Letter to the Standing Committee on Finance on Bill C-4, the Making Life More Affordable for Canadians Act
June 16, 2025
BY EMAIL
The Honourable Karina Gould, P.C., M.P.
Chair, Standing Committee on Finance
Sixth Floor, 131 Queen Street
House of Commons
Ottawa ON K1A 0A6
Dear Madam Chair:
I am writing to present my views on the privacy implications of Bill C-4, the Making Life More Affordable for Canadians Act, tabled on June 5, 2025, Part 4 of which amends the required elements for existing privacy policy obligations of federal political parties.
As Privacy Commissioner of Canada, my mandate is to protect and promote individuals’ privacy rights in the public and private sectors, and to ensure that organizations respect their privacy obligations. Currently, the Privacy Act governs how the federal government handles personal information, and the Personal Information Protection and Electronic Documents Act (PIPEDA) governs how personal information is handled by the private sector. However, political parties are not currently covered under either the Privacy Act or PIPEDA.
In my view, political parties should be subject to privacy rules substantially similar to requirements set out for the public and private sectors in the Privacy Act and PIPEDA, while at the same time being adapted to the unique role played by political parties in the democratic process.
Given the importance of privacy and the sensitive nature of the information being collected, Canadians need and deserve a privacy regime for political parties that goes further than self-regulation and that provides meaningful standards and independent oversight to protect and promote electors’ fundamental right to privacy.
Recommendations
I believe that Bill C-4 should be strengthened to better protect electors’ personal information. My proposed amendments would help to ensure that voter participation can be maximized while at the same time protecting Canadians’ fundamental right to privacy.
Minimum Privacy Standards
Unlike the key provisions and principles that underpin the federal Privacy Act and PIPEDA, the rules proposed for federal political parties do not include statutory requirements for parties to:
- Identify the purposes for which personal information is collected at or before the time the information is collected,
- Obtain individual consent,
- Limit the collection of personal information to identified purposes,
- Limit the use and disclosure of personal information to those purposes for which it was collected,
- Provide means for individuals to seek access to their information, or
- Allow individuals to exercise a right of correction.
In Canada and abroad, obtaining consent, limiting collection, use and disclosure, ensuring accuracy, and provision of access are basic elements found in both public and private sector data protection laws.
Recommendation 1: Bill C-4 should establish requirements for political parties to identify the purposes for which personal information is collected, seek consent (subject to express authority in the legislation), limit collection, use and disclosure, and provide a mechanism for access and correction to personal information under their control.
Privacy Breach Reporting
Incident reporting is also an important aspect of privacy protection, in both the public and private sector contexts.
A requirement to report privacy breaches to an independent regulator would provide Canadians with reassurance that incidents involving their personal information are being handled appropriately. Proactive breach reporting provides critical information to both regulators and individuals when sensitive information is at risk. Such a provision had been included in Bill C-65 of the previous Parliament, though it was limited to notifying affected individuals in certain circumstances.
To ensure meaningful oversight there should also be prescriptive wording on timeliness for breach reporting. In the context of the Privacy Act and PIPEDA, I have recommended that institutions should report breaches to my Office without unreasonable delay and no later than seven calendar days after the institution becomes aware of the breach. Clear, short timelines for reporting would allow for an effective response, provide certainty to political parties about what is legally required, and be consistent with modern international norms.
Recommendation 2: Bill C-4 should reintroduce previously proposed privacy breach notification provisions, expanding upon them to require that breaches be reported to affected individuals as well as to a relevant, independent body such as the Privacy Commissioner of Canada, Elections Canada and/or the Commissioner of Canada Elections without unreasonable delay and no later than seven calendar days after a political party becomes aware of the breach.
Improving Oversight
Effective oversight and redress are critical elements in improving data protection and ensuring clear, coherent regulation. Allowing inter-agency collaboration improves the work of regulators and brings clarity to complex issues that cut across sectors and jurisdictions. As a reference, section 509.21 of the Canada Elections Act currently allows the Commissioner of Canada Elections to consult the Chief Electoral Officer when they consider it appropriate to do so. Including a similar provision in the context of Bill C-4 allowing my Office, the Commissioner of Canada Elections and the Chief Electoral Officer to consult and collaborate would be valuable given that the issues in question touch upon matters that fall under all of our mandates.
Recommendation 3: Bill C-4 should allow for formal collaboration between my Office, the Commissioner of Canada Elections and Elections Canada.
Thank you once again for the opportunity to present the Committee with my views on this important Bill.
Sincerely,
(Original signed by)
Philippe Dufresne
Privacy Commissioner
c.c. Danielle Widmer, Clerk of the committee
- Date modified: