Issue sheets on Bill C-4 – Appearance before LCJC

Effective regulation of political party use of personal information (PRPA)

Speaking Points

• Although political parties have been required to have a privacy policy since 2018, they are not required to adhere to specific privacy rules.
• My Office has repeatedly recommended that political parties be subject to privacy rules similar to those set out in the Privacy Act and PIPEDA.
• Given the sensitive personal information collected, used and disclosed by political parties, they should be subject to a comprehensive privacy regime that goes beyond self-regulation.

Background

• April 2018: Bill C-76 introduced to amend the Canada Elections Act (at s. 385) to require parties to develop, register, and publish their own privacy policies, but with no substantive protections or limitations on use of personal information.
• December 2018: C-76 receives Royal Assent.
• April 2019: OPC and Elections Canada issue joint guidance, tied to C-76 coming into force.
• September 2019: OPC receives complaint against federal political parties.
• March 2021: OPC declines complaint against federal political parties owing to lack of jurisdiction under PIPEDA.
• May 2023: Privacy Commissioner appearance before Senate Committee on Legal and Constitutional Affairs on Bill C-47, the Budget Implementation Act. Bill C-47 would authorize political parties and their affiliates to collect, use, retain, disclose, and dispose of personal information in accordance with the party’s own privacy policy – which they would develop and revise at their own discretion.
• June 2023: C-47 receives Royal Assent.
• March 2024: Bill C-65, the Electoral Participation Act introduced but legislation dies on Order Paper with Parliament’s prorogation in January 2025. Privacy Commissioner makes submission in November 2024, issuing three recommendations for enhancements.
• June 2025: Bill C-4 is tabled. Privacy Commissioner makes submission to the Standing Committee on Finance in June 2025, recommending ways in which the Bill could be strengthened to better protect electors’ personal information.

Importance of reporting breaches to a regulator (Compliance)

Speaking Points

• Breaches of personal information must be addressed swiftly to reduce the risk of harm to affected individuals.
• Requiring that breaches be reported to a regulator allows for a better assessment of what happened and whether safeguards were adequate. It also helps to ensure that there was appropriate and timely remedial action, including notifications to affected individuals.
• Under PIPEDA, commercial organizations are currently required to report breaches involving personal information as soon as feasible where there is real risk of significant harm to an affected individual.
• I have recommended that the legislation be amended to require organizations to report a privacy breach within 7 days of detection.
• While federal government institutions are currently required to report privacy breaches that present a real risk of significant harm to affected individuals within 7 days, this is not a legal obligation. Indeed, as it stands, it is only required pursuant to a Treasury Board Secretariat policy requirement. I am of the view that the Privacy Act should be amended to make it a legal requirement.

Background

• An explicit requirement in C-4 to report breaches to the OPC and an ability to engage with other regulators where personal information is involved, could bolster privacy breach reporting and facilitate investigations.
• For this fiscal year to date, the average length of time between a breach incident and the time that organizations subject to PIPEDA have submitted their breach reports to the OPC has been four months.
• Bill C-65 would have required political parties to notify individuals of breaches in specific circumstances. In a November 2024 letter to the House Standing Committee on Procedure and House Affairs, you recommended that the Bill be amended to broaden the privacy breach notification provisions to include reporting to a relevant, independent body such as the Privacy Commissioner of Canada, Elections Canada and/or the Commissioner of Canada Elections.

BC Court of Appeal: application of PIPA to federal political parties (Legal)

Speaking Points

• I have been monitoring this litigation concerning the application of provincial privacy law to Federal Political Parties (FPPs) with interest.
• While the BC OIPC determined that BC’s Personal Information Protection Act (PIPA) does apply to FPPs, the Liberal Party of Canada, Conservative Party of Canada and New Democratic Party of Canada challenged that decision before the BC Supreme Court, which dismissed the FPP’s applications.
• I understand that the BC Court of Appeal will hear this matter at the end of May 2026, regardless of whether C-4 passes.

Background

• In 2019, the BC OIPC received complaints alleging that four FPPs provided insufficient access to the complainants’ personal information, contrary to section 23 of BC’s Personal Information Protection Act (PIPA).
• In 2022, the BC OIPC concluded that BC’s PIPA applies to FPPs.
• Three of the four FPPs subject to the complaint brought a judicial review application of this decision: the Liberal Party of Canada, the Conservative Party of Canada and the New Democratic Party of Canada.
• They argued that it was unconstitutional to apply PIPA to them because of paramountcy and interjurisdictional immunity and argued that federal electoral law, rather than provincial privacy laws, apply to them.
• In May 2024, in Liberal Party of Canada v. The Complainants, 2024 BCSC 814, the BC Supreme Court dismissed the applications and found it reasonable for the BC OIPC to extend the definition of “organization” to FPPs given its plain meaning.
• The Court held that PIPA requirements do not impact FPPs’ authority to collect, use, and disclose personal information under the Canada Elections Act; both Acts complement each other and showcase co-operative federalism in action.
• The FPPs appealed to the BC Court of Appeal. The FPPs have previously obtained adjournments and argued that C-4 may render the issue moot; however, the BC Court of Appeal has issued a Direction that the appeals must be heard, along with arguments on mootness, before the end of May 2026, regardless of the effect of C-4 on the appeals.

