Last month, just a day before the formal start of Canada’s federal election campaign, the CBC reported that the official websites of 99 Canadian members of parliament have trackers that can collect visitors’ data and target them with political advertisements. The tools can catalogue users’ information, such as their IP addresses, and use that data to identify individuals and present them with tailored content online, including on social media sites like Facebook.
The use of website trackers isn’t illegal, but, especially in the lead up to the October 21 vote, it does highlight the relevance of a dialogue surrounding privacy and political parties. Since the writ drop on September 11, parties have heightened efforts to collect voter information and target Canadians with personalized messages. In some cases, inadequate data protection efforts have led to worrying privacy violations, including the inadvertent publication of voters’ personal details online.
Canadian political parties’ management of personal data is largely unregulated in comparison to the collection and use of such information in the private and public sectors. And the operation of these tools is inconsistent with statements from the Privacy Commissioner of Canada, Daniel Therrien. “Canadians expect and deserve to have their privacy rights respected as they exercise their democratic rights,” he said earlier this year.
Therrien has proposed that Canadian political parties be governed by privacy legislation based on international standards and overseen by an independent third party. At the provincial and territorial level, British Colombia is the only jurisdiction that regulates parties’ personal data practices, and the province’s courts have faced challenges from national parties on their authority to do so.
In an increasingly digital world, lax privacy protections for voters can limit the electorate’s trust in political parties and candidates, and weaken the strength of democratic institutions. Such concerns should prompt a look outside Canada’s borders to explore how voter privacy is protected in other countries, and what lessons Canadian legislators can learn from their international counterparts.
Lessons from the EU: Security, Enforcement and Voter Rights
In the European Union, the General Data Protection Regulation (GDPR), which came into effect in May 2018, has strengthened the bloc’s protections around personal data. These obligations extend to European and national parties, which are required to process personal information “lawfully, fairly and in a transparent manner, for specified purposes only.” Many of the ideals embedded in this regulation, including parties’ responsibilities around security, access and transparency, are worthy of study.
For one, the GDPR obliges parties to promptly notify users of data breaches that are “likely to result in a high risk to [individuals’] rights and freedoms,” use secure operational systems and process information according to specific conditions, among other responsibilities. Voters are also granted strong rights under the legislation, including the right to access their data, to request the deletion of their data under certain circumstances and to have inaccurate data corrected.
To be sure, this legislation hasn’t been uniformly interpreted across the union. The GDPR allows some flexibility in member states’ application of the EU regulation into national law, and this leniency has been exploited by some countries. Open Rights Group, a digital rights organization based in the United Kingdom, highlights, for instance, that Romania allows political parties “to process personal data from special categories without explicit consent and without implementing appropriate safeguards.” The group also points out concerning allowances in Spanish and British laws.
And the GDPR faces other threats, including, as the University of Victoria’s Colin Bennett puts it, “continuing pressure from technological, political, and social forces that will demand the freer flow of information about the behaviours and attitudes of voters.” Yet, broadly, the regulation offers modernized rules for an increasingly connected citizenry and in ways that give voters more control over how their data is collected, stored and used. Canadian law makers should take note.
The EU can also be lauded for its tough approach to oversight and rule-breaking in the area of voter privacy, both with respect to the GDPR and other privacy rules. For example, according to recent legislation from the bloc, European political parties can face sanctions for trying to influence the outcome of European Parliament elections with illicitly collected data. An independent authority would verify and penalize potential violations.
Taking Caution from the Approaches in Australia and the US
But there are also countries whose regulatory approaches Canada shouldn’t emulate, like the United States and Australia. For nearly 20 years, Australia’s political parties have been exempt from federal privacy legislation “on the basis of the importance of freedom of political communication.” The arrangement has regularly come to a head over the years, including in one recent example.
In Feburary 2019, Australia’s cyber intelligence agency discovered that a state actor had hacked the networks of the country’s three major political parties, just months before a federal election. The hacker, which was later identified as China, gained access to policy papers and “private email correspondence between lawmakers, their staff and other citizens.” Critics charged that the incident was in part due to parties’ permissive security measures and highlighted the potential for other hacks to go undisclosed, given that parties are not required to publicize breaches.
The situation also underscored the prospect that foreign hackers could use stolen voter data to interfere with Australia’s democratic processes. Given that Canada’s political parties are similarly exempt from federal privacy laws, these anxieties shouldn’t be overlooked.
In the US, experts suggest that political parties’ lax data protection practices are an upshot of the lack of broad privacy laws, the existence of strong freedom of speech and association protections, and permissive campaign finance rules. This confluence of factors has contributed to the immense prevalence of microtargeting in US political campaigns, alongside other troubling uses of personal data.
In politics, microtargeting describes parties’ use of voters’ personal information to segment the populace into groups, which can then be targeted with tailored political content. The practice has been at the heart of a number of privacy scandals in the US in recent years. The most prominent of these is the extensive use of microtargeting by data profiling company, Cambridge Analytica, which, alongside other projects, worked on the 2016 Trump campaign. While in operation, the firm collected data from more than 87 million people globally, including about 620,000 Canadians.
While microtargeting is used by some parties in Canada, it’s nowhere near as pervasive a strategy. Yet, recent examples, coupled with the constrained limitations on Canadian political parties’ activities, could signal an increase in the practice.
The Case for Reform in Canada
One of the greatest challenges facing an expansion to the privacy rules governing Canada’s political parties is that politicians who benefit from limited regulations are effectively gatekeepers to such legislative changes. And certainly, many political candidates may rightly suggest that access to citizens is a critical part of an informed and healthy democracy. But recent violations of voter privacy by parties in Canada, and around the world, show that this access needs to be duly checked. A balance between access to, and protections for, citizens is necessary.
Alternatively, Canadian legislators should consider the opportunities provided by such reform. In December 2018, a survey from Nanos Research found that 36 percent of Canadians are concerned about how political parties use voters’ personal information, and 37 percent are somewhat concerned. Advocating for strengthened legislation in this area would only be a boon to federal party platforms, especially in such a crowded field.
Some have made the case for stronger oversight. The Green Party of Canada includes the issue in its 2019 platform document, which affirms that parties should follow the Privacy Act, the legislation that sets out the privacy rules for the public sector, “without exception.” The three major federal parties, meanwhile, haven’t made any similar affirmations.
Applying learnings from international counterparts, and from the EU especially, should be a first step in the reform process. Earlier this year, Canada’s Office of the Privacy Commissioner and Chief Electoral Officer outlined 10 principles to guide Canadian political parties’ privacy polices, including consent, accountability, limited collection and use of data, and openness. These ideals, many of which are championed by the GDPR, should also inform reform efforts. At the same time, the approaches of countries like the US and Australia, which have weak regulations and histories of privacy contraventions, should serve as warnings.
There’s limited time for political candidates running in the upcoming federal election to bring these lessons to Canadians’ doorsteps — but even if changes are not made in this campaign, they can certainly guide elections to come.
This article first appeared on OpenCanada.org.