Hon. Colin Deacon: Honourable senators, I am rising to speak to Bill C-47, the budget implementation act, 2023, no. 1. You might expect me to focus on the billions intended to spur business investment, but I think Senators Loffreda and Marshall have done a great job there, and I will move on to something else that I am a little bit more focused on, and that is Division 39 of Part 4, at the very end of this 430-page bill.

It appears innocuous enough, introducing what seems to be a reasonable amendment to the Canada Elections Act, the stated purpose being:

. . . to provide for a national, uniform, exclusive and complete regime applicable to registered parties and eligible parties respecting their collection, use, disclosure, retention and disposal of personal information.

When I read this, however, a couple of thoughts came to mind. One, using a budget bill to change the Canada Elections Act challenges the long-standing practice of openly debating these changes in Parliament and arguably sets a troubling precedent. Two, given that there is actually no national, uniform and complete privacy regime governing how federal political parties currently collect, use, disclose, retain and dispose of personal information, what’s going on?

You may recall that we passed the Elections Modernization Act in December 2018. It allowed political parties to self‑regulate their collection and use of personal information linked to Canadian voters as long as they published their privacy policies. This is what the Privacy Commissioner was referring to when he spoke to our Legal Committee — that it was a good first step that they publish those privacy policies, but that those policies don’t live up to the 10 principles under PIPEDA. He also stated that he has no jurisdiction in which to investigate or comment on those privacy policies.

These voluntary policies are not uniform and they are not complete, especially when compared to any reasonable international norms. These voluntary policies don’t reflect the privacy protections that corporations or governments must follow, particularly as it relates to the areas of consent, transparency and accountability. Looking back, I was a bit naive to think any group should be entirely free to regulate their privacy policies, but that’s where we are; no uniform and complete privacy policies govern federal political parties at this time.

In their study of Bill C-47, our Legal and Constitutional Affairs Committee noted that privacy safeguards, or the lack thereof, can impact Canadians’ trust in political parties and, by extension, the electoral process. They recommended that amendments to the Canada Elections Act should follow consultations with the Chief Electoral Officer and the Privacy Commissioner and be introduced in a separate bill to allow for thorough study, noting that neither occurred in this case.

Well before the Facebook–Cambridge Analytica scandal, which was the non-consensual use of private information of tens of millions in a malicious way to influence voters in various elections, Canada’s Privacy Commissioner and Chief Electoral Officer were speaking about voter privacy. For example, in 2012, they raised serious concerns about the lack of privacy protections for Canadian voters.

Two years later, in 2014, then-Minister of State (Democratic Reform) Pierre Poilievre introduced Bill C-23, which was called the Fair Elections Act. It offered no privacy protection to Canadian voters.

Another four years passed. In 2018, Karina Gould, then Minister of Democratic Institutions, testified in defence of Bill C-76, the Elections Modernization Act, before our Legal Committee. When asked about self-regulated privacy protection, she pointed to the need for:

. . . a study to be conducted for parliamentarians, to examine how political parties could be a part of a system to protect personal information.

Interestingly, just as Bill C-76 received Royal Assent, the House of Commons Standing Committee on Access to Information, Privacy and Ethics published just such a study called Democracy under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly. The House Ethics Committee study was in direct response to the Facebook–Cambridge Analytica scandal. This group of elected MPs from across the political spectrum recommended urgent action, including subjecting political parties to the Personal Information Protection and Electronic Documents Act, along with their contractors, like social media platforms, data brokers, polling firms and consultants. Another recommendation read:

. . . grant the Office of the Privacy Commissioner and/or Elections Canada the mandate and authority to conduct proactive audits on political parties . . . regarding their privacy practices and to issue orders and levy fines.

The authors also suggested that the government enact legislation requiring social media companies to create publicly searchable databases of online political advertising; label political advertising; label content that is produced automatically or algorithmically; remove accounts that impersonate others for malicious reasons; and remove harassing, threatening or maliciously manipulated content like “deep-fake” videos, among other recommendations.

To date, Canada’s federal political party leadership has ignored these recommendations from their own caucus colleagues on the House Ethics Committee.

Soon thereafter, the Privacy Commissioner and the Chief Electoral Officer issued a joint statement requesting that our federal political parties voluntarily adopt privacy policies that align with international privacy law standards and that are based on the principles of consent, transparency and accountability. Little or nothing has changed.

I encourage you all to read the various privacy policies of our federal political parties to find evidence that any party has voluntarily implemented the recommendations I have just cited. I did not.

So why is Division 39 even in this budget bill? It seems to be that in 2022, British Columbia’s Information and Privacy Commissioner ruled that federal political parties must adhere to B.C.’s privacy regime governing political parties, and I suspect that is in response to persistent inaction.

The commissioner listed the array of personal data collected without voter consent. It’s eye-opening. Political party privacy policies give voters the right to correct inaccurate information, but those voters have no right to access that information. It includes information from the voter registry but also information scraped from the internet, gathered through apps and social media and by door-to-door canvassers. You currently have no right to ask political parties to stop sharing your information with a third party, like a consultant, polling firm or social media platform. If they suffer a cyber breach, like the government database breach that affected 100,000 Nova Scotians this past week, they have no obligation to let anyone know. Corporations and governments are obligated, and for good reason.

