Appearance on Bill C-47 Issue Sheets

Bill C-47 Amendments

Key Messages

• Bill C-47 amends the Canada Elections Act to authorize political parties to collect, use, disclose, retain, and dispose of personal information in accordance with the party’s own privacy policy – this is essentially self-regulation.
• Unfortunately, the amendments do not establish standards for political parties to follow in their handling of personal information, nor do they provide for independent oversight of the privacy practices of political parties.
• Given much of the personal information gathered by political parties on electors, such as political views and voting intentions, is sensitive, parties should be subject to privacy requirements, based on internationally recognized privacy principles, including an independent third party with authority to verify and enforce compliance.

Background

• Bill C-47 contains three provisions that would be added after section 385.1 of the Canada Elections Act:
  • A definition of personal information stating that personal information means information about an identifiable individual.
  • A provision stating that political parties and their affiliates (candidates, district associations, officers, agents, employees, volunteers and representatives) may collect, use, disclose, retain and dispose of personal information in accordance with the party’s privacy policy.
  • A purpose statement noting that the purpose of the section is to provide for a national, uniform, exclusive and complete regime applicable to registered parties and eligible parties respecting their collection, use, disclosure, retention and disposal of personal information.
• Completeness of the regime: no specific standards are set in the amendments (for privacy policies or the data handling practices of parties), nor are there mechanisms for redress, remedies, or third-party review of complaints.

Prepared by: PRPA

---

2019 Complaint Investigation

Key Messages

• In 2019 a complaint was submitted to the OPC alleging Federal Political Parties violated PIPEDA regarding their collection, use and disclosure of personal information for the purpose of creating voter profiles and conducting political advertising.
• After a thorough analysis, my Office concluded in 2021 that PIPEDA did not apply to the activities of the Federal Political Parties raised in the complaint, as they were not commercial in character.
• Although we believe Federal Political Parties should be covered by privacy legislation and Canadians offered basic privacy protections in that regard, the OPC was required to apply the law as it was drafted.

Background

• Part 1 of PIPEDA applies to every organization in respect of personal information that “the organization collects, uses or discloses in the course of commercial activities” (s. 4(1)(a)).
• Federal Political Parties collect, use and disclose “personal information” of supporters, members, volunteers, general voters and others in the course of their activities. That said, regular activities of the Federal Political Parties, are not considered to be commercial in character within the meaning of PIPEDA.
• In the former Commissioner’s response to the complainant, he noted:
  

  “Although I strongly believe that privacy laws should govern political parties to better protect both privacy and democratic rights, I must apply the law as it is today. As you know, as Privacy Commissioner I have often called on the need to expand privacy laws to ensure that political parties are subject to legislation and fully respect the privacy rights of Canadians. As I told Parliament, “what matters are that internationally recognized privacy principles … be included in domestic law and that an independent third party … have the authority to verify compliance.”

Prepared by: Compliance

---

2018 Amendments to the Canada Elections Act

Key Messages

• In 2018, Bill C-76 amended the Canada Elections Act to require federal political parties to develop written privacy policies and to publish these online in the process of official registration.
• While those requirements represented important first steps, we believe the lack of minimum privacy standards, effective recourse, clear remedies, and oversight represent serious shortcomings.
• My Office appeared before the House of Commons Procedures and House Affairs Committee on the amendments and recommended the regime be strengthened to provide for recourse and independent review.

Background

• Bill C-76: The 2018 Bill inserted a new paragraph 385(2)(k) in the Canada Elections Act requiring parties to develop policies for the protection of personal information, to submit these to the Chief Electoral Officer (CEO), and to publish the policies on their websites.
• Policies and standards: While there are specific content requirements for privacy policies, such as to include a statement indicating the types of personal information that the party collects, how it collects that information, and how information is safeguarded, there are no requirements for how any of these are to be done in practice. The Bill does not set out specific privacy norms directly but arguably do so in a limited fashion indirectly (e.g., the requirement to list a contact person matches up with an accountability requirement under PIPEDA).
• Oversight: In terms of oversight, this would appear to fall to the CEO and the Commissioner of Canada Elections (CCE), although their ability to oversee compliance by parties with the terms of their policies would seem to be limited.
• The CEO can refuse to register a party if it does not submit a privacy policy and can also deregister an existing party if it fails to submit a privacy policy, fails to notify the CEO of any updates (s. 412(1)(f)), fails to publish an updated version of its policy online (s. 412(2)).
• However, the CEO does not have any express power to verify that a political party is complying with its policy, or the adequacy of the policy to protect privacy.

