Data breaches are commonplace — in Canada and around the world. They can result from deliberate attacks, from snooping, or just from carelessness. They can be massive, or they can be trivial. They often pose severe risks to individuals in the form of identify theft, discrimination or harassment.
They can also hurt organizational reputations and brands, and sometimes share prices. Just ask LifeLabs, eBay, Equifax, Target, Sony, Home Depot or LinkedIn. According to the Office of the Privacy Commissioner of Canada (OPC) in 2019, the number of Canadians affected by a data breach in the past year was well over 28 million.
Under the Personal Information Protection and Electronic Documents Act (PIPEDA), most commercial organizations (large and small) in Canada now have to report serious data breaches to the OPC if there is a “real risk of significant harm” to individuals. They also have to inform the individuals concerned directly, and as soon as feasible.
These same obligations, however, do not apply to our political parties. If a federal political party suffered a serious data breach during this election, it would have no obligation to report it either to the OPC, to Elections Canada or to any other regulatory body. And it would have no obligation to report it to the individual Canadians affected. The damage would be done, and nobody would be any the wiser.
This is not a hypothetical problem. There has been a steady stream of news stories over the last several years about the abuse of personal data in party databases — illegal hacking, careless leaks, nefarious use of lists for non-political purposes such as sending birthday cards, and a general sloppiness in data-handling practices during the frenzy of a campaign. A 2020 poll reported that only 36 percent of candidates in the last federal election kept the voters list in a secure place. Only 24 percent ensured that it was destroyed after the election.
Political parties capture and store vast quantities of highly sensitive personal data on Canadian voters. They get this data from a number of sources: from the voters list provided by Elections Canada; from the responses of voters on the doorstep, over the phone and from their websites; from polling data; from third parties such as list brokers; and from social media.
The parties then profile Canadian voters and score them according to how likely they are to support the party. They use these profiles to prioritize their get-out-the-vote operations in particular ridings, and to target them with relevant political messaging.
The main federal political parties operate vast and integrated voter relationship management systems that have grown in scale and sophistication over different election cycles. This growth has been fuelled by technological development, but also by the natural competitiveness of our party system. Perceptions of losing the data race in one election have prompted the main parties to play catch-up.
This is not a hypothetical problem. There has been a steady stream of news stories over the last several years about the abuse of personal data in party databases.
After two elections cycles, in 2015 and 2019, where the general perception was that the Liberal Party’s data operation was far superior, the Conservative Party invested lots of money in a new system called Medallion — a “one-stop shop for all your online services” — that automatically imports data from the Conservative database, the Constituency Information Management System. In 2021, we will see whether this system operates more effectively than the Liberal equivalent (Liberalist) based on the same Voter Activation Network software operated by Democratic and progressive campaigns in the United States. The payments from the Liberal Party to the US company NGP VAN, as well as to the Canadian company Data Sciences, to manage constituency data operations and outreach was the subject of media scrutiny earlier this summer.
Canadian elections, like those in many countries, have become “data-driven.” And the parties, and their consultants, have gotten it into their heads that elections (especially in close ridings) can be won with more comprehensive and complete data on voters’ attitudes and intentions.
During a 2021 election campaign in which face-to-face campaigning is necessarily more difficult because of the pandemic, the digital campaign has assumed even greater importance.
Thus, if a data breach were to originate from one of these voter databases, who could do anything about it? The answer is nobody.
The OPC would like to be able to oversee our federal political parties, but it has recently ruled that PIPEDA (covering organizations engaged in commercial activities) does not cover political parties — even though much of what they do can barely be distinguished from commercial marketing practices: purchasing lists, advertising on social media, running ads and so on.
If a breach involved data from the voters list provided by Elections Canada, the Commissioner of Canada Elections, Yves Côté, could investigate, but he has rarely, if ever, done so. Moreover, he has steadfastly refused to go any further and look into the larger systems that parties operate, even though they are based on, and inextricably linked to, the voters list.
The Canadian Radio-television and Communications Commission has some authority to regulate the parties’ telemarketing practices, but no authority to investigate a breach or mandate a data breach notification.
The only provincial commissioner who can investigate the activities of political parties is that in British Columbia. The BC Information and Privacy Commissioner, Michael McEvoy, investigated BC provincial parties and issued a report in 2019 that revealed the range of personal data captured and also uncovered a number of practices that contravened BC’s Personal Information Protection Act (PIPA). A code of practice is currently being developed.
Whether or not he would have the authority to investigate a data breach from a federal political party is, however, an open question. In a further report in 2019, McEvoy did conclude that the local riding association of a federal party was subject to the BC law and rejected the argument of the party (the New Democratic Party in this case) that federal law is paramount. The question of the application of the BC PIPA to federal political parties is still being adjudicated.
Political parties have strenuously opposed regulation under privacy law and oversight by the privacy commissioners. The Liberal government’s recent and now defunct bill to reform Canadian privacy law, Bill C-11, said nothing about political parties, to the disappointment of many critics. The Ontario government issued a white paper on privacy reform this summer — again containing nothing about provincial political parties. There has been some progress in covering provincial political parties in Quebec’s new Bill 64, but it is still unclear whether the reforms will really shift the needle.
The different political parties have tended to act in unison in opposing any reform in this area. With the exception of the Green Party, no federal political party is clearly on record as saying that their operations should be subject to Canadian privacy law.
Essentially, Canada’s political parties regulate themselves.
The level of hypocrisy here is stunning, especially as the parties have been quite ready to assert the importance of privacy in their platforms. The Conservative Party’s platform, for example, states: “Canada’s Conservatives believe that digital data privacy is a fundamental right that urgently requires strengthened protection through legislation and enforcement. Canadians must have the right to understand and control the collection, use, monitoring, retention, and disclosure of their personal data.” Indeed — but for every organization in Canada except themselves, it seems.
Essentially, Canada’s political parties regulate themselves. Under the Elections Modernization Act of 2018, they are obliged to have a privacy policy and submit it to Elections Canada. These policies should include a statement on the types of personal information collected, and its sources; a statement about how the information is protected; and a statement about how it uses that information, and the circumstances under which it might be sold. It should include a commitment that it trains staff on privacy and security, and indications on how it captures data online. According to the act, political parties should also publish the name and contact information of a person to whom concerns can be raised.
There is nothing about only capturing personal data with consent, nothing about granting voters rights to access and correct their data, nothing about controls on the purchase of lists and nothing about how personal data might be shared or disclosed. In fact, there is nothing to stop a political party from selling personal data — provided it is transparent about the circumstances in which it does so.
And there is nothing, critically, about data breaches — the crux of the notorious scandal concerning Facebook and Cambridge Analytica.
If a political party were not to publish a privacy policy, then theoretically Elections Canada could deregister that party. And that is the only sanction — which, of course, is extremely unlikely.
This massive gap in our regulatory privacy regime cannot be allowed to continue. In a poll in 2018, 86 percent of respondents stated that political parties should be subject either to the same laws as private companies, or should be governed by greater restrictions. Support for extending privacy law to political parties has broad support across partisans from all political groups.
Sooner or later, a Canadian political party will experience a data breach that nobody will be able to ignore. If such a breach were to occur during an election campaign, the consequences could be devastating, both for the party involved and for the individuals affected.
