I thank you for the opportunity to appear before your committee and to speak about this important issue.
I am a professor of political science at the University of Victoria and have been studying privacy protection issues for nearly 30 years in Canada and internationally. I've written or edited six books on the subject and numerous articles. I'm currently in receipt of a grant from the Social Sciences and Humanities Research Council to study privacy protection of social media. I'm also working on this same subject under a contributions grant from the Office of the Privacy Commissioner of Canada.
The privacy questions raised by social networking services are broad and dynamic, as you've no doubt discovered. Social networking challenges some of the traditional approaches and assumptions behind our privacy protection laws. As you've just heard, it requires extensive education.
The Privacy Commissioner of Canada has already outlined the privacy principles that should apply to social media. Her office has been at the forefront of global efforts to ensure that big data companies abide by established privacy rules and practices. But social media is not just out there, and it's not just about Facebook, it's also about our own organizations and our own practices.
Rather than discuss social networking in all its manifestations, I want to address an area of social networking and privacy that is far closer to your own experiences and lives as politicians. I want to raise a set of questions about how your own political parties use social networking services, and indeed, other sources of personal information to build databases about Canadian citizens.
I have just co-authored a report on privacy in Canada’s political parties for the Office of the Privacy Commissioner. This work was started back in 2011 and was published earlier this year. I'd like to take this opportunity to summarize the main findings, because I think this relates closely to the subjects of your inquiries.
Canada’s federal political parties can and do collect a large amount and variety of information on Canadian citizens: on voters, volunteers, donors, members, and supporters. A disparate and fluctuating number of employees and volunteers might also have access to these data, individuals who may have no privacy and security training. Increasingly, these data are communicated through highly mobile and dispersed electronic formats, and increasingly, they are captured through the observation of social networking activity.
Canadian parties now operate extensive voter management databases; they have been doing so for some time. There are the Conservatives' constituent information management system, CIMS, Liberalist, and NDP Vote. The foundation of these databases is the electoral list provided under the authority of the Elections Act by Elections Canada, but upon that framework, a large and increasing range of other data about voters is added and analyzed.
These data come from a variety of sources: telephone polling, traditional canvassing methods, petitions, letters, commercially available geo-demographic and marketing databases, and indeed, from social networking services. Overall, however, for a variety of reasons, the contents of those systems are shrouded in some secrecy.
As new technologies pioneered in U.S. elections increasingly play a role in modern campaigning, so the range and variety of personal data available to parties will increase, and so will the concerns about the protection of personal privacy.
Here are some examples: smart phone applications for political canvassers; targeted online advertisement software; targeted e-mail campaigns, which match IP addresses with other data sets showing party affiliation, donation history, and socio-economic characteristics; sophisticated market segmentation strategies aligning online and offline behaviour; extensive use of robocalling and robotexting; and, of course, the use of social networking and social media to plan campaigns, to target likely voters and donors, and to measure impact and engagement.
Social media not only provide a convenient method to target likely supporters, but also to capture increasingly refined information about the preferences and behaviours of voters, and their contacts and their friends. These developments have received much attention in the current U.S. election cycle. One of the most notable trends is the increasing use of customized and targeted political advertisements based on the digital trails individuals leave through their social networking activities. A recent report suggests there were no fewer than 76 different tracking programs that were observable on www.barackobama.com.
Surveillance during Canadian elections is less extensive and is less intrusive—well, so far. Nevertheless there have been a number of recent controversies that have raised concerns about the practices of political parties and have raised the profile of this issue.
The Privacy Commissioner has also received a number of complaints and inquiries about the activities of our political parties over the last several years, and they've also been raised to some extent in the provinces. However, she can do little to address these inquiries because, unlike in most other democratic countries, Canadian federal privacy protection law does not cover our political organizations.
Parties do not engage in much commercial activity and are therefore largely unregulated under the Personal Information Protection and Electronic Documents Act, PIPEDA, or substantially similar provincial laws. They're not government agencies and therefore are unregulated by the Privacy Act. The only federal law that really governs their privacy practices is the Canada Elections Act, but that legislation only applies to those voter registration data collected and shared with parties and candidates under the authority of that legislation.
Parties are also exempt from the new anti-spam legislation, Bill C-28, as well as from the do not call regulations administered through the CRTC. Thus, for the most part, individuals have no legal rights to learn what information is contained in party databases, to access and correct those data, to remove themselves from the systems, or to restrict the collection, use, and disclosure of their personal data. For the most part, parties have no legal obligations to keep that information secure, to only retain it for as long as necessary, and to control who might have access to it.
Virtually every other public or private organization in Canada must abide by these basic rules, so why should political parties be different? Of course, I concede that political parties play a critical role in our democracy. Parties need personal information to mobilize and to educate voters and for a variety of other reasons, and it has been claimed that these important functions outweigh the arguments for regulation and that therefore voluntary self-regulation will suffice, but as our report demonstrates, the current voluntary policies of our main federal political parties are incomplete, and they are inadequate.
From the point of view of an ordinary supporter or contributor, or potential voter who wishes to exercise control over his or her personal information, the existing voluntary privacy commitments of Canada’s main federal parties are often difficult to find, often inconsistent, and often somewhat vague.
No party is any better or worse than any other here—I'm not picking winners or losers—but there's little evidence, frankly, that any of your parties has given sustained consideration to privacy and to the risks associated with amassing vast amounts of personal data. For example, there's no link to privacy on the home pages of either the Liberals or the NDP, the last time I checked. There is a link on that of the Conservative Party, which is fairly prominent, but their policy is also somewhat incomplete, and it contains vague assertions and exemptions.
It would be my preference for Canadian federal political parties to be brought within the statutory requirements of PIPEDA and therefore under the authority of the Privacy Commissioner of Canada. I would urge the committee to consider that. However, in the meantime I think more can be done on a voluntary basis.
I think it would be a good idea—and I have read that some political parties have already done this, but it's not necessarily prominent—that all federal political parties declare that they voluntarily abide by the obligations in PIPEDA. It would be a good idea for them to revise their privacy policies and base them on the 10 privacy principles upon which PIPEDA is based, and to publish these more prominently. I think all parties should appoint a responsible official, the equivalent of a chief privacy officer, who would have overall responsibility for the collection, use, and dissemination of personally identifiable information. All political parties should adopt appropriate risk management strategies in case of data breaches. Data breaches are seen in many other areas of our life, in the public and the private sector. I think there should be training of staff and volunteers on privacy and security issues.
It may be that some of those activities are already occurring. I don't wish to be too critical, but my point is that it's not necessarily obvious, and therefore it's very difficult for individuals and ordinary voters and supporters, etc., to find out what their rights are.
These questions are not just about privacy. Lack of attention to the protection of personal information can erode the trust that Canadians have in the political parties and in our democratic system. In an age of social networking, being more proactive about privacy protection and providing those necessary assurances is also good organizational practice.
In summary, I applaud the committee’s attention to these challenging issues concerning social media and to the practices of big data companies such as Facebook and Google. There's been a great deal written about that subject, and I can certainly talk about those wider issues. At the same time, little attention has been given to the questions that I raise here, which I think are very much related to the topic of your inquiry and, of course, to your own individual work.
I would encourage you, therefore, to think about what I've said and to work within your own organizations to get your own houses in order and to encourage your respective parties to follow the same set of information privacy principles that apply to most other Canadian organizations.
I fear that controversies about parties and privacy protection of voters will only continue. The appropriate management of personal data in an era of extensive online social networking is not only in the interests of individual citizens, but also in the interests of your own parties and of the long-term health of our political system.
Thank you very much for your attention.
