Thursday Thinkpiece: Bennett & Bayley on Political Parties and Privacy Legislation

Each Thursday we present a significant excerpt, usually from a recently published book or journal article. In every case the proper permissions have been obtained. If you are a publisher who would like to participate in this feature, please let us know via the site’s contact form.

Canadian Federal Political Parties and Personal Privacy Protection: A Comparative Analysis
Colin J. Bennett & Robin M. Bayley
Commissioned by the Office of the Privacy Commissioner of Canada
Privacy Research Papers, March 2012

Excerpt chosen by Slaw.

[Footnotes are omitted. They are available in the full version via the hyperlink above.]

Federal and Provincial Privacy Legislation

Political parties fall between the cracks of a national privacy regime that grew up pragmatically, and with necessary sensitivities to the constitutional division of powers. The 1982 Privacy Act regulates government institutions, explicitly referenced in Section 3 of that Act, which does not include political parties. The only real consideration for political issues in this legislation is the provision that federal ministries are authorized to disclose personal information “to a member of Parliament for the purpose of assisting the individual to whom the information relates in resolving a problem” (S. 8 (2)(g)).

Political parties are not covered by the federal private sector legislation (PIPEDA), either. Part 4 (1) of PIPEDA stipulates that “This Part applies to every organization in respect of personal information that:

(a) the organization collects, uses or discloses in the course of commercial activities; or

(b) is about an employee of the organization and that the organization collects, uses or discloses in connection with the operation of a federal work, undertaking or business.

Political parties do not meet the definition of “federal work, undertaking or business.” Moreover, it is likely a stretch to suggest that the political activities of political parties are “commercial activities” with the exception of the small aspect of their operations relating to the sale of party merchandise, and perhaps where fees are charged for database access within the Conservative party and possibly others. But general fund-raising by political parties is not considered a commercial activity. By extension, the recently proposed amendment to PIPEDA (Bill C-12, Safeguarding Canadians’ Personal Information Act.), including the new requirements for the notification to the Office of the Privacy Commissioner of data breaches, would not apply either.

Neither are political parties covered under Canada’s new Anti-Spam legislation, designed to prevent unsolicited email. Political parties and charities are explicitly exempted if their email communications do not involve selling or promoting a product. Further exemptions apply when organizations engage in commercial activities with people who have made a donation or gift in the last 24 months, volunteered or performed volunteer work in the last 24 months, or were a member of the organization in the last 24 months. These exceptions would also apply, therefore, to political parties and to candidates in federal, provincial, territorial or municipal elections.

Political parties and other political entities are also exempted from the “Do not Call List” procedures implemented through the CRTC. As provided for in section 41.7 of the Telecommunications Act, the National DNCL Rules do not apply in respect of a telecommunication:

(c) Made by or on behalf of a political party that is a registered party as defined in subsection 2(1) of the Canada Elections Act or that is registered under provincial law for the purposes of a provincial or municipal election; (d) made by or on behalf of a nomination contestant, leadership contestant or candidate of a political party described in paragraph (c) or by or on behalf of the official campaign of such contestant or candidate; (e) made by or on behalf of an association of members of a political party described in paragraph (c) for an electoral district;

Although political parties are exempt from the prohibition against calling numbers on the do not call list maintained by the CRTC, some of their calling practices are regulated. Under CRTC Automatic Dialing-Announcing Device (colloquially known as “robo-call”) Rules, they are limited by time of day and required to identify the person on whose behalf the call is made and provide contact information, and display the originating phone number. They must also maintain an internal do not call list, but are not obliged to disclose this to callers.

The only provincial privacy legislation, substantially similar to PIPEDA, that has been held to cover political parties is BC’s Personal Information Protection Act (PIPA), which unlike its equivalents in Alberta and Quebec, defines an organization to include “a person, an unincorporated association, a trade union, a trust or a not for profit organization” and does not limit application to commercial activities. The recent case involving the BC NDP, described above, confirms the jurisdiction of the BC Information and Privacy Commissioner over political parties. As far as we know, this is the first time that a Canadian commissioner has formally investigated the internal operations of a Canadian political party. A precedent has therefore been set, at least in BC. A further interesting dimension of the issue is raised with respect to federal political parties, to the extent that they are collecting personal information in British Columbia. The law is untested, but it can be argued that the federal parties are also acting as non-profit organizations under BC PIPA and would be subject to the various requirements of the BC legislation with regards to their personal information practices within British Columbia.

However, it should also be noted that BC’s PIPA does not apply to “the collection, use or disclosure by a member or officer of the Legislature or Legislative Assembly of personal information that relates to the exercise of the functions of that member or officer.” Similar exemptions for provincial politicians appear in other provincial information and privacy statutes relating to the public sector. In 2007, the former BC Information and Privacy Commissioner explicitly refused to investigate a complaint that the constituency office of a federal member of parliament had improperly disclosed personal information contrary to PIPA, on the grounds that he did not have jurisdiction. Thus the distinction between information collected by elected officials, and that collected by federal and/or provincial political parties will sometimes be difficult to define, and will presumably raise interesting questions of jurisdiction for information and privacy commissioners.

…….

Conclusions

Canadian federal privacy protection law does not cover federal political parties. Parties do not engage in much commercial activity and are therefore largely unregulated under PIPEDA, or substantially similar provincial laws, with the exception of PIPA in BC, which applies to personal information practices of all organizations acting within the province. The Privacy Act does not cover political parties. The only federal law that governs their practices is the CEA. But this legislation only applies to those voter registration data collected and shared with parties and candidates under the authority of that legislation. It leaves unregulated the collection of personal data captured by parties from other sources.

As Canadian parties continue to capture and process personal data, there are likely to be further incidents and media coverage of data breaches, non-consensual use and disclosure of personal information and unsolicited marketing practices. Presumably, there will continue to be pressure on the Office of the Privacy Commissioner to respond, despite the Commissioner’s lack of jurisdiction.

There is now a commonly accepted understanding in Canada of what it means for an organization to process personal data responsibly. Essentially, those responsibilities are outlined in the code of fair information practices embodied within Schedule I of PIPEDA. Canadians have gradually grown to expect that they have certain personal information rights, and that organizations have certain responsibilities.

Yet, the current reality is that the parties are managing vast databases within which a variety of sensitive personal information from disparate sources is processed. For the most part, individuals have no legal rights to learn what information is contained therein, to access and correct those data, to remove themselves from the systems, or to restrict the collection, use and disclosure of their personal data. For the most part, parties have no legal obligations to keep that information secure, to only retain it for as long as necessary, and to control who has access to it.

This report has presented information drawn from a large range of public sources about the nature and scale of these issues. It is, however, only an overview and there is clearly need for some more comprehensive research. It is also obvious that the questions concerning the personal information practices of Canada’s federal political parties are ongoing and will continue as long as they need and use this information. There is therefore a need for further engagement with the various stakeholders, and for a broader public debate.