These federal political parties have ignored more than a decade of recommendations from the two officers of Parliament responsible for these issues. They’ve ignored the House Ethics Committee’s carefully researched recommendations. And when B.C. decided enough was enough, the Liberal, Conservative and NDP parties challenged that decision in B.C. Supreme Court. In these hyper-partisan times, I have to say it’s truly remarkable that this is the one issue that Conservatives, NDP and Liberals all agree on.

So why are they fighting so hard? One reason is that each party has an enormous database of granular data linked directly to identified voters. The Conservatives have their Constituency Information Management System, or CIMS; the Liberals have Liberalist; and the NDP has NDP Vote. Each party also has apps that gather extensive data and advanced information management systems to process all that data.

Canadian voter data has many uses, including enabling the micro-targeting of political messaging to like-minded voters within the broader population. When these political party databases are combined with the staggering amounts of highly personal data held by Facebook and other social media and big tech companies, their sophisticated methods can accurately predict who will respond to which type of political messaging with almost instant results.

I liken micro-targeting to digital gerrymandering, and it turbocharges highly divisive wedge politics.

Political organizers openly admit that voters no longer choose their political parties — political parties choose their voters. I, for one, find this troubling.

I first learned about micro-targeting 11 years ago while listening to “Under The Influence,” which is a CBC Radio One show hosted by Terry O’Reilly. I encourage you to listen to his 30-minute archived podcast from April 28, 2012. You will start to understand why the House of Commons Standing Committee on Access to Information, Privacy and Ethics titled their report Democracy Under Threat: Risk and Solutions in the Era of Disinformation and Data Monopoly. They saw the current political party privacy regime was posing a risk to our democratic and electoral reform process, and they recommended urgent action to protect Canadians and democracy.

What do Canadian voters think about political party privacy?

In their report on the 2021 election, Elections Canada found that 96% of Canadian voters want laws to regulate how political parties collect and use their personal information. Our current federal laws are completely at odds with Canadian voters on this issue of trust.

Regardless, the three political parties continue to defiantly ignore the repeated recommendations that they begin to adhere to international privacy standards and third party oversight; to obtain content prior to collecting personal information; and to inform citizens of a personal information breach that might cause them significant harm.

These risks are not hypothetical. In January of this year, the Green Party voluntarily announced the accidental release of names, addresses, phone numbers, birthdates and other data related to party members and supporters. Importantly, they were under no obligation to do so. Would other parties do the same? We may never know.

Does the highly personal data held by the other three national political parties benefit from some exceptional cybersecurity protections? I certainly hope so.

That’s because foreign adversaries could use these troves of detailed personal information to sow division right across Canada. There has been a lot of talk about foreign interference in our democracy this year, yet these parties continue to ignore the risks highlighted by their own MPs five years ago.

Just imagine how unprecedented volumes of granular data tied to identified Canadian voters could enhance the clandestine efforts of Canada’s adversaries, especially as we enter the era of generative artificial intelligence, or AI, built on large databases. This makes our political parties highly valuable cyberattack targets. If it happens, they are under no obligation to tell us.

Canadians are increasingly at the wrong end of a data vacuum. It is now estimated that each Canadian generates an average of about two megabytes of data every second. For perspective, the complete works of Shakespeare are five megabytes of data. That is about two and a half seconds’ worth of the data that each of us generates from our digital devices and activities. That is why citizens want control of their data. In most countries, they have it. We know that there is a lot of it, but we don’t know what is done with it.

Our Standing Senate Committee on Banking, Commerce and the Economy has been examining the issue of business investment in the digital era. We have heard from venture capital investors and founders of some of the most incredibly fast‑growing tech companies. Each one relies on data to create value that they export globally. They all emphasized that their company’s success demands that they establish and maintain a strong social contract with citizens — this being the right for individuals to control their data, and to have confidence and trust in how that data is used.

In the opinion of those globally successful investors and entrepreneurs, this social contract — this trust — is foundational to Canada’s future prosperity.

In a recent op-ed in The Hill Times, University of Victoria political science professor Colin Bennett, who has been researching this for a decade, wrote:

Political parties are regulated under privacy law in almost every other democratic country in the world, including those regulated under the European Union’s General Data Protection Regulation.

He also stated that the regulatory gap in Canada has become untenable and indefensible.

Where to from here?

Well, we know what has not worked. The leadership, executives and boards of the New Democratic Party, Liberal Party and Conservative Party have consistently ignored the will and advice of the two officers of Parliament responsible for privacy and elections. They have ignored the House of Commons Ethics Committee, and they have refused to voluntarily adopt privacy policies that align with global norms.

Instead of heeding this advice, the government is now including — in the budget implementation act of all places — a Band-Aid clause that allows the three parties to maintain the status quo. Perhaps we should invite the presidents of these federal political parties to explain the reasons and evidence behind their inaction. Maybe they have evidence that, somehow, democracy in Europe has been undermined by the General Data Protection Regulation’s voter privacy protections.

Hon. Colin Deacon: I’ll finish off my last two sentences now. Like corporations and governments, political parties need to start adhering to strong international norms and give individual Canadians control over their personal data and its use. Not only is this resulting trust central to individual and collective sovereignty of Canadians, it’s foundational to our future prosperity and democracy. Thank you, colleagues.