons.
However, it is clear to me that the status quo is untenable.
First, there will be continuing publicity about the use of personal data in elections, that will only increase leading up to the federal election of 2019, particularly with respect to political micro-targeting on Facebook.
Secondly, political parties do have to comply with BC’s Personal Information Protection Act (PIPA). The BC Information and Privacy Commissioner is currently investigating the practices of BC’s provincial parties. I believe that federal political parties are also governed by this legislation to the extent that they are capturing information on voters in BC. If federal parties will have to comply with BC’s privacy legislation (which is consistent with PIPEDA), then there is no sensible reason why they should not extend those same good practices across the country.
And third, I do sense a growing recognition among parties that pursuing good privacy management practices is in their interests, as well as those of citizens.
3. Parties should self-regulate to improve their privacy policies and practices
Legislative change might take some time. In the meantime, there is much that parties can do to self-regulate and restore public confidence. I have analyzed the privacy policies of federal and provincial political parties, and the commitments that have already been made. There have been some improvements since our 2012 report, but they are still incomplete and inadequate. None provide clear commitments against all ten principles contained in the National Privacy Standard which is at the heart of PIPEDA.
I don’t see why all parties cannot publicly endorse these principles, and adhere to a common privacy code that comprehensively addresses the protections for all the personal information under their control. It is not enough, but it would create a more level playing-field. In 2013, the Chief Electoral Officer recommended that adherence to such a code would be a condition for receiving the Voters List. It is unlikely that one party would pursue such a course on its own, and leadership will be necessary, involving the CEO and the Privacy Commissioner, to support joint action.
What should change?
- Greater transparency on the sources of data, directly and indirectly captured, that enter the parties’ Voter Relationship Management systems (like Liberalist, Populus, CIMS).
- A common commitment that the parties do not, and will not, purchase commercial sources of personally identifiable information on consumer behavior (as opposed to aggregate level data)
- An agreement on how social media platforms should, and should not, be used for electoral purposes, particularly with respect to automated “bots.”
- Commitments to privacy accountability, including designated Chief Privacy Officers, and better training of staff and volunteers on privacy and security
- Stronger commitments to provide rights of access and correction to individuals
- Better management and updating of internal do-not-call lists
- A common commitment to provide unsubscribe options for email and text messages
- Better management of role-based access to party databases
- Clearer policies about how to respond to data breaches
None of this should be difficult, nor contentious, if all parties commit to higher standards and a common approach. It certainly should not be a party-political issue. Political parties have a responsibility to educate and mobilize the electorate. But there should also be an appropriate balance between their important interests and roles, and the privacy rights of Canadians.
No organization likes data breaches — just ask Facebook. Just think of the ramifications of a major data breach by any political party in the course of an election campaign.
 “Data Driven Elections and Political Parties in Canada: Privacy Implications, Privacy Policies and Privacy Obligations,” forthcoming Canadian Journal of Law and Information Technologyat: https://papers.ssrn.com/sol3/papers.cfm?abstract_id=3146964
Fenwick McKelvey & Elizabeth Dubois, “Toward the Responsible Use of Bots in Politics” Policy Options(23 November 2017), online: <http://policyoptions.irpp.org/magazines/november-2017/toward-the-responsible-use-of-bots-in-politics/>.