2023 Canada Elections Act amendments (C-47) (PRPA/Legal)

Speaking Points

• Bill C-47, which received Royal Assent in June 2023, amended the Canada Elections Act to specifically authorize political parties to collect, use, disclose, retain, and dispose of personal information in accordance with the party’s own privacy policy.
• The amendments did not establish rules or standards for political parties to follow in their collection, use or handling of personal information, nor did they provide for independent oversight of parties’ privacy practices.
• Political parties collect a wide range of personal information about voters, much of which is sensitive in nature, from a variety of sources. Political parties should therefore be subject to privacy rules, based on internationally recognized privacy principles. These should include having an independent third party with authority to verify and enforce compliance.

Background

• Division 39 of Part 4 of Bill C-47 contained three provisions that were added to the Canada Elections Act:
• A definition of personal information stating that personal information means information about an identifiable individual. (385.2 (1))
• A provision stating that political parties and their affiliates (candidates, district associations, officers, agents, employees, volunteers, and representatives) may collect, use, disclose, retain and dispose of personal information in accordance with the party’s privacy policy. (385.2 (2))
• A purpose statement noting that the purpose of the section is to provide for a national, uniform, exclusive and complete regime applicable to registered parties and eligible parties respecting their collection, use, disclosure, retention, and disposal of personal information. (385.2 (3))

• No specific standards were set in the amendments for privacy policies or the data handling practices of parties, nor were there mechanisms for third-party review of complaints or for effective recourse.

2018 Canada Elections Act amendments (Bill C-76) (PRPA/Legal)

Speaking Points

• Bill C-76, which received Royal Assent in December 2018, amended the Canada Elections Act to require for the first time that federal political parties develop written privacy policies and publish them online as part of the official registration process.
• While those requirements represented important first steps, the lack of minimum privacy standards, effective recourse and oversight represented serious shortcomings.
• In 2018, my Office appeared before the House of Commons Standing Committee on Procedure and House Affairs on the amendments and recommended that the regime be strengthened to provide for recourse and independent review.

Background

• Bill C-76 inserted a new paragraph 385(2)(k) in the Canada Elections Act requiring parties to develop policies for the protection of personal information, to submit these to the Chief Electoral Officer (CEO), and to publish the policies on their websites.
• While the privacy policies must include specific elements, such as a statement indicating the types of personal information that the party collects, and how it collects, uses, and safeguards that information, there are no substantive requirements concerning the actual handling of personal information.
• In order to be registered, a political party must include a privacy policy as part of its application (s. 385(2)(k)); the CEO can deregister an existing party if it fails to maintain its privacy policy (s.412(3)), fails to notify the CEO of any updates to the policy (s. 412(1)(f)), or fails to publish an updated version of its policy online (s. 412(2)).
• The CEO does not have any express authority to verify that a political party is complying with its policy, or the adequacy of the policy to protect privacy.

2019 complaint on political parties to OPC (Compliance)

Speaking Points

• In 2019, a complaint was submitted to the OPC alleging that federal political parties were violating PIPEDA because they collect, use and disclose personal information for the purpose of creating voter profiles and conducting political advertising.
• In 2021, after a thorough analysis, the OPC concluded that PIPEDA did not apply to the activities of federal political parties as they are not commercial in character.
• Although I believe that federal political parties should be covered by privacy legislation and that Canadians should be offered basic privacy protections in that regard, the OPC is required to apply the law as it is drafted.

Background

• Part 1 of PIPEDA applies to every organization in respect of personal information that “the organization collects, uses or discloses in the course of commercial activities” (s. 4(1)(a)).
• Federal Political Parties collect, use and disclose “personal information” of supporters, members, volunteers, general voters and others during their activities. That said, regular activities of the Federal Political Parties are not considered to be commercial in character within the meaning of PIPEDA.
• In the former Commissioner’s response to the complainant, he noted:

Although I strongly believe that privacy laws should govern political parties to better protect both privacy and democratic rights, I must apply the law as it is today. As you know, as Privacy Commissioner I have often called on the need to expand privacy laws to ensure that political parties are subject to legislation and fully respect the privacy rights of Canadians. As I told Parliament, what matters are that internationally recognized privacy principles… be included in domestic law and that an independent third party … have the authority to verify compliance.

