This is a copy of my submission in response to the Elections Canada consultation on Political Communications in Federal Elections. The consultation closes on August 21, 2020. Note that this submission has endnotes which are at the end of the document. Where possible these include hyperlinks to the cited sources.
16 August 2020
I appreciate the invitation to respond to Elections Canada’s consultation on the overall regulatory regime that governs political communications in federal elections. I hold the Canada Research Chair in Information Law and Policy at the University of Ottawa, where I am also a law professor. I provide the following comments in my capacity as an individual.
The consultation raises issues of great importance to Canadians. My comments will focus on Discussion Paper 3: The Protection of Electors’ Personal Information in the Federal Electoral Context.[1]
Concerns over how political parties handle personal information have increased steadily over the years. Not surprisingly, this coincides with the rise of big data analytics and artificial intelligence (AI) and the capacity of these technologies to use personal data in new ways including profiling and manipulating. Discussion Paper 3 homes in on the Cambridge Analytica scandal[2] and its implications for the misuse of personal data for voter manipulation. This egregious case illustrates why, in a big data environment, we need to seriously address how voter personal data is collected, used and disclosed.[3] The potential misuse of data for voter manipulation is an expanding threat.[4] Yet this kind of high-profile voter manipulation scandal is not the only concern that Canadians have with how their personal information is handled by political parties. Additional concerns include lax security;[5] unwanted communications;[6] targeting based on religion, ethnicity or other sensitive grounds;[7] data sharing;[8] lack of transparency;[9] and voter profiling.[10] In addition, there is a troubling lack of transparency, oversight and accountability.[11] All of these are important issues, and they must be addressed through a comprehensive data protection regime.[12]
Public concern and frustration with the state of data protection for Canadians when it comes to political parties has been mounting. There have been reports and studies,[13] op-eds and editorials,[14] privacy commissioner complaints,[15] a competition bureau complaint,[16] and even legal action.[17]
There is a growing gulf between what Canadians expect when it comes to the treatment of their personal data and the obligations of political parties. Canadians now have two decades of experience with the Personal Information Protection and Electronic Documents Act (PIPEDA)[18] which governs the collection, use, and disclosure of personal data in the private sector. Yet PIPEDA does not apply to political parties, and there is a very wide gap between PIPEDA’s data protection norms and the few rules that apply to federal political parties. There is also considerable unevenness in the regulatory context for use of personal data by political parties across the country. For example, B.C.’s Personal Information Protection Act (PIPA)[19] already applies to B.C. political parties, and while there have been some problems with compliance,[20] the democratic process has not been thwarted. A recent interpretation of PIPA by the B.C. Privacy Commissioner also places federal riding offices located in B.C. under its jurisdiction.[21] This means that there are now different levels of data protection for Canadians with respect to their dealings with federal parties depending upon the province in which they live and whether, if they live in B.C., they are interacting with their riding office or with the national party itself. Further, if Quebec’s Bill 64 is enacted, it would largely extend the province’s private sector data protection law to political parties. Ontario, which has just launched a consultation on a new private sector data protection law for that province, is considering extending it to political parties.[22] Internationally, the EU’s General Data Protection Regulation (GDPR)[23] applies to political parties, with some specially tailored exceptions. Frankly put, it is becoming impossible to credibly justify the lack of robust data protection available to Canadians when it comes to how their personal data is handled by political parties.
Lax data protection is neither the rule in Canada, nor the norm internationally.
There are points at which Discussion Paper 3 is overly defensive about the need for political parties to collect, use and disclose personal information about voters in the course of their legitimate activities. This need is not contested. But for too long it has gone virtually unrestrained and unsupervised. To be clear, data protection is not data prohibition. Data protection laws explicitly acknowledge the need of organizations to collect, use and disclose personal information.[24] Such laws set the rules to ensure that organizations collect, use, and disclose personal data in a manner consistent with the privacy rights of individuals. In addition, they protect against broader societal harms that may flow from unrestrained uses of personal data, including, in the political context, the manipulation of voters and subversion of democracy.
1. Information provided to parties by Elections Canada
Discussion Paper 3 sets out the current rules that protect electors’ personal information. For the most part, they are found in the Canada Elections Act (CEA).[25] In some instances, these rules provide less protection than comparable provincial election laws. For example, security measures, including the use of fictitious information in lists of electors to track unauthorized uses are in place in some jurisdictions, but not at the federal level. Discussion Paper 3 notes that while such measures are not part of the CEA, best practices are provided for in Elections Canada guidelines.[26] These guidelines are not mandatory and are insufficient to protect electors’ information from deliberate or unintentional misuse.
