The federal Conservatives, Liberals and NDP are in court in British Columbia arguing for worse protection of Canadians’ personal information.
They are trying to overturn an order by the province’s information and privacy commissioner’s office that required federal political parties to comply with the B.C. private sector privacy law, the Personal Information Protection Act (PIPA).
The commissioner’s office has already used the law to investigate provincial political parties for deficiencies in their handling of personal information. The resulting report describes in detail how parties collect, use and share personal information. The practices range from buying information from data brokers; to collecting information from social media; and to giving voter information to Facebook to find and target individuals who may share similar attributes or political leanings.
The federal parties, which prefer laxer federal privacy laws, are hoping to avoid having to meet B.C.’s more stringent requirements regarding personal information without actually saying that they are opposed to better protection of personal information.
Protecting our information in the age of data-driven politics
To achieve that aim, the parties argue that if they were subject to the more stringent privacy requirements in British Columbia, it would create a patchwork of rights across the country. In their petition for judicial review, they argue that the division of powers and other provisions of the Constitution mean they can be regulated only by the federal government. In short, provincial privacy laws do not apply to them.
Unsurprisingly, the requirements the federal government has set out are significantly less arduous than what the parties would be required to do under the B.C. law.
Canadians’ primary privacy protection in relation to the federal parties is contained in the Canada Elections Act (CEA). It is pretty basic. It requires registered political parties to have a privacy policy, post it on the internet and give a copy to Elections Canada. That policy has to include the following elements:
- What information it collects;
- How it uses that information or sells it;
- How it protects that information;
- How it trains employees;
- How it collects and uses personal information created from online activity and how it uses cookies.
Contact information is also required to be posted along with the privacy policy.
There are no standards whatsoever about what level of privacy protection is required. This means that a political party could have a privacy policy that consists of the statement: “we collect everything we legally can about you, use it as we see fit, and disclose it to whoever we feel like.” As long as that policy were posted on the web and sent to Elections Canada, it would meet the Canada Elections Act’s requirements. There is no body to complain to or to investigate at the federal level, and there is no way to force a party to do a better job of protecting your privacy.
Two other federal laws, the Telecommunications Act (which includes the ”do not call” lists) and Canada’s anti-spam legislation (regarding unsolicited electronic messages) exempt federal political parties.
Former B.C. information and privacy commissioner David Loukidelis was the adjudicator in this case, and he rejected the constitutional arguments put forward by the federal parties.
First, the parties tried to use the doctrine of federal paramountcy. That is invoked where a valid provincial statute creates an operational conflict with an equally valid federal statute, in which case the provincial law is inoperative to the extent of the conflict.
Loukidelis rejected this, saying in part “While the CEA and PIPA policy requirements are not framed identically, I am not persuaded that an organization cannot fashion a policy that complies with both statutes.” He also noted that where the Canada Elections Act is silent, “(t)here is no conflict between a regulation on the one hand and the absence of a regulation on the other.”
He also rejected the contention that interjurisdictional immunity applied. That doctrine prevents an otherwise valid law enacted by one level of government from applying where it would impair a core power of the other level of government.
The parties had argued that PIPA’s provisions protecting personal information impaired the core federal power of running federal elections. Loukidelis rejected this argument as well.
He did point out that this would not necessarily result in a patchwork of different privacy requirements across the country, because “it is open to Parliament to legislate in respect of federal political parties’ collection, use and disclosure of personal information in a manner that creates uniform rules for all parties and unequivocally ousts provincial legislation.”
The federal government could short-circuit the current litigation by making the federal parties subject to the federal private sector privacy law. That would also align with a recommendation from the House access to information, ethics and privacy committee.
In its 2018 report on digital privacy vulnerabilities and threats to Canada’s electoral processes, the committee recommended that the government take measures to ensure privacy legislation applies to political activities in Canada. This could be done by either amending existing legislation or by enacting new legislation.
Sadly, it looks like the federal Liberal government (and presumably the Conservatives and NDP) prefer to watch the B.C. case wind its way slowly up to the Supreme Court of Canada.
Before the House of Commons rose for its summer recess, the federal government introduced Bill C-27, a modified version of the wide-ranging private sector privacy law it introduced (but didn’t pass) before the last election.
Neither C-27 nor its predecessor (Bill C-11) made any attempt to regulate the activities of the federal political parties.
Conveniently, the current lack of restrictions will allow them to continue their current information harvesting until all appeals are exhausted many years from now.