Applying Fair Information Principles to Political Parties – Discussion Paper 3: The Protection of Electors' Personal Information in the Federal Electoral Context

The fair information principles are based on guidelines developed by the Organisation for Economic Cooperation and Development in 1980. These guidelines serve to harmonize privacy laws, uphold individual rights and facilitate the free flow of information across borders. They also served as the basis for the Canadian Standards Association's Model Code for the Protection of Personal Information. The voluntary model code set out minimum privacy standards to assist organizations in managing personal information. The model code was incorporated into Schedule 1 of PIPEDA in 2000. Ongoing reviews of PIPEDA and the Privacy Act acknowledge that the fair information principles may need to be reformed to protect privacy in the digital age.

In Canada, it has been widely recommended that political parties be required to adhere to fair information principles. The Office of the Privacy Commissioner of Canada (OPC) issued guidance that encourages parties to comply with the principles as outlined in PIPEDA.^{Footnote 29}

Moving beyond whether the fair information principles should apply to parties, this section poses questions in order to generate discussion on how the principles could be applied in practice to political parties. Consideration should be given to how these principles may apply to parties given their unique role in Canada's democracy, and to the amount and level of resources they may have.

Registered Third Parties

Third parties may also be organized to build and, in some cases, be capable of building complex databases that contain information on large numbers of Canadian electors–even though they do not receive lists of electors or statements of electors who have voted during the electoral period, and may reach these electors through micro-targeting.^{Footnote 30}

The CEA regulates certain activities of third parties during pre-election and election periods. A third party could be any person or group that wants to participate in or influence the election (other than political parties, electoral district associations, nomination contestants or candidates that are otherwise regulated). While the CEA does not contain any provisions restricting the collection, use and disclosure of personal information by third parties in the election context, third parties may be subject to restrictions in this regard under other legislation, depending on their particular context. This would be the case, for example, of private-sector agencies whose commercial activities are regulated under the Personal Information Protection and Electronic Documents Act (PIPEDA).

Questions to consider:

• Should registered third parties be subject to privacy requirements as regulated entities under the CEA?

Accountability

Organizations subject to PIPEDA are responsible for personal information under their control, which includes information they transfer to a third-party partner. They must establish policies and procedures to give effect to the principles under PIPEDA and designate a person accountable for the organization's compliance. Organizations should be transparent about their practices for handling personal information, including informing individuals of any breach of personal information that poses a significant risk of harm.^{Footnote 31}

As noted above, amendments to the CEA require political parties' privacy policies to indicate the name and contact information of someone responsible for privacy matters. Policies must explain what information is being collected, why, under what circumstances it would be sold, and employee training and practices related to collection of online information.

While privacy policies are notorious for being lengthy and unreadable, political parties' policies, while somewhat challenging to find on their websites, are written in lay terms. This is positive from an openness perspective. However, informing the electorate may require more than a link to a policy, which may not be useful when canvassing or when sending automated texts.

Questions to consider:

• Besides publishing their privacy policies, what other requirements could parties be subject to in order to make them accountable for how they collect, use and disclose personal information?
• When political parties share information with a third-party partner, should they continue to be held accountable for the use of that information?

Consent

Under PIPEDA, knowledge and consent are required for the collection, use and disclosure of personal information, except where inappropriate. According to the OPC, "consent is considered meaningful when individuals are provided with clear information explaining what organizations are doing with their information."^{Footnote 32} Consent is important because it contributes to a trusting relationship between organizations and individuals.

The type of consent may vary. Explicit or express consent means that a person is informed of the purpose for collecting, using and disclosing their information and actively agrees to it. The OPC recommends that express consent be sought when the information being collected, used or disclosed is sensitive, outside what would be considered a reasonable expectation, or could result in the risk of significant harm.^{Footnote 33} In other instances, consent may be implicit or implied, such as when the purpose is obvious.^{Footnote 34} In some instances it may not be appropriate to collect, use or disclose personal information even with consent.^{Footnote 35} Consent may also be withdrawn.

