A conventional way to look at the government-related collection of data is through the Privacy Act lens, which successive commissioners, going back well before even the creation of PIPEDA, have argued is insufficient and inadequate. Government has consistently failed to hold itself to the same standard that it expects of the Privacy Commissioner. We know the reason why privacy commissioners have regularly raised it, but it has rarely risen to the level of actual reform.
If the question is more around political parties and their potential application—we've had several witnesses raise this—I think if we're honest about it, it's pretty obvious why they're not included. It's because political parties have grown addicted to access to that data. They value that data and, quite frankly, they fear that if they had to actually get the same level of consent that they are expecting businesses to obtain from users, they wouldn't get that consent and it would put that data at risk.
For me, this highlights two things. First, I just think it's so obvious: If you claim that there's a fundamental right to privacy and you're going to elevate the expectations for businesses, please put up the mirror and have that same expectation for yourselves as political parties.
It also highlights why there are real challenges with the law with respect to the private sector. Just as political parties don't want to have any sort of limitations on the collection and use of the data outside of some bare bones sort of legislation, so too for lots of businesses. They would also say that they are super innovative and acting in the public interest or have a legitimate interest. We know all the kinds of language that comes out of this. Fundamentally, they don't want to have to ask for actual, informed consent because they know they might not get it.
We can see why you need to ensure in these rules that we hold those businesses to a higher standard. I'd argue that we ought to be doing the same thing for political parties.