OPC guidance for federal political parties (2019) (PRPA)

Speaking Points

• In 2019, the OPC and Elections Canada published guidance for political parties following new requirements contained in Bill C-76 (Elections Modernization Act) relating to privacy policies.
• While applications for party registration must be accompanied by a privacy policy with certain specific details, the substance does not have to comply with widely accepted privacy requirements.
• Our guidance outlines best privacy practices, aligned with the ten fair information principles, to encourage political parties to better protect personal information that they collect.
• This includes recommended practices on accountability, outlining clear purposes and obtaining valid consent for collection, including inferred and predictive data, and data minimization.

Background

• In December 2018, Parliament enacted Bill C-76, the Elections Modernization Act, which amended the Canada Elections Act to:
• require political parties to develop privacy policies to protect personal information; (s. 385 (1))
• submit those policies to Elections Canada; (s. 385.1(1)) and,
• publish them online. (s. 385 (4))

• Subsection 385(2)(k) of the Canada Elections Act requires that applications for registration include the party’s privacy policy with details regarding the types of information collected, how information is protected, how information is used and sold and training to be given to employees who could have access, among other details.
• Our 2019 guidance outlines best practices aligned with the fair information principles to assist parties in handling personal information so that privacy rights of Canadians are respected.
• Those principles include Accountability; Identifying purposes; Consent; Limiting collection; Limiting use, disclosure and retention; Accuracy; Safeguards; Openness; Individual access; and Challenging compliance.

Potential Amendments to the Canada Elections Act (Legal)

Speaking Points

• The Canada Elections Act ought to be amended in a way that ensures that political parties protect the privacy of individuals from and about whom they collect, use, or disclose personal information.
• I maintain that political parties should be subject to rules substantially similar to those in PIPEDA. At a minimum, the Canada Elections Act should require that
• Privacy policies be consistent with the principles set out in Schedule 1 of PIPEDA.
• Divisions 1 to 4 of Part 1 of PIPEDA apply with any modifications that the circumstances require; and,
• I be authorized to receive and investigate privacy complaints dealing with registered political parties.

Background

• Clause 47 of Part 4 of Bill C-4 could specify the following:
• Clarify that “registered or eligible parties” under the CEA be made subject to PIPEDA under s.4(1.1) of that Act (with the result that the Privacy Commissioner would have jurisdiction to investigate complaints regarding their collection, use, or disclosure of personal information);
• Remove references to “a national, uniform, exclusive and complete regime” in proposed s.446.2 CEA and include specific references to PIPEDA’s applicability to federal political parties;
• Make consequential amendments to PIPEDA’s Schedule 4 (as provided for under s.4(1.1) PIPEDA) to include “registered or eligible parties” under the CEA;
• In s.2 CEA, for the definition of “personal information”, remove the reference to the Privacy Act and incorporate the definition from s.2 of PIPEDA; to avoid confusion, also remove the alternate definitions of personal information found in other parts of the CEA (e.g., s.358.2(1) and proposed s.446.1).

The PIPEDA Option (Legal)

Speaking Points

• While federal political parties are currently not explicitly made subject to PIPEDA, the Act could be extended to cover them.
• Under PIPEDA, subsection 4(1.1) and paragraph 26(2)(c) provide a mechanism by which the Governor-in-Council can list any organization as being subject to the Act by including them in Schedule 4.
• My Office recommended that Parliament consider this in our 2021 submission on the former Bill C-11, and I maintain that this is a feasible option for extending the application of privacy rules to political parties.

Background

• Organizations currently listed under Schedule 4 of PIPEDA: at present there is only one organization in Canada, the World Anti-Doping Agency (WADA) based out of Montreal, that has been made subject to the Act in this manner.
• Political parties as analogous to WADA: Like political parties, WADA is not a commercial organization nor a for-profit entity. It is funded by the Olympic Movement and governments from around the world. However, given that WADA handles the drug-testing regime for Olympic and other athletes, it does collect, use, and process sensitive personal information.
• The full text of our recommendation was provided to ETHI in our Submission of the Office of the Privacy Commissioner of Canada on Bill C-11, the Digital Charter Implementation Act, 2020 (May 2021). In it, we recommended using the Schedule to bring political parties under the proposed Consumer Privacy Protection Act.
• Schedule 4 of PIPEDA could reference “registered or eligible party” as defined under the Canada Elections Act (CEA) instead of individually listing each political party to avoid continuous updating.
• If PIPEDA were amended to apply to federal political parties, consequential amendments to the CEA would be required, including amending s.385.2(3) of that Act, which indicates that the CEA privacy regime is intended to be a “national, uniform, exclusive and complete regime”.