In the case of political parties in British Columbia that are subject to the PIPA, the BC Privacy Commissioner has recommended that when canvassing door to door, parties obtain express consent to collect information about gender, religion and ethnicity.^{Footnote 36} He also notes that parties do not have implied consent to develop voter profiles or predict voting behaviour, because this data analysis would not be obvious to a reasonable voter.^{Footnote 37}

As highlighted in a joint investigation into a firm in British Columbia that delivered micro-targeted ads on behalf of several Canadian political campaigns, appropriate consent must be obtained at the time of collection for all uses by the organization that originally collected the information or by any organization the information may be shared with. For example, if a party collected contact information for the purposes of keeping an elector up to date on a campaign, it should not share the information for the purposes of conducting data analysis or profiling without express consent.^{Footnote 38}

Canada's Anti-Spam Legislation is instructive regarding where a party/candidate has "implied consent" to send messages to persons with whom it has an existing non-business relationship. For example, if a person is a donor or a volunteer or attended a meeting organized by a party/candidate, they are considered to have provided implied consent to a political party or candidate to receive a message. Implied consent is only valid if the relationship is established within the two years preceding the message.^{Footnote 39}

How organizations obtain consent may vary depending on how they interact with individuals (i.e., online consent may be provided by checking a box or by continuing to peruse a website, whereas in person it may be provided in writing, verbally or by voluntarily providing information). In certain circumstances, obtaining consent may not be possible in practice. For example, information can be collected in greater volume and velocity than before, as is the case with search engine indexing websites and big data analytics.^{Footnote 40}

In its September 2017 report on consent consultations, the OPC notes that achieving meaningful consent in the digital age has become increasingly difficult; the OPC recommends making consent more meaningful, providing alternatives to consent and improving governance. Similarly, in its recent PIPEDA paper, Innovation, Science and Economic Development Canada notes that the current consent model is challenged and may need to change.^{Footnote 41}

There are several exemptions^{Footnote 42} to the requirement to seek consent, including when collecting, using or disclosing the information is in the interests of the individual; to investigate the contravention of a law or the breach of an agreement or fraud; or for journalistic, artistic or literary purposes. Consent is not required when the information is publicly available, as defined by the regulations.^{Footnote 43} While some would appreciate that the regulations be updated to reflect today's digital reality (much of the information on the Internet is public), the OPC cautions that just because information is public does not mean there is no interest in protecting the information from misuse.^{Footnote 44} The OPC recommends that Parliament consider modernizing the rules on publicly available information and consider examining the possibility of introducing exceptions where consent cannot be given or where societal benefits outweigh privacy incursions.^{Footnote 45}

The BC Privacy Commissioner has recommended that parties collect publicly available personal information without consent only if there is a "reasonable connection" between the purpose of collection and the purpose for which the information is publicly available.^{Footnote 46}

Consent is also not required if authorized by law for collection or disclosure such as for the lists of electors and the statements of electors who voted, which are provided to political parties and candidates pursuant to the CEA.

Questions to consider:

• Under what circumstances should an elector's consent be implicit or explicit? Should consent be required for the collection and use of publicly available information?
• Would any uses or disclosures of personal information be unacceptable, even with consent? Should such areas be expressly delineated by law?
• Should there be any regulation about how information that Elections Canada provides to parties can be combined with other sources of information?
• Should electors' consent be obtained for providing lists of electors and statements of electors who voted to political parties and candidates?

Identifying Purposes, Limiting Collection and Limiting Use, Disclosure and Retention

At or before the time it is collected, organizations subject to PIPEDA must identify why they collect personal information; organizations must also limit its use, collection and disclosure to those identified purposes; and retain the information only as long as necessary to fulfill those purposes.^{Footnote 47}

Parties have a legitimate need to collect and use personal information in order to better understand the electorate's needs, communicate with them and increase their own chances of electoral success. However, based on the breadth of information that may be collected, directly or indirectly, there may be a risk that voter profiles contain information that is beyond what is necessary for campaigning purposes, and that such information is shared for unrelated purposes. Limiting collection also reduces the impact of potential security breaches, and inaccurate data. In British Columbia, sensitive information such as religion, gender or ethnicity must not be collected (unless there is express consent to do so).^{Footnote 48}

Recent amendments to the CEA require parties' privacy policies to be published online and to specify what information is collected and how it is used. However, not all transactions with parties, candidates or their volunteers occur online, and not all electors may be aware that policies exist. As such, and closely aligned to the principles of openness and consent, it is particularly important to identify why information is collected if the purpose is not directly linked to campaigning. For example, when signing a petition, individuals should be informed that their information may subsequently be used for any other purposes.^{Footnote 49}

Some have suggested that parties should delete data after every election^{Footnote 50}; however, the ability to communicate with electors for political purposes may be necessary between elections. Collecting data again from scratch would pose an organizational burden and does not align with the fact that federal parties receive the voters' lists annually (for electoral districts where they ran a candidate). In addition, requiring deletion could hinder any enforcement measures after an election. However, there may be some instances, such as when a party is deregistered or ceases to exist, where deletion, or other measures to ensure personal information is protected, may be warranted.

