Good morning. I'm delighted to be with you again today and to appear with my colleague, Professor Giasson.
I am a professor of political science at the University of Victoria. I have been studying and publishing on privacy protection issues for around 30 years in Canada and internationally. In 2012, I co-wrote a report for the Office of the Privacy Commissioner on the use of personal data by Canadian political parties. Since then, I have been researching the nature and influence of data-driven elections in Canada and overseas, and I have been warning about the implications for privacy and other democratic values.
The current controversy that you are investigating raises a range of interrelated issues, and it is important to carefully distinguish them. There is the monopoly power of companies like Facebook in the platform economy, the harvesting of data on one's social network through third party applications, violations of campaign spending limitations, issues concerning the accountability of targeted political ads, cyber-threats to election integrity, the larger role of big data in our elections, and what I really want to talk about today, which is the role political parties play in data-driven elections and their relationship with our regime of privacy protection.
Cambridge Analytica and AggregateIQ are part of a larger voter analytics industry. There are many other companies, mainly American, that have taken advantage of more flexible privacy standards in the U.S. and the ability to process vast amounts of personal information from public and commercial sources, used to micro-target consumers in an increasingly granular manner.
There has been a lot of hype about the importance of big data in elections and recent scholarly work that sheds a skeptical light on the extent to which data analytics do indeed influence election outcomes. Nevertheless, the competitiveness of current elections continues to place enormous pressure on major political parties in most democracies to continue to use data analytics to gain any edge over their rivals. Thus, more data on voters are being captured, and those data are increasingly shared through a complicated and dynamic network of organizations involving some quite obscure companies that play important roles as intermediaries between the voters and their elected representatives.
This industry is not as extensive in Canada, but there is still a large variety of businesses that offer various services on polling, data analytics, software development, digital ad placement, social media outreach, and so on. We lack a comprehensive understanding of the role that personal data plays in the political process in Canada, and we lack an accurate picture of this industry. I'm going to let my colleague, Professor Giasson, speak more about this.
I have followed your hearings very carefully. The investigation is an important beginning, but it is only a beginning, and we need a lot more analysis. I would like to make three general points about policy development going forward.
My first point is the critical importance of bringing Canadian privacy law in line with the GDPR. The recent decision of Facebook to move the data on all its non-European users from Ireland to the United States is motivated in part by a desire to escape some of the more stringent rules inherent in the GDPR. To discourage this kind of jurisdiction shopping, it is critically important that Canada raise its privacy standards to make it more difficult for companies to engage in this kind of behaviour. Your February report is an excellent start.
Particularly critical for these issues about the processing of information on political opinions, which is defined as sensitive to data in the GDPR, is the need, first, to strengthen PIPEDA’s consent provisions; second, to implement provisions for algorithmic transparency, as you advise; third, to make privacy by design and default central legislative principles in PIPEDA; fourth, to strengthen the Privacy Commissioner’s audit and enforcement powers; and last, to clarify those categories of sensitive personal data, including those on political opinions.
My second point is that there is a pressing need to bring our political parties within Canada’s regime of privacy protection law. I have testified about this to you before. One of the keys to preventing the kinds of abuses we've seen in other countries is to establish some clearer and consistent rules on the kinds of data that political parties may use for campaigning purposes. We need to establish a level playing field that essentially prevents companies like Cambridge Analytica from engaging in the same practices in Canada that have been witnessed elsewhere.
We are one of the only advanced democratic countries where privacy protection law does not cover political parties. For the most part, they are not covered by PIPEDA. They are not government agencies. They are not covered by the Privacy Act. They are also largely and expressly exempt from the anti-spam legislation, as well as from some of the do-not-call list regulations administered through the CRTC. There are privacy and security rules within the Canada Elections Act, but these apply to the voters lists, not to other sources of personal information.
Thus, with respect to political parties, Canadians do not have the legal rights that they have with respect to both government agencies and commercial operations.
Moreover, whereas the Privacy Commissioner can investigate Facebook, he cannot investigate the practices of our political parties, so he cannot get the full picture in the way that the Information Commissioner in the U.K. can, and is, under her current investigation.
There are four legislative options with respect to regulating federal political parties: the Privacy Act, the Canada Elections Act, PIPEDA, and stand-alone legislation. There is a need for serious legal and constitutional analysis about the various legislative options, because each approach has its pros and cons. I could go into this in the Q and A, if you'd like.
However, it does appear to me that the status quo in this respect is untenable. First, there is going to be continuing publicity about the use of personal data in elections, which will only increase leading up to the federal election of 2019, particularly with respect to political micro-targeting on Facebook.
Second, it should be noted that political parties do have to comply with B.C.'s privacy law, the preferred Personal Information Protection Act. The commissioner in B.C. is currently investigating the practices of B.C.'s provincial parties. I believe, as do many, that federal political parties are also governed by this legislation to the extent that they are capturing information on voters in B.C. If federal parties have to comply with B.C.'s privacy legislation, which is consistent with PIPEDA, then there is no sensible reason why they should not extend those same good practices across the country.
Third, I do sense a growing recognition among parties that pursuing good privacy management practices is in their interests, as well as those of citizens.
Finally, therefore, my third point is that political parties should self-regulate as far as they can to improve their privacy policies and practices. Legislative change might take some time. In the meantime, though, there is much that parties can do to self-regulate and restore public confidence.
I have analyzed the privacy policies of federal and provincial political parties, and the commitments that have already been made. I've shared this paper with the committee, and I understand it's being translated.
There have been some improvements since our 2012 report, but they are still incomplete and, in my view, inadequate. None provide clear commitments against all 10 principles contained in the national privacy standard, which is at the heart of PIPEDA.
I don't see why all parties can't publicly endorse these principles and adhere to a common privacy code that comprehensively addresses the protections for all personal information under their control. It's not enough, but it would create a more level playing field. In 2013, the Chief Electoral Officer recommended that adherence to such a code be a condition for receiving the voters list. It's unlikely that one party would pursue such a course on its own, so leadership will be necessary, involving the CEO and the Privacy Commissioner.
In my view, in terms of what should change, there should be greater transparency on the sources of data, captured directly or indirectly, that enter parties' voter relationship management systems; a common commitment that parties do not and will not purchase commercial sources of personally identifiable information; an agreement on how social media platforms should, and should not, be used for electoral purposes, particularly with respect to automated bots; commitments to privacy accountability, including designated chief privacy officers, and better training of staff and volunteers on privacy and security; stronger commitments to provide rights of access and correction to individuals; better management and updating of internal do-not-call lists; a common commitment to provide unsubscribe options for email and text messages; better management of the access to party databases; and clearer policies about how to respond to data breaches.
None of this should be difficult or contentious, and I don't think it should be a party-political issue. Political parties have a responsibility to educate and mobilize the electorate, but there should also be an appropriate balance between their important interests and roles and the privacy rights of Canadians.
No organization likes data breaches—just ask Facebook. Just think of the ramifications of a major data breach for any political party in the course of an election campaign.
Thank you very much for your attention.