Prepared by: PRPA

---

Guidance for Federal Political Parties

Key Messages

• In 2019, the OPC and Elections Canada published guidance for political parties following new requirements contained in Bill C-76 (Elections Modernization Act) relating to privacy policies.
• While applications for party registration must be accompanied by a privacy policy with basic details, the substance does not have to comply with specific privacy requirements.
• Our guidance outlines best privacy practices – aligned with the ten fair information principles – to encourage political parties to better protect personal information in their care and help engender trust among Canadians.
• This includes recommended practices on accountability, outlining clear purposes for collection, obtaining valid consent for the collection of personal information, including inferred and predictive data, and minimizing collection.

Background

• In December 2018, Parliament enacted Bill C-76, the Elections Modernization Act. Bill C-76 amended the Canada Elections Act (CEA) to require political parties to develop privacy policies to protect personal information, to submit those policies to Elections Canada and to publish them online.
• s. 385(2)(k) of the Canada Elections Act requires that applications for registration include the party’s privacy policy with details regarding the types of information collected, how information is protected, how information is used and sold, training to be given to employees who could have access, among other details.
• Our 2019 guidance recommends best practices for parties to adhere to aligned with the fair information principles to help ensure parties treat personal information in a manner that respects the privacy rights of Canadians (Accountability; Identifying purposes; Consent; Limiting collection; Limiting use, disclosure and retention; Accuracy; Safeguards; Openness; Individual access; and, Challenging compliance).

Prepared by: PRPA

---

Approaches in Other Jurisdictions

Key Messages

• Privacy laws in the UK and EU apply to political parties.
• In March 2022, the BC OIPC concluded that British Columbia’s Personal Information Protection Act applies to federal political parties’ collection, use and disclosure of information about BC voters, although the political parties have judicially reviewed this decision.
• Quebec is another jurisdiction that will soon have laws in force which expressly regulate the handling of personal information of voters in that province. Political parties will be subject to various penalties for failing to adhere to these requirements.

Background

• In the UK, political parties and candidates are subject to several privacy laws which govern the “processing” of personal data: the UK General Data Protection Regulation, the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. These laws ensure that political parties only process personal data lawfully, fairly and transparently (Article 5(1)(a) UK GDPR); and enable individuals to object to using their personal data for political profiling purposes (Article 22, UK GDPR). A failure to abide by these laws can result in significant financial penalties and serious reputational harm.
• Political parties in EU member states are subject to the EU General Data Protection Regulation, on which the UK GDPR is based. It contains similar requirements regarding the processing of personal data. Article 9 of the EU GDPR defines political opinions as “sensitive data” and severely restricts the processing of such data without appropriate safeguards.
• Bill 64 amends the Quebec Elections Act by adding a new s. 127.22. Through this amendment, all but a few provisions of Quebec’s private sector privacy legislation (the Act Respecting the Protection of Personal Information in the Private Sector) will apply to the personal information of voters held by political parties. As a result, Quebec will make political parties subject to administrative monetary penalties for failing to abide by that legislation (s. 90.1 et seq.), as well as criminal prosecution (s. 91 et seq.) or actions in damage (s. 93.1) for contraventions and unlawful infringements.

Prepared by: Legal

---

BC Court Case

Key Messages

• In August of 2019, the BC OIPC received a series of complaints alleging that four federal political parties provided insufficient access to the complainants’ personal information, contrary to section 23 of BC’s Personal Information Protection Act (PIPA).
• The federal political parties took the position that PIPA does not apply to them, principally on the basis that federal legislation exclusively governs their collection, use and disclosure of personal information, and that applying PIPA to them was unconstitutional.
• In March 2022, the OIPC concluded that it would not be unconstitutional to apply PIPA to federal political parties.
• In April 2022, three of the parties initiated a judicial review application of the OIPC’s decision, claiming the procedure adopted by the OIPC to hear the jurisdiction issue was unfair, and that the OIPC’s findings were legally wrong.