Parties may transfer personal information to organizations for a number of reasons such as supporting provincial parties in their electoral campaigns, processing donations, making automated phone calls, targeting ads on social media or analyzing data. While parties may share information for different purposes with a spectrum of organizations, the recent amendments to the CEA require only that parties indicate whether they sell data. At the time of writing, none of the policies of parties currently represented in the House of Commons indicate to whom parties may disclose personal information.^{Footnote 51} Given that parties now receive electronic statements of the vote in addition to lists of electors, their ability to share data, conduct data matching and target electors is increased.

Questions to consider:

• Should there be mandatory restrictions on what type of information parties collect, including sensitive information such as religion or sexual orientation?
• Should there be restrictions on how long parties can retain personal information? How might that vary depending on the type of information (i.e., political opinions, financial information and address information)?
• To what extent should parties be subject to clarifying the purposes for which personal information is collected, used and disclosed?
• Should the CEA be amended to require that party privacy policies indicate under what circumstances a party may share personal information with a third party, such as provincial political parties?

Accuracy and Individual Access

Organizations subject to fair information principles are responsible for ensuring that personal information is as accurate, complete and up to date as is necessary for the identified purposes, including by allowing individuals to challenge the information and have it amended, as appropriate. Upon request, an individual must be informed of the existence, use and disclosure of their personal information and must be given access to it.^{Footnote 52}

In order to communicate with electors, there is a strong incentive for parties to maintain accurate, up-to-date information on their supporters and non-supporters.^{Footnote 53} It could be argued that parties' information is very accurate because parties obtain lists of electors and their candidates and volunteers have connections to the local community and go door to door collecting information. However, parties may not have perfect data and, as such, they may also have an interest in allowing individuals to have access to their own information and to correct it.

PIPEDA requires that a refusal to provide access to information must be explained in writing. Schedule 1 states that "exceptions to the access requirement should be limited and specific ... [and] may include information that is prohibitively costly to provide, information that contains references to other individuals, information that cannot be disclosed for legal, security or commercial proprietary reasons, and information that is subject to solicitor-client or litigation privilege."^{Footnote 54}

Unlike PIPEDA, British Columbia's PIPA, which applies to provincial parties in British Columbia, contains a clause that permits organizations with commissioner approval to disregard frivolous and vexatious access requests.^{Footnote 55} Such a provision could limit the risk that the right to access is used by political opponents to inundate their rivals' operations.

Lastly, the concepts of a right to data portability and the right to be forgotten have emerged following the passage of the GDPR. While there are complex challenges related to implementing either approach in the Canadian context, the right to access is the starting point for each. Through a right to access, individuals may obtain and move their data to a competitive organization or they may request that their data be deleted (or deindexed). However, political parties do not operate as private sector competitors or search engines. They have a legitimate need to retain information on persons who are not their members or even supporters to compete effectively in the electoral process.

Questions to consider:

• Should Canadians have the right to access their personal information from political parties?
• Are there circumstances when it would be legitimate for political parties to decline access?

Safeguarding Personal Information

Organizations subject to PIPEDA are required to employ safeguards to protect personal information against loss or theft and from unauthorized access, disclosure, copying, use or modification. Safeguards should be proportionate to the sensitivity of the information.^{Footnote 56}

Following reports by the Communications Security Establishment, as well as increased funding in Budget 2019 to assist parties with cyber security efforts, it is clear that protecting against security risks to party databases is a priority of the government. It is also in parties' best interests not to be subject to a cyber attack or breach that could result in embarrassment or appearance of mismanagement, as mitigating such risks upholds the integrity of the electoral process. Privacy policies must include statements about how parties protect personal information they collect. As noted above, Elections Canada (EC) has issued guidelines for safeguarding the lists of electors, whereas many of those guidelines are enshrined in provincial and territorial election laws.

Aside from foreign cyber threats, inappropriate access and use of data may happen via party insiders. Improper communication with electors during the 2011 federal election allegedly stemmed from unauthorized access to a party database.^{Footnote 57} On the other hand, broad access to personal information by their volunteers enables parties to connect with and mobilize voters.