The CEA also contains new provisions requiring political parties to adopt privacy policies and to publish these online. While such privacy policies offer some improved degree of transparency, they do not provide for adequate enforcement or accountability. Further, they do not meet the threshold, in terms of prescribed protections, of the fair information principles that form the backbone of most data protection laws including PIPEDA.
There are some matters that should be addressed by specific provisions in the CEA. These relate to information that is shared by the CEA with political parties such as the list of electors. The CEA should maintain accountability for this information by imposing security obligations on parties or candidates who receive the list of electors. It would be appropriate in those circumstances to have specific data breach notification requirements relating to the list of electors contained in the CEA. However, with respect to the wealth of other information that political parties collect or use, they should have to comply with PIPEDA and be accountable under PIPEDA for data breaches.
2. Fair Information Principles Approach
Discussion Paper 3 takes the position that fair information principles should be applied to political parties, and frames its questions in terms of how this should be accomplished. There are two main options. One is to craft a set of rules specifically for political parties which might be incorporated into the CEA, with oversight by either the Privacy Commissioner and/or the Chief Electoral Officer. Another is to make political parties subject to PIPEDA, and to add to that law any carefully tailored exceptions necessary in the political context. The latter approach is better for the following reasons:
· The data protection landscape in Canada is already fragmented, with separate laws for federal and provincial public sectors; separate laws for the private sector, including PIPEDA and provincial equivalents in B.C., Alberta and Quebec; and separate laws for personal health information. There is a benefit to simplicity and coherence. PIPEDA can be adapted to the political context. There are many obligations which can and should be the same whether for private sector organizations or political parties. If particular exceptions tailored to the political context are required, these can be added.
· Political parties in BC (including federal riding associations) are already subject to data protection laws. Quebec, in Bill 64, proposes to make political parties subject to their private sector data protection law. The same approach should be followed federally.
· It is expected that PIPEDA will be amended in the relatively short term to bring it into line with the contemporary big data context. Creating separate norms in the CEA for political parties risks establishing two distinct privacy schemes which may not keep up with one another as the data context continues to evolve. It is much simpler to maintain one set of norms than to have two sets of privacy norms that are initially similar but that diverge over time.
3. Fair Information Principles: Specific Provisions
Discussion Paper 3 considers certain of the Fair Information Principles and how they apply to political parties. This discussion seems to assume in places that the solution will be to introduce new provisions in the CEA, rather than applying PIPEDA to political parties, subject to certain exceptions. For example, the first question under Accountability asks “Besides publishing their privacy policies, what other requirements could parties be subject to in order to make them accountable for how they collect, use and disclose personal information?”[27] As noted above, my view is that political parties should be subject to PIPEDA. The “other requirements” needed are those found in PIPEDA. There is no need to reinvent the wheel for political parties.
On the issue of data breaches, I note with concern that Discussion Paper 3 takes an overly cautious approach. For example, it states, presumably referring to PIPEDA, that “There are also penalties for organizations that knowingly fail to report a breach, which could be ruinous for a smaller party.”[28] In the first place, these penalties are for knowingly failing to report a breach, not for experiencing a breach. A party that experiences a data breach that creates a real risk of serious harm to an individual (the reporting threshold) and does not report it, should not complain of the fines that are imposed for this failure. Secondly, the amounts set out in the legislation are maximum fines and courts have discretion in imposing them. In any event, a class action lawsuit following a data breach is much more likely to be the ruination of a smaller party; liability for such a data breach could be mitigated by being able to demonstrate not only that the party complied with data protection norms but that it also responded promptly and appropriately when the breach took place. In my view, the data breach notification requirements can and should be applied to political parties.
Discussion Paper 3 also floats the idea of a voluntary code of practice as an alternative to parties being subject to data protection laws. It states: “A voluntary code may be more palatable to political parties than legislated change, while at the same time moving towards increasing electors’ privacy”.[29] It is fair to say that ‘soft’ guidance with no enforcement is always more palatable to those to whom it would apply than real obligations. However, we are long past the time for a gentle transition to a more data protective approach. Political parties have embraced big data and data analytics and now collect, use, and disclose unprecedented amounts of personal information. They need to be subject to the same data protection laws as other actors in this environment. While those laws may need a few carefully tailored exceptions to protect the political process, on the whole, they can and should apply.
It would be wasteful, confusing, and unsatisfactory to create a parallel regime for data protection and political parties in Canada. Given their embrace of the big data environment and their expanding use of personal data, these parties should be held to appropriate and meaningful data protection norms, with oversight by the Privacy Commissioner of Canada. Federal political parties should be subject to PIPEDA with some carefully tailored exceptions.