Background

• Only three of the four political parties subject to the complaint made submissions before the OIPC: the Liberal Party of Canada, the Conservative Party of Canada, and the New Democratic Party of Canada.
• The parties argued that PIPA was constitutionally inapplicable to them by operation of two constitutional doctrines: paramountcy and interjurisdictional immunity. These doctrines essentially help to determine how overlapping federal and provincial legislation should be analyzed to determine which should prevail.
• The OIPC also had to consider submissions that the political parties were not “organizations” within the meaning of PIPA by virtue of s. 3(2)(c) because they were federal works, undertakings or businesses, as defined in PIPEDA.
• The judicial review of the BC OIPC’s decision was scheduled to be heard on May 8, 2023, but was adjourned with the consent of all parties and an agreement to schedule a new hearing of the judicial review before December 31, 2023.

Prepared by: Legal

---

Could OPC Provide Guidance under Regime in C-47?

Key Messages

• The amendments to the Canada Elections Act proposed by Bill C-47 do not directly contemplate the OPC providing guidance to Elections Canada.
• The Chief Electoral Officer may consult the Privacy Commissioner, but this is not expressly provided for and the OPC has no oversight role in relation to the obligations imposed on political parties in the Canada Elections Act. The role of the OPC is not affected by the amendments proposed in Bill C-47.
• In 2019, the CEO chose to consult with the OPC on the development of guidance leading to the two offices collaborating on and publishing guidance for political parties following new requirements contained in Bill C-76 (Elections Modernization Act) relating to privacy policies.

Background

• The OPC provides guidance to federal government institutions and the private sector on protecting and promoting privacy rights.
• This guidance is informed by the two federal privacy laws which the Commissioner is empowered to enforce: the Privacy Act and the Personal Information Protection and Electronic Documents Act.
• While the OPC can provide informed guidance on best practices as it relates to privacy, this guidance can only have legal effect if there are rules underpinning these practices.
• The Canada Elections Act rules regarding protecting personal information held by federal political parties are limited to ensuring that parties have privacy policies that speak to this. Furthermore, the OPC has no oversight role with respect to the obligations imposed by the Canada Elections Act.
• As a consequence, the OPC’s ability to provide meaningful guidance where it is consulted by the CEO is similarly limited.

Prepared by: Legal Services

---

Other Information Sharing Regimes

Key Messages

• The OPC is not the exclusive regulatory body that must consider the privacy interests of Canadians and engages with other regulators on privacy matters.
• Of note, Parliament has specifically authorized the OPC to disclose information it would normally have to keep confidential to the CRTC, the Competition Bureau, and the National Security and Intelligence Review Agency.
• Parliament recognizes that regulators should be able to share information and expertise where their mandates intersect to ensure effective collaboration and to protect the rights of Canadians. For example, the Online Streaming Act (C-11) will amend the Broadcasting Act to make specific provisions for the CRTC to consider protection of privacy while interpreting the Act and issuing regulations.

Background

• The OPC shares responsibilities for enforcing Canada’s anti-spam legislation (CASL) with the CTRC and the Competition Bureau. The OPC is responsible for investigating the harvesting of electronic addresses and the collection of personal information through illicit access to computer systems, such as via spyware.
• Subsection 20(7) of PIPEDA was amended to specifically authorize the OPC to intervene in proceedings initiated by an individual under CASL (s. 50(c)) and it has done so before the CRTC where privacy has been a central issue. It is also authorized to disclose information to the Commissioner of Competition and the CRTC for those matters falling under their CASL respective responsibilities (ss. 58(3) & 60(1)).
• Subsection 64(3) of the Privacy Act allows the OPC to share information with NSIRA relating to its investigations of government institutions’ compliance with sections 4 to 8 of the Privacy Act (s. 37(1)). Complementary provisions are contained in the NSIRA Act authorizing the Review Agency to share information relating to its review function.
• Pursuant to these provisions, the OPC and NSIRA conducted a successful joint investigation of Security of Canada Information Disclosure Act disclosures in 2020.