Since 2018, in cases where a breach of security safeguards creates a real risk of significant harm, PIPEDA requires not only that organizations report the breach to the OPC, but also that they notify all affected individuals. Breach notification requires striking the right balance between organizational flexibility and how prescriptive regulations should be.^{Footnote 58} Depending on how they are formulated, breach notification requirements could pose an organizational burden to smaller parties. There are also penalties for organizations that knowingly fail to report a breach, which could be ruinous for a smaller party. Also, in contrast to PIPEDA, EC guidelines for the lists of elections encourage parties and candidates to report privacy breaches of the lists of electors to EC, not to concerned individuals.

Questions to consider:

• Should the CEA impose mandatory security requirements on parties/candidates who receive the lists of electors?
• Beyond legislating safeguards, what can be done to protect personal information held by political parties? How can parties manage their information holdings to safeguard information while also enabling campaign workers or volunteers to use that information to communicate with electors?
• Could there be any challenges when applying PIPEDA's breach notification requirements to political parties? Should there be variations for political parties and/or candidates?

Challenging Compliance

Under PIPEDA, individuals should be able to contact someone within an organization who is accountable if they have a complaint about its compliance with these principles or to lodge a complaint with a regulatory body that regulates the organization.^{Footnote 59} Further to amendments to the CEA, contact information of the person accountable is to be made public in parties' privacy policies. However, it is not clear whether parties have instituted complaints or grievance procedures should an individual contact them about how their personal information was or is being handled.^{Footnote 60}

This principle is reflective of PIPEDA's compliance model in which, prior to a formal investigation, individuals are encouraged to resolve complaints with the organization directly. Should a dispute not be resolved independently, the OPC conducts an investigation and issues a decision. However, the OPC cannot order an organization to comply. It largely relies on public shaming, audits, compliance agreements and, for certain violations, the courts.^{Footnote 61}

In order to promote compliance with the fair information principles, the Standing Committee on Access to Information, Privacy and Ethics, privacy commissioners, the CEO and academics have recommended that parties be subject to some form of external oversight. While EC receives parties' privacy policies to maintain their registered status, the CEO has noted that the OPC is best suited to provide oversight over whether parties are indeed following the claims made in their policies.

Related to oversight are the potential penalties for non-compliance. Under PIPEDA, many have recommended that enforcement powers be enhanced to protect privacy in the digital age.^{Footnote 62} Under the CEA, penalties range broadly, depending on the nature of the offence. Administrative monetary penalties were recently introduced to promote compliance, instead of punishing offenders for minor violations. In other instances, such as the voter contact registry, the CRTC's enforcement options range from warning letters to negotiated undertakings or financial penalties.^{Footnote 63} It is also an offence to knowingly use the lists of electors for unauthorized purposes (that is, anything other than communicating with electors, soliciting contributions or recruiting members); the penalty is a fine of not more than $10,000 or one year in prison, or both.^{Footnote 64}

Another option may include voluntary codes of practice.^{Footnote 65} A voluntary code may be more palatable to political parties than legislated change, while at the same time moving towards increasing electors' privacy.

This is not to say that oversight cannot be shared, but that it is important to determine whether one or a mix of existing or new regimes is best suited to protect electors' privacy so that Canadians can continue to trust their electoral process.

Questions to consider:

• What type of privacy compliance model is best suited for political parties? Which body should provide oversight? Should parties be audited? What is the appropriate role for electoral management bodies, data protection authorities or other regulators?
• What should the nature of offences and penalties be, if any?
• Should there be recourses for individuals when their personal information is not treated in accordance with fair information principles?
• Would a code of practice that political parties have agreed to be more appropriate than legislative action? Who should lead the development of such a code?

Footnotes

Return to source of ^{Footnote 29} Office of the Privacy Commissioner of Canada. "Guidance for Political Parties on Protecting Personal Information." April 1, 2019. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_pp_201904/

Return to source of ^{Footnote 30} Such concerns were expressed before the Standing Committee on Access to Information, Privacy and Ethics on November 1, 2018. https://www.ourcommons.ca/Content/Committee/421/ETHI/Evidence/EV10151086/ETHIEV124-E.PDF

Return to source of ^{Footnote 31} Personal Information Protection and Electronic Documents Act, c. 5, Schedule 1 (S.C. 2000). https://laws-lois.justice.gc.ca/eng/acts/P-8.6/; Office of the Privacy Commissioner of Canada. "Guidance for Political Parties on Protecting Personal Information." April 1, 2019. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_pp_201904/

