Commissioner submits recommendations on proposed amendments to the Canada Elections Act

Privacy Commissioner of Canada Philippe Dufresne has made recommendations to strengthen Bill C-65, an Act to amend the Canada Elections Act, in order to better protect electors’ personal information.

Commissioner Dufresne provided the following submission to the House of Commons Standing Committee on Procedure and House Affairs, which is studying Bill C-65.

---

November 18, 2024

BY EMAIL

Mr. Ben Carr, Member of Parliament
Chair, Standing Committee on Procedure and House Affairs
Sixth Floor, 131 Queen Street
House of Commons
Ottawa ON  K1A 0A6

Dear Mr. Chair:

I am writing to present my views on the privacy implications of Bill C-65, the Electoral Participation Act. As currently drafted, the legislation introduces new elements to the existing privacy obligations for federal political parties. For example, among other additions, it would require that the Chief Electoral Officer (CEO) determine (at the time of registration) if the privacy policies of parties meet all listed requirements in subsection 444.4(1).

C-65 also requires a registered or eligible party and those acting on the party’s behalf to comply with the party’s policy for the protection of personal information (subsection 444.3(1)). It additionally requires the CEO to convene at least one meeting annually on the issue of protecting personal information by registered and eligible parties (section 444.5). It also provides that a person that fails to comply with the policy commits a violation (section 444.3(2)). I welcome these additions to the existing regime, and believe that the new provisions around registration, policy compliance and training can help enhance privacy protection.

Summary of Privacy Issues

That said, I believe that the Bill could be strengthened further in order to better protect electors’ personal information.

Briefly, unlike the key provisions and principles that underpin the federal Privacy Act or the Personal Information Protection and Electronic Documents Act (PIPEDA), the rules proposed for federal political parties would not include statutory requirements for parties to:

• Obtain individual consent,
• Limit the collection of personal information,
• Limit the use and disclosure of personal information to those purposes for which it was collected,
• Provide means for individuals to seek access to their information, or
• Allow individuals to exercise a right of correction.

In Canada and abroad, limiting collection, use and disclosure, ensuring accuracy, provision of access and obtaining consent are basic elements found in both public sector and private sector data protection laws.

Recommendation 1: the Committee should amend Bill C-65 to set requirements for political parties to seek consent (subject to express authority in the legislation), limit collection, use and disclosure and provide a mechanism for access and correction in connection with their handling of personal information.

Privacy Breach Reporting

Incident reporting is also an important aspect of privacy protection, in both the public and private sector contexts. While the proposed requirement in Bill C-65 (under subsections 444.4 (1) to (3)) for political parties to notify individuals of breaches in specific circumstances is positive, a requirement to also report to an independent regulator would provide Canadians with reassurance that incidents involving their personal information are being handled appropriately. Proactive breach reporting provides critical information to both regulators and individuals when sensitive information is at risk. As a reference, the current breach provisions under PIPEDA are found at ss. 10.1(1) et seq.

Recommendation 2: the Committee should amend Bill C-65 to broaden the privacy breach notification provisions detailed under subsections 444.4 (1) to (3) to include reporting to a relevant, independent body such as the Privacy Commissioner of Canada, Elections Canada and/or the Commissioner of Canada Elections.

Improving Oversight

Effective oversight and redress are critical elements in improving data protection and ensuring clear, coherent regulation in this area. In my experience, allowing inter-agency collaboration improves the work of regulators and brings clarity to complex issues that cut across sectors and jurisdictions.  

To cite precedent for this approach, provisions were introduced in 2019 to allow for the Privacy Commissioner to collaborate with the National Security and Intelligence Review Agency (under the Privacy Act, ss. 37(5)). Similarly, proposed amendments in C-27 (the Digital Charter Implementation Act, 2022) would allow for my Office to work with the Canadian Radio-television and Telecommunications Commission and Competition Bureau (under s. 118 in the new Consumer Privacy Protection Act). Including a similar provision in the context of C-65 would allow my Office to interact with the Commissioner of Canada Elections (CCE) on investigations, as warranted. As a reference, section 509.21 of the Canada Elections Act (CEA) currently allows the CCE to consult the CEO when they consider it appropriate to do so.

Recommendation 3: the Committee should amend Bill C-65 to allow for formal collaboration between my Office, Elections Canada and the Commissioner of Canada Elections.

Conclusion

In summary, political parties collect and use considerable amounts of sensitive personal information in the course of their activities. In this context, the regulation of political parties should ensure that voter participation can be maximized while at the same time protecting Canadians’ fundamental right to privacy. I hope that the options presented can assist in that regard.

Thank you once again for the opportunity to present the Committee with my views on this important Bill.

Sincerely,

c.c. Christine Holke, Clerk