Prepared by: Legal Services

---

Potential Amendments to Canada Elections Act

Key Messages

• In 2018, in the context of Parliament’s consideration of Bill C-76, my Office and Elections Canada developed amendments on how political parties could be made subject to privacy rules.
• Our proposed amendments included that:
  • Privacy policies be consistent with the principles in the Model Code for Protection of Personal Information that already exist in Schedule 1 of PIPEDA;
  • Divisions 1.1 to 4 of Part 1 of PIPEDA apply with any modifications that the circumstances require;
  • The OPC receive and investigate privacy complaints dealing with registered parties.
• We maintain political parties should be subject to privacy rules.

Background

• Main text of recommendation regarding application of PIPEDA:
  
  For the purposes of this section, Divisions 1.1 to 4 of Part 1 of the Personal Information Protection and Electronic Documents Act, and any regulations made with respect to those divisions, apply, with any modifications that the circumstances require.
• Main text of recommendation to allow for privacy complaints:
  
  407.1 (1) A registered party shall comply with its policy for the protection of personal information referred to in paragraph 385(2)(k).
  
  (2) A registered party may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances.
  
  (3) An individual may file with the Privacy Commissioner a written complaint against a registered party for contravening subsection (1) or (2).
  
  (4) If the Privacy Commissioner is satisfied that there are reasonable grounds to investigate a matter under subsection (1) or (2), the Privacy Commissioner may initiate a complaint in respect of the matter.

Prepared by: PRPA

---

The Consumer Privacy Protection Act (CPPA) Option

Key Messages

• While federal political parties are not explicitly subject to the CPPA as currently drafted in C-27, there is a potential avenue for extension of the Act to them.
• Under the CPPA, subsection 6(3) and paragraph 122(2)(c) provide a mechanism by which the Governor-in-Council can list any organization as being subject to the Act.
• My Office recommended that Parliament consider this option in our 2021 submission on the former Bill C-11 and maintain that this is a viable option for extending privacy rules to political parties.

Background

• Organizations listed currently under PIPEDA: at present there is only a single organization in Canada, the World Anti-Doping Agency (WADA) based out of Montreal, that has been made subject to the Act in this manner.
• Parties analogous to WADA: Like political parties, WADA is not a commercial organization nor a for-profit entity. It is funded by the International Organizing Committee for the Olympic Games. However, given that WADA handles the drug-testing regime of international Olympic athletes, it does collect, use, and process sensitive personal information.
• The full text of our recommendation was provided to ETHI in OPC Submission of the Office of the Privacy Commissioner of Canada on Bill C-11, the Digital Charter Implementation Act, 2020 (May 2021):
  • Subject federal political parties to the CPPA, for example by registering them in the schedule pursuant to subsection 6(3) and paragraph 119(2)(c) [now paragraph 122(2)(c)].

Prepared by: PRPA

---

Home Depot Follow up

Key Messages

• My office has contacted several companies identified in the media as having shared customer information with Meta in a manner similar to Home Depot.
• Letters were sent in early April highlighting the Home Depot Report outlining our compliance expectations and requesting confirmation by May 19 that any required changes have been implemented.
• While we have yet to receive final responses from all companies, some have confirmed that they have discontinued the sharing practices and will not reengage in the practice in the future without obtaining valid consent.

Background

• We found that Home Depot required express opt-in consent for disclosure to Meta of offline purchase information of its customers who had requested an e-receipt.
• The companies we followed up with were identified in a CBC article following the release of our findings in Home Depot.
• The following is the status for each of the companies contacted:
  • Sephora – [Redacted].
  • Best Buy – [Redacted].
  • Gap, Anthropologie, Hudson’s Bay, Lulu Lemon, Pet Smart – we are still awaiting their response.
  • Bed Bath n’ Beyond – no response received. Note: they are in the process of closing all stores in Canada.

Prepared by: PIPEDA Compliance