Return to source of ^{Footnote 32} Office of the Privacy Commissioner of Canada. "Consent." 2019. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/

Return to source of ^{Footnote 33} Office of the Privacy Commissioner of Canada. "Guidelines for Obtaining Meaningful Consent: Determining the Appropriate Form of Consent." 2018. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/consent/gl_omc_201805/#_determining/

Return to source of ^{Footnote 34} Personal Information Protection and Electronic Documents Act, c. 5, Schedule 1, s. 4.3 (S.C. 2000). https://laws-lois.justice.gc.ca/eng/acts/p-8.6/; McEvoy, Michael. Full Disclosure: Political Parties, Campaign Data, and Voter Consent. Report. Office of the Information and Privacy Commissioner for British Columbia. 2019. 9. https://www.oipc.bc.ca/investigation-reports/2278/; Office of the Privacy Commissioner of Canada. "Interpretation Bulletin: Form of Consent." 2014. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_07_consent/

Return to source of ^{Footnote 35} Office of the Privacy Commissioner of Canada. 2016–17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act. Report. 2017. 14–15. https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/201617/ar_201617/#heading-0-0-3-1/

Return to source of ^{Footnote 36} McEvoy, Michael. Full Disclosure: Political Parties, Campaign Data, and Voter Consent. Report. Office of the Information and Privacy Commissioner for British Columbia. 2019. 16. https://www.oipc.bc.ca/investigation-reports/2278/

Return to source of ^{Footnote 37} McEvoy, Michael. Full Disclosure: Political Parties, Campaign Data, and Voter Consent. Report. Office of the Information and Privacy Commissioner for British Columbia. 2019. 21–23. https://www.oipc.bc.ca/investigation-reports/2278/

Return to source of ^{Footnote 38} See Office of the Privacy Commissioner of Canada. Joint Investigations of AggregateIQ Data Services Ltd. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia. November 26, 2019. Paras 63–66, 85–98 and 94. https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-004/

Return to source of ^{Footnote 39} The collection of personal information or contact information and the sending of commercial electronic messages (CEMs) (i.e., emails, texts or telephone calls that offer or promote goods or services for sale) are prohibited without consent. The regulations exempt CEMs sent by or on behalf of political parties, candidates and nomination contestants where the "message has as its primary purpose soliciting a contribution" as defined by the CEA. This means that parties and candidates do not need consent to send messages that, for example, request a donation or non-monetary contribution or promote a fundraising event.

Electronic Commerce Protection Regulations, SOR/2013-221, s. 3(h). https://laws-lois.justice.gc.ca/eng/regulations/SOR-2013-221/page-1.html#h-5/; Canadian Radio-television and Telecommunications Commission. "Frequently Asked Questions about Canada's Anti-Spam Legislation." (No date). https://crtc.gc.ca/eng/com500/faq500.htm/; An Act to promote the efficiency and adaptability of the Canadian economy by regulating certain activities that discourage reliance on electronic means of carrying out commercial activities, and to amend the Canadian Radio-television and Telecommunications Commission Act, the Competition Act, the Personal Information Protection and Electronic Documents Act and the Telecommunications Act, c. 23, s. 10(13)(a)(b) (S.C. 2010). https://laws-lois.justice.gc.ca/eng/acts/E-1.6/page-1.html/

Return to source of ^{Footnote 40} Office of the Privacy Commissioner of Canada. 2016–17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act. Report. 2017. 3–4. https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/201617/ar_201617/#heading-0-0-3-1/

Return to source of ^{Footnote 41} Office of the Information and Privacy Commissioner of Canada. "Results of Consent Consultation Highlighted in Commissioner's 2016–17 Annual Report." September 21, 2017. https://www.priv.gc.ca/en/opc-news/news-and-announcements/2017/bg_170921_consent/; Innovation, Science and Economic Development Canada. "Strengthening Privacy for the Digital Age: Proposals to Modernize the Personal Information Protection and Electronic Documents Act." 2019. https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html/

Return to source of ^{Footnote 42} See PIPEDA, s.7.

Return to source of ^{Footnote 43} According to the Regulations Specifying Publicly Available Information, publicly available information is defined as information contained in phone books (where the person may choose not to have their information listed), in a publication (where the person has provided their information), professional or business directories, publicly available registries, and judicial or quasi-judicial records (so long as the information is collected for the same purpose that it is in the directory, registry or records).

