Appearance before Standing Committee on Procedure and House Affairs on the study about Bill C-76, Elections Modernization Act

June 5, 2018
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)


Introduction

Good morning Honourable Members.

I would like to thank the Committee for the invitation today to discuss the privacy implications of Bill C-76, Elections Modernization Act.

As you are well aware, citizens’ concerns have been voiced globally around how their personal information is being gathered from online platforms and used in the political process.

Allegations about the misuse of the personal information of 87 million Facebook users are a serious wake-up call that highlights a growing crisis for privacy rights.

Not only is consumer trust at risk, so too is trust in our democratic processes.

How Canada currently compares to other jurisdictions

As you know, no federal privacy law applies to political parties; British Columbia is the only province to cover them.

This is not the case in many other jurisdictions. In most regions of the world, laws provide that political parties are governed by privacy laws.

This includes jurisdictions such as EU, UK, New Zealand, Argentina and Hong Kong for example. Canada is becoming the exception.

How the standards set by C-76 falls short

We recently reviewed the privacy policies of political parties. While these policies have some positive features (for instance, all make provisions for people to update personal information or correct details that were out of date), they all fall way short of globally accepted fair information principles.

Similarly, the standards alluded to in Bill C-76 at clause 254, at page 150, also fall short. In fact, Bill C-76 does not prescribe any standards.

It simply says parties must have policies that touch on a number of issues, leaving it to parties to define the standards they want to apply. In terms of privacy protection, Bill C-76 adds nothing of substance.

For instance, the bill does not require parties to:

  • seek consent from individuals,
  • limit collection of personal information to what is required,
  • limit disclosure of information to others,
  • provide individuals access to their personal information
  • be subject to independent privacy oversight.

By contrast, in British Columbia, parties must apply all generally applicable privacy principles. Consent applies, but it is subject to other laws, such that consent is not required for the transmission of lists of electors under electoral laws.

How the political process has fared elsewhere – with privacy protections

I have heard much support, including from federal politicians, for the idea that political parties should be subject to privacy laws.

The government, meanwhile, appears to think that political parties are not similarly situated as private companies as it relates to privacy.

For instance, Ministers seem to be concerned that applying privacy laws would impede communications between parties and electors.

This is an interesting proposition, but I have not yet seen any evidence to that effect. It may exist, but it has not been presented for public discussion.

I would note, however, that in Europe, political parties have been subject to privacy laws for over 20 years, and I understand that such protections have now become part of the culture of how elections are run.

What we know is that democracy appears to still thrive in jurisdictions where parties must comply with privacy laws.

Political parties, their role and citizen trust

The precise law where privacy rules should be found does not much matter. It could be the Elections Act, PIPEDA or another Act.

What matters are that internationally recognized privacy principles (not policies defined by parties) be included in domestic law and that an independent third party, potentially my Office as we have expertise, have the authority to verify compliance.

Independent oversight is necessary to ensure that privacy policies or principles are not just empty promises but actual safeguards applied in practice.

Together with Elections Canada, we have developed amendments that would achieve these goals, which we are providing to you today. If you wish, I can explain them during the question period.

Conclusion

In conclusion, the integrity of our democratic processes is clearly facing significant risks.

In my view, the time to act is now.

Thank you again and I would welcome your questions.


Recommended amendments to Bill C-76, An Act to amend the Canada Elections Act and other Acts and to make certain consequential amendments

Clause 2 is amended by adding the following after subsection (7):

(7.1) Subsection 2(1) of the Act is amended by adding the following in alphabetical order:

“policy for the protection of personal information” means a policy that is consistent with the principles set out in the National Standard of Canada entitled Model Code for the Protection of Personal Information, CAN/CSA-Q830-96 found in Schedule 1 of the Personal Information Protection and Electronic Documents Act.

“Privacy Commissioner” means the Privacy Commissioner appointed under section 53 of the Privacy Act.

Subclause 254(1) is replaced with the following:

254 (1) Subsection 385(2) of the Act is amended by striking out “and” at the end of paragraph (i) and by adding the following after paragraph (j):

(k) the party’s policy for the protection of personal information;

(l) the address of the page — accessible to the public — on the party’s Internet site where its policy for the protection of personal information is published under subsection (4).

The following clause is added after clause 258:

258.1. The Act is amended by adding the following after section 407:

407.1 (1) A registered party shall comply with its policy for the protection of personal information referred to in paragraph 385(2)(k).

(2) A registered party may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.

(3) An individual may file with the Privacy Commissioner a written complaint against a registered party for contravening subsection (1) or (2).

(4) If the Privacy Commissioner is satisfied that there are reasonable grounds to investigate a matter under subsection (1) or (2), the Privacy Commissioner may initiate a complaint in respect of the matter.

(5) The Privacy Commissioner may, on reasonable notice and at any reasonable time, audit the personal information management practices of a registered party if the Privacy Commissioner has reasonable grounds to believe that the registered party has contravened subsection (1) or (2).

(6) For the purposes of this section, Divisions 1.1 to 4 of Part 1 of the Personal Information Protection and Electronic Documents Act, and any regulations made with respect to those divisions, apply, with any modifications that the circumstances require.

(7) Notwithstanding anything in this Act, the Privacy Commissioner has the exclusive responsibility for investigating complaints with respect to contraventions of subsection (1) or (2) and for auditing the personal information management practices of a registered party.

Clause 350 is replaced by the following:

350. The Act is amended by adding the following after section 508:

Violations

Violation

508.‍1 Every person or entity that contravenes section 281.‍3,281.‍4 or 281.‍5 or a provision of any of Parts 16,17 and 18, other than section 407.1 — or that fails to comply with a requirement of the Chief Electoral Officer under any of those Parts, with a provision of a compliance agreement or with a provision of an undertaking that has been accepted by the Commissioner — commits a violation and is liable to an administrative monetary penalty in an amount established in accordance with the provisions of this Act.

[remainder of text of clause 350 remains unchanged]

Report a problem or mistake on this page
Please select all that apply (required): Error 1: This field is required.

Note

Date modified: