Fresh off Bill C-2 and lawful access provisions buried in a border safety bill, the government has now quietly inserted provisions that exempt political parties from the application of privacy protections in Bill C-4, an “affordability measures” bill. The provisions, which come toward the end of the bill, are deemed to be in force as May 31, 2000, meaning that they retroactively exempt the parties from any privacy violations that may date back decades. The ostensible reason for the provisions is a B.C. case that applied provincial privacy law to federal political parties. I discussed the case with Colin Bennett in this episode of the Law Bytes podcast in 2023. The government is now seeking to render that case moot and provide all political parties with an effective exemption from any privacy laws other than measures found in the Elections Act. An appeal of the B.C. case is scheduled to be heard later this month.
This is not the first time the government has tried to exempt political parties from standard privacy laws. Bill C-65, which failed in the last Parliament, contained similar provisions. However, the provisions were in a bill on the Elections Act, not buried among tax measures. Moreover, the previous approach was stronger. It included measures to address data breaches and the requirement to notify affected individuals as well as certain restrictions, including the sale of personal information. This iteration removes the data breach notification requirements, drops the sale restrictions, and renders the entire exemption retroactive to the year 2000.
The Bill C-4 removal of privacy rules starts by stating that political parties may carry out any activities in relation to personal information:
In order to participate in public affairs by endorsing one or more of its members as candidates and supporting their election, any registered party or eligible party, as well as any person or entity acting on the party’s behalf, including the party’s candidates, electoral district associations, officers, agents, employees, volunteers and representatives, may, subject to this Act and any other applicable federal Act, carry out any activities in relation to personal information, including the collection, use, disclosure, retention and disposal of personal information in accordance with the party’s policy for the protection of personal information.
Having granted full rights to collect, use and disclose personal information – and knowing that PIPEDA does not generally apply to these activities – Bill C-4 then exempts the parties from any provincial privacy laws:
When participating in public affairs by endorsing one or more of its members as candidates and supporting their election, a registered party or eligible party, as well as any person or entity acting on the party’s behalf, including the party’s candidates, electoral district associations, officers, agents, employees, volunteers and representatives, cannot be required to comply with an Act of a province or territory that regulates activities in relation to personal information, including the collection, use, disclosure, retention and disposal of personal information, unless the party’s policy for the protection of personal information provides otherwise.
In case there was any doubt, the bill for greater certainty states that parties cannot be required to disclose or correct personal information under their control.
For greater certainty, the registered party, eligible party or person or entity acting on the party’s behalf cannot be required to provide access to personal information or provide information relating to personal information under its control or to correct — or receive, adjudicate or annotate requests to correct — personal information or omissions in personal information under its control.
So what privacy safeguards are there with respect to political parties and personal information? The bill requires the parties to have and abide by a privacy policy. That policy must be in both official languages, written in plain language, and only include the following:
(a) designate a privacy officer who is responsible for overseeing the party’s compliance with the policy;
(b) include the name and contact information of the privacy officer;
(c) state the types of personal information in relation to which the party carries out its activities;
(d) explain, using illustrative examples, how the party carries out its activities in relation to personal information, such as by indicating whether it does so online or through the use of cookies; and
(e) describe the training related to the protection of personal information that is offered to the party’s employees and volunteers who may have access to the personal information that is under its control.
There are no other requirements and no limitations on the collection, use and disclosure of information. Privacy commissioners do not have the power to address violations that might arise and – as noted above – the government wants to backdate these rules by 25 years.
The combination of Bill C-2 and C-4, both introduced this week, represent a stunning assault on the privacy of Canadians. Bill C-4 significantly undermines the privacy of Canadians with respect to political parties, who have become addicted to acquiring as much data as possible. These provisions should be removed from the bill and the B.C. case permitted to proceed. The privacy rights of millions of Canadians is at stake.