Regulations Specifying Publicly Available Information, s. 1 (SOR/2001-7). https://laws-lois.justice.gc.ca/eng/regulations/SOR-2001-7/page-1.html#h-679226/; Office of the Privacy Commissioner of Canada. "Publicly Available Information." 2014. https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/the-personal-information-protection-and-electronic-documents-act-pipeda/pipeda-compliance-help/pipeda-interpretation-bulletins/interpretations_06_pai/

Return to source of ^{Footnote 44} Office of the Privacy Commissioner of Canada. 2016–17 Annual Report to Parliament on the Personal Information Protection and Electronic Documents Act and the Privacy Act. Report. 2017. https://www.priv.gc.ca/en/opc-actions-and-decisions/ar_index/201617/ar_201617/#heading-0-0-3-1/

Return to source of ^{Footnote 45} Office of the Information and Privacy Commissioner of Canada. "Results of Consent Consultation Highlighted in Commissioner's 2016–17 Annual Report." September 21, 2017. https://www.priv.gc.ca/en/opc-news/news-and-announcements/2017/bg_170921_consent/; Innovation, Science and Economic Development Canada. "Strengthening Privacy for the Digital Age: Proposals to Modernize the Personal Information Protection and Electronic Documents Act." 2019. https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00107.html/

Return to source of ^{Footnote 46} McEvoy, Michael. Full Disclosure: Political Parties, Campaign Data, and Voter Consent. Report. Office of the Information and Privacy Commissioner for British Columbia. 2019. 21, 24. https://www.oipc.bc.ca/investigation-reports/2278/

Return to source of ^{Footnote 47} Personal Information Protection and Electronic Documents Act, c. 5, Schedule 1, s. 4.6, 4.9 (S.C. 2000). https://laws-lois.justice.gc.ca/eng/acts/p-8.6/; Office of the Privacy Commissioner of Canada. "Guidance for Political Parties on Protecting Personal Information." April 1, 2019. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_pp_201904/

Return to source of ^{Footnote 48} McEvoy, Michael. Full Disclosure: Political Parties, Campaign Data, and Voter Consent. Report. Office of the Information and Privacy Commissioner for British Columbia. 2019. 15–16. https://www.oipc.bc.ca/investigation-reports/2278/

Return to source of ^{Footnote 49} McEvoy, Michael. Full Disclosure: Political Parties, Campaign Data, and Voter Consent. Report. Office of the Information and Privacy Commissioner for British Columbia. 2019. 19. https://www.oipc.bc.ca/investigation-reports/2278/

Return to source of ^{Footnote 50} Élections Québec. Partis politiques et protection des renseignements personnels: Exposé de la situation québécoise, perspectives comparées et recommandations. Report. 2019. 87. https://www.electionsquebec.qc.ca/english/news-detail.php?id=6299/

Return to source of ^{Footnote 51} OpenMedia. Canada's Political Parties' Privacy Policies: An Assessment Against Best Practices Defined by Elections Canada and the Office of the Privacy Commissioner. Report. 2019. 2. https://act.openmedia.org/sites/default/files/Political%20party%20policies_%20scorecard%20analysis.pdf

Return to source of ^{Footnote 52} Personal Information Protection and Electronic Documents Act, c. 5, Schedule 1, s. 4.2, 4.4, 4.5 (S.C. 2000). https://laws-lois.justice.gc.ca/eng/acts/p-8.6/; Office of the Privacy Commissioner of Canada. "Guidance for Political Parties on Protecting Personal Information." April 1, 2019. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_pp_201904/

Return to source of ^{Footnote 53} Of the five parties represented by more than one member in the House of Commons, all make statements in their privacy policies that individuals can contact them to keep their information up to date.