[1] Elections Canada, Discussion Paper 3: The Protection of Electors’ Personal Information in the Federal Electoral Context, May 2020, online: https://www.elections.ca/content.aspx?section=res&dir=cons/dis/compol/dis3&document=index&lang=e.
[2] See, e.g.: Office of the Privacy Commissioner of Canada, PIPEDA Report of Findings #2019-004: Joint investigation of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia, November 26 2019, online: https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-004/.
[3] Cherise Seucharan and Melanie Green, “A B.C. scandal has pulled back the curtain on how your online information is being used”, November 29, 2019, online: https://www.thestar.com/vancouver/2019/11/29/heres-how-companies-and-political-parties-are-getting-their-hands-on-your-data.html.
[4] Brian Beamish, 2018 Annual Report: Privacy and Accountability for a Digital Ontario, Office of the Information and Privacy Commissioner of Ontario, June 27, 2019, at p. 30, online: https://www.ipc.on.ca/wp-content/uploads/2019/06/ar-2018-e.pdf. Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, online: https://www.oipc.bc.ca/investigation-reports/2278.
[5] Joan Bryden, “Elections Canada chief warns political parties are vulnerable to cyberattacks”, 4 February 2019, Global News, online: https://globalnews.ca/news/4925322/canada-political-parties-cyberattack-threat/; Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 6 (noting the number of complaints received relating to lax security practices), and pp. 27-31 (outlining security issues), online: https://www.oipc.bc.ca/investigation-reports/2278.
[6] Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 22, online: https://www.oipc.bc.ca/investigation-reports/2278. Note that the complaint that led to the ruling that that province’s Personal Information Protection Act applied to federal riding associations in B.C. was based on an unconsented to use of personal data. See: OIPC BC, Courtenay-Alberni Riding Association of The New Democratic Party of Canada, Order No. P19-02, 28 August 2019, online: https://www.oipc.bc.ca/orders/2331.
[7] See, e.g.: Michael Geist, “Why Political Parties + Mass Data Collection + Religious Targeting + No Privacy Laws = Trouble”, October 11, 2019, online: http://www.michaelgeist.ca/2019/10/why-political-parties-mass-data-collection-religious-targeting-no-privacy-laws-trouble/; Sara Bannerman, Julia Kalinina, and Nicole Goodman, “Political Parties’ Voter Profiling Is a Threat to Democracy”, The Conversation, 27 January 2020, online: https://thetyee.ca/Analysis/2020/01/27/Political-Parties-Profiling-Democracy/.
[8] See: Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 25, online: https://www.oipc.bc.ca/investigation-reports/2278.
[9] Colin Bennett, “They’re spying on you: how party databases put your privacy at risk”, iPolitics, September 1, 2015, online: https://ipolitics.ca/2015/09/01/theyre-spying-on-you-how-party-databases-put-your-privacy-at-risk/.
[10] Colin J. Bennett, “Canadian political parties are gathering more and more data on voters all the time. It’s time we regulated what data they glean, and what they can do with it”, Policy Options, 1 February 2013, online: https://policyoptions.irpp.org/magazines/aboriginality/bennett/.
[11] See, e.g.: Yvonne Colbert, “What's in your file? Federal political parties don't have to tell you”, CBC, 30 July 2019, online: https://www.cbc.ca/news/canada/nova-scotia/privacy-federal-political-parties-transparency-1.5226118; Katharine Starr, “Privacy at risk from Canadian political parties, says U.K. watchdog”, CBC, 10 November 2018, online: https://www.cbc.ca/news/politics/uk-information-commissioner-canadian-parties-data-privacy-1.4898867.
[12] Federal, Provincial and Territorial Privacy Commissioners of Canada support meaningful privacy obligations for political parties. See: Securing Trust and Privacy in Canada’s Electoral Process: Resolution of the Federal, Provincial and Territorial Information and Privacy Commissioners, Regina, Saskatchewan, September 11-13, 2018, online: https://www.priv.gc.ca/en/about-the-opc/what-we-do/provincial-and-territorial-collaboration/joint-resolutions-with-provinces-and-territories/res_180913/.