Privacy regulation for political parties – other jurisdictions (Legal)

Speaking Points

• Privacy laws in Quebec, BC, the EU and UK apply to political parties.
• Since 2023, Quebec’s private sector privacy legislation applies to provincial political parties; failure to comply can lead to administrative monetary penalties or fines.
• The BC Supreme Court recently concluded that BC’s Personal Information Protection Act applies to federal political parties’ collection, use and disclosure of information about BC voters. That decision is under appeal.
• In the EU and the UK, political parties are covered by the GDPR and UK GDPR respectively. The UK also has other laws that impose additional privacy obligations on political parties.

Background

• Quebec: Many provisions of Quebec’s private sector privacy legislation (Loi sur la protection des renseignements personnels dans le secteur privé) (LPRPSP) apply to personal information handled by political parties via s.127.22 of Quebec’s Loi électorale. Certain provisions are excluded (e.g., access). Political parties (including independent members or candidates) may be subject to administrative monetary penalties (s. 90.1 et seq. LPRPSP), fines (s. 91 et seq. LPRPSP), or punitive damages (s. 93.1 LPRPSP) for certain contraventions of the Act.
• BC: The federal political parties have appealed the March 2024 BC Supreme Court’s decision to the BC Court of Appeal (litigation ongoing).
• EU: Political parties in EU member states are subject to the GDPR. Among other obligations, political parties must process personal data lawfully, fairly and transparently (art. 5(1)(a)); provide a right to access personal data they hold (art. 15); and enable individuals to object to use of their personal data for political profiling purposes (art. 21).
• UK: In the UK, political parties and candidates are subject to several privacy laws: the UK General Data Protection Regulation (which largely incorporates the GDPR into UK law), the Data Protection Act 2018, and the Privacy and Electronic Communications Regulations 2003. Failure to abide by these laws can result in significant financial penalties.

Bill C-2 – Strong Borders Act (PRPA)

Speaking Points

• Several elements of Bill C-2 have significant implications for privacy rights and interests.
• When assessing the reasonableness of such provisions, key questions include: do they strike an appropriate balance between privacy rights and state interests? Do they provide for adequate oversight, accountability, and transparency? Are thresholds for the exercise of investigative powers appropriate in light of their potential invasiveness?
• The OPC’s assessment is also guided by the principles of necessity and proportionality: in other words, is the intrusion on privacy demonstrably necessary to achieve a legitimate objective, and is the degree of intrusiveness proportional to the benefits to be gained?
• I agree with the Minister of Public Safety’s acknowledgement that Bill C-2 fails to achieve the necessary balance between privacy and law-enforcement objectives.
• My office remains open to working with Public Safety on any privacy-enhancing amendments they may be contemplating, and are meeting with Public Safety officials later this week to that end.

Background

• Bill C-2 was introduced in the House by the Minister of Public Safety in June 2025. In October 2025 the Minister introduced Bill C-12, which consists of 11 parts originally put forward in Bill C-2 but excludes some of its most controversial elements, notably:
• amendments to the Canada Post Corporation Act to permit the demand, seizure, detention, or retention of anything in the course of post in accordance with an Act of Parliament and to enable Canada Post to open letter mail (Part 4);
• amendments to the Criminal Code, the CSIS Act, and a number of other statutes to create or modify a range of investigative powers (including a warrantless “information demand”) (Part 14);
• the proposed Supporting Authorized Access to Information Act, which would require electronic service providers to have the technical and operational capabilities to facilitate access to information by authorized persons (Part 15); and,
• amendments to the PCMLTFA that would establish a framework for public-to-private information-sharing whereby reporting entities may collect and use personal information disclosed to them by the RCMP or government entities (Part 16).

Bill C-8 – An Act Respecting Cybersecurity (PRPA)

Speaking points

• The OPC supports the objective of Bill C-8 to protect systems and services that are vital to national security or public safety from cybersecurity threats and vulnerabilities.
• Stronger cybersecurity protections can also promote privacy by reducing the likelihood and impact of breaches involving personal data.
• At the same time, new powers and authorities granted in the name of cybersecurity must be appropriately scoped and subject to suitable guardrails in order to limit the risk of unintended privacy impacts.
• Bill C-8 is currently at clause-by-clause consideration in the other place, where a number of amendments have been adopted in this spirit, including a more consistent standard of necessity and proportionality for the collection, use, or disclosure of personal information.