Return to source of ^{Footnote 54} Personal Information Protection and Electronic Documents Act, c. 5, Schedule 1, s. 4.9 (S.C. 2000). https://laws-lois.justice.gc.ca/eng/acts/p-8.6/

Return to source of ^{Footnote 55} Alberta's PIPA, which does not apply to political parties but applies to some non-profit organizations, contains a similar provision. Note that the BC Information and Privacy Commissioner is determining whether PIPA applies to federal parties that campaign in BC. Personal Information Protection Act, c. 63, s. 37 (S.B.C. 2003). http://www.bclaws.ca/civix/document/id/complete/statreg/03063_01#section37/

Return to source of ^{Footnote 56} Personal Information Protection and Electronic Documents Act, c. 5, Schedule 1, s. 4.7 (S.C. 2000). https://laws-lois.justice.gc.ca/eng/acts/p-8.6/; Office of the Privacy Commissioner of Canada. "Guidance for Political Parties on Protecting Personal Information." April 1, 2019. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_pp_201904/

Return to source of ^{Footnote 57} R. v. Sona. (ONCJ 2014). Para 5, 9–11. https://www.canlii.org/en/on/oncj/doc/2014/2014oncj365/2014oncj365.html/

Return to source of ^{Footnote 58} Innovation, Science and Economic Development Canada. "Canada's Digital Charter in Action: A Plan by Canadians, for Canadians." 2019. https://www.ic.gc.ca/eic/site/062.nsf/eng/h_00109.html/

Return to source of ^{Footnote 59} Personal Information Protection and Electronic Documents Act, c. 5, Schedule 1, s. 4.10 (S.C. 2000). https://laws-lois.justice.gc.ca/eng/acts/p-8.6/; Office of the Privacy Commissioner of Canada. "Guidance for Political Parties on Protecting Personal Information." April 1, 2019. https://www.priv.gc.ca/en/privacy-topics/collecting-personal-information/gd_pp_201904/

Return to source of ^{Footnote 60} Of the five parties represented by more than one member in the House of Commons, only the CPC and Bloc Québécois privacy policies refer to contacting them if there are "complaints"; the NDP refers to questions or concerns; the Green Party of Canada and LPC refer to questions.

Return to source of ^{Footnote 61} Personal Information Protection and Electronic Documents Act, c. 5, s. 12 (1)(a); see also Office of the Privacy Commissioner, Enforcement of PIPEDA, https://www.priv.gc.ca/biens-assets/compliance-framework/en/index#/. For a recent example of the OPC commencing court proceedings, see Office of the Privacy Commissioner of Canada. Joint Investigation of Facebook, Inc. by the Privacy Commissioner of Canada and the Information and Privacy Commissioner for British Columbia. Report of findings. 2019. https://www.priv.gc.ca/en/opc-actions-and-decisions/investigations/investigations-into-businesses/2019/pipeda-2019-002/; Office of the Privacy Commissioner of Canada. "Facebook Refuses to Address Serious Privacy Deficiencies Despite Public Apologies for 'Breach of Trust.'" April 25, 2019. https://www.priv.gc.ca/en/opc-news/news-and-announcements/2019/nr-c_190425/

Return to source of ^{Footnote 162} For example, see Scassa, Teresa. Reforms to PIPEDA Must Give the Privacy Commissioner Real Enforcement Powers. June 7, 2018. https://policyoptions.irpp.org/magazines/june-2018/enforcement-powers-key-pipeda-reform/; Recommendation 15: That the Personal Information Protection and Electronic Documents Act be amended to give the Privacy Commissioner enforcement powers, including the power to make orders and impose fines for non-compliance. ETHI Report, Towards Privacy by Design: Review of the Personal Information Protection and Electronic Documents Act. February 2018. https://www.ourcommons.ca/DocumentViewer/en/42-1/ETHI/report-12

Return to source of ^{Footnote 63} CRTC. Voter Contact Registry. https://crtc.gc.ca/eng/phone/rce-vcr/guide-pol-en.pdf; CRTC's maximum administrative monetary penalties (AMPs) range from $1500 for individuals to $15,000 for corporations. In the CEA, AMPs range from $1500 for individuals to $5000 for corporations or entities.

Return to source of ^{Footnote 64} See Canada Elections Act, s. 485(1), s. 56(e), s. 110 and s. 500(3). Note that under 110(3), candidates may use the lists only for fair authorized purposes during election periods.

Return to source of ^{Footnote 65} Information Commissioner's Office. Guidance on Political Campaigning: Draft Framework Code for Consultation. 2019. https://ico.org.uk/media/about-the-ico/consultations/2615563/guidance-on-political-campaigning-draft-framework-code-for-consultation.pdf; Elections Canada. A Code of Ethics or Code of Conduct for Political Parties as a Potential Tool to Strengthen Electoral Democracy in Canada. 2018. https://www.elections.ca/content.aspx?section=res&dir=rec/tech/cod&document=p1&lang=e/

• Previous
• Table of Contents