[13] See, e.g.: Colin J. Bennett and Robyn M. Bayley, “Canadian Federal Political Parties and Personal Privacy Protection: A Comparative Analysis”, March 2012, online: https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2012/pp_201203/; Colin Bennett, “Data Driven Elections and Political Parties in Canada: Privacy Implications, Privacy Policies and Privacy Obligations”, (April 12, 2018). Canadian Journal of Law and Information Technology, Available at SSRN: https://ssrn.com/abstract=3146964; Colin J. Bennett, “Privacy, Elections and Political Parties: Emerging Issues For Data Protection Authorities”, 2016, online: https://www.colinbennett.ca/wp-content/uploads/2016/03/Privacy-Elections-Political-Parties-Bennett.pdf; House of Commons, Standing Committee on Access to Information, Privacy and Ethics, Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly (December 2018), online: <https://www.ourcommons.ca/Content/Committee/421/ETHI/Reports/RP10242267/ethirp17/ethirp17-e.pdf>, archived: https://perma.cc/RV8T-ZLWW.
[14] See, e.g.: Samantha Bradshaw, “Data-protection laws must be extended to political parties”, Globe and Mail, 22 March 2018, online: https://www.theglobeandmail.com/opinion/article-data-protection-laws-must-be-extended-to-political-parties/; Michael Morden, “Politicians say they care about privacy. So why can political parties ignore privacy law?”, Globe and Mail, 29 May 2019, online: https://www.theglobeandmail.com/opinion/article-politicians-say-they-care-about-privacy-so-why-can-political-parties/; Colin Bennett, “Politicians must defend Canadians’ online privacy from Big Tech – and from politicians themselves”, Globe and Mail, 26 December 2019, online: https://www.theglobeandmail.com/opinion/article-politicians-must-defend-canadians-online-privacy-from-big-tech-and/; Sabrina Wilkinson, “Voter Privacy: What Canada can learn from abroad”, OpenCanada.org, 4 October 2019, online: https://www.opencanada.org/features/voter-privacy-what-canada-can-learn-abroad/; Fraser Duncan, “Political Parties and Voter Data: A Disquieting Gap in Canadian Privacy Legislation”, Saskatchewan Law Review, June 21 2019, online: https://sasklawreview.ca/comment/political-parties-and-voter-data-a-disquieting-gap-in-canadian-privacy-legislation.php; Colin Bennett, “They’re spying on you: how party databases put your privacy at risk”, iPolitics, September 1, 2015, online: https://ipolitics.ca/2015/09/01/theyre-spying-on-you-how-party-databases-put-your-privacy-at-risk/.
[15] See: Office of the Information and Privacy Commissioner of British Columbia, “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 25, online: https://www.oipc.bc.ca/investigation-reports/2278; OIPC BC, Courtenay-Alberni Riding Association of The New Democratic Party of Canada, Order No. P19-02, 28 August 2019, online: https://www.oipc.bc.ca/orders/2331.
[16] See: Rachel Aiello, “Major political parties under competition probe over harvesting of Canadians' personal info”, CTV News, 15 January 2020, online: https://www.ctvnews.ca/politics/major-political-parties-under-competition-probe-over-harvesting-of-canadians-personal-info-1.4768501.
[17] Rachel Gilmore, “Privacy group going to court over alleged improper use of voters list by Liberals, Tories and NDP”, CTV News, 10 August 2020, online: https://www.ctvnews.ca/politics/privacy-group-going-to-court-over-alleged-improper-use-of-voters-list-by-liberals-tories-and-ndp-1.5058556.
[18] SC 2000, c 5, http://canlii.ca/t/541b8.
[19] SBC 2003, c 63, http://canlii.ca/t/52pq9.
[20] “Investigation Report P19-01: Full Disclosure: Political parties, campaign data, and voter consent”, February 6, 2019, at 22, online: https://www.oipc.bc.ca/investigation-reports/2278.
[21] OIPC BC, Courtenay-Alberni Riding Association of The New Democratic Party of Canada, Order No. P19-02, 28 August 2019, online: https://www.oipc.bc.ca/orders/2331.
[22] Ministry of Government and Community Services, “Ontario Private Sector Privacy Reform: Improving private sector privacy for Ontarians in a digital age”, 13 August 2020, online: https://www.ontariocanada.com/registry/showAttachment.do?postingId=33967&attachmentId=45105.
[23] L119, 4 May 2016, p. 1–88; online: https://gdpr-info.eu/.
[24] See, e.g., PIPEDA, s. 3.
[25] SC 2000, c 9, http://canlii.ca/t/53mhm.
[26] Elections Canada, Guidelines for the Use of the List of Electors, https://www.elections.ca/content.aspx?section=pol&document=index&dir=ann/loe_2019&lang=e.
[27] Elections Canada, Discussion Paper 3: The Protection of Electors’ Personal Information in the Federal Electoral Context, May 2020, at 11, online: https://www.elections.ca/content.aspx?section=res&dir=cons/dis/compol/dis3&document=index&lang=e.
[28] Ibid at 16.
[29] Ibid at 17.