Background

• Part 1 of Bill C-8 would amend the Telecommunications Act (TA) to add promoting the security of Canada’s telecommunications system as a policy objective and to provide the GIC and Minister of Industry with order-making powers to that end.
• It would also amend the TA to create new authorities for the collection and disclosure of information by the Minister of Industry, Public Safety, Foreign Affairs, National Defence, the Chief of the Defence Staff, the Communications Security Establishment, CSIS, and the CRTC.
• Part 2 would enact the Critical Cyber Systems Protection Act (CCSPA), which would authorize the GIC to designate certain services or systems in federally regulated sectors as “vital” (e.g., energy, finance, transportation, and telecommunications); to identify classes of operators that would be subject to cybersecurity directions and regulations; to issue cybersecurity directions; and to require designated operators to establish and implement cybersecurity programs, mitigate supply-chain, and report cybersecurity incidents.
• The Commissioner appeared before the House Standing Committee on Public Safety and National Security (SECU) on C-8 in October 2025 and sent the Committee a follow-up letter shortly thereafter. The Office subsequently received questions on potential amendments to the bill from the offices of a number of MPs. Clause-by-clause consideration is underway.

Bill C-12 – Strengthening Canada’s Immigration System and Borders Act (PRPA)

Speaking points

• Bill C-12 omits some of the most controversial elements of Bill C-2, but certain provisions still engage privacy interests in that they would create or expand authorities to collect, use, or disclose personal information.
• From a privacy perspective, the real risk of significant harm that might arise from such amendments is, in my view, relatively low.
• I am also pleased to say that when I appeared before Committee in the other place, my recommendation to amend one of the bill’s more concerning provisions, which might have allowed customs officers to enter the dwelling house of a small business owner who operates out of their home without prior judicial authorization, was taken up.

Background

• Bill C-12 was passed by the House in December 2025 and is now being considered by the Senate Social Affairs, Science and Technology Committee and the Senate Standing Committee on National Security, Defence and Veterans Affairs.
• As originally drafted, Part 1 would have amended the Customs Act to require any person who “transports or causes to be transported within Canada goods destined for export” to give CBSA or RCMP officers free access to “any premises or place under the person’s control” where any goods destined for export are “reported, loaded, unloaded or stored” (s. 97.01).
• Following the Commissioner’s November 2025 appearance before the Standing Committee on Public Safety and National Security, the Committee amended Part 1 to specify that if any premises or place referred to in s. 97.01 is a dwelling-house, an officer may not enter without consent, except under the authority of a warrant issued by a judge on reasonable grounds to believe.

Bill C-16 – Protecting Victims Act (deepfakes) (PRPA)

Speaking Points

• Tabled in December 2025, Bill C-16 was referred to the Standing Committee on Justice and Human Rights in the other place last week.
• Bill C-16 would criminalize the non-consensual distribution of certain deepfakes. The Bill also contains other privacy-impactful criminal law amendments that my office is presently reviewing. I am supportive of many of the elements of this Bill.
• However, an effective response to the issue of deepfakes must extend beyond the criminal law. My office needs stronger enforcement tools, in particular order-making powers to more effectively hold organizations to account.
• I also support the need for comprehensive online harms legislation, and look forward to sharing my views with Parliament when called upon.

Background

• Scope of s. 162.1: this offence applies to “intimate images”, which includes deepfakes that depict a person as either “nude”, “exposing their sexual organs”, or “engaged in explicit sexual activity” (s. 164.1(2) of the Criminal Code). Other categories of deepfakes would not be covered, including for example deepfakes of children that do not meet the above criteria.
• Other privacy protective features: Bill C-16 places new limits on evidence of a complainant’s past sexual history, as well as on the production of private records, including therapeutic records, in the prosecution of sexual offences under the Criminal Code (ss. 276-276.13 and 278.1-278.38). These amendments may limit the proliferation of highly sensitive information during the prosecution of sexual offences.
• Areas of potential concern: Bill C-16 contains broad information-sharing authorities for Correctional Services Canada (see proposed ss. 25.1-25.4 of the Corrections and Conditional Release Act).
• Other online harms bills:
• Former Bill C-63 proposed the Online Harms Act, which would have regulated “social media services” and set out an arms-length regulatory structure. A new online harms bill is expected soon.
• Private Members Bill C-216, (currently at first reading in the House), which would apply exclusively to minors, regulates Internet “operators.” Rather than creating a new regulatory structure, it would extend the role of the Canadian Radio-television and Telecommunications Commission (CRTC).