The Canadian government has once again sidestepped public debate by embedding broad privacy exemptions for political parties into a piece of unrelated legislation.
Bill C-4, framed as a response to economic challenges, includes clauses that effectively remove political organizations from the reach of both federal and provincial privacy laws. The changes are not just forward-looking; they apply retroactively to May 31, 2000.
If passed in its current form, Bill C-4 will entrench a system where political parties have free rein to mine personal information with minimal transparency and zero independent oversight. The retroactive nature of these changes adds a further layer of concern, effectively erasing any liability for past misuse. Canadians deserve better than opaque policy maneuvers that trade their privacy for partisan convenience.
According to Professor Michael Geist, this move appears designed to pre-empt a legal challenge in British Columbia where provincial privacy rules were applied to federal political parties. That case is currently under appeal. Rather than allow the court process to unfold, the federal government has taken steps to undercut it entirely by granting all parties legal immunity from most data protection statutes outside the Elections Act.
Although a previous attempt to implement similar measures, Bill C-65, failed to pass during an earlier session of Parliament, it at least introduced some checks, such as breach notifications and limits on selling personal information.
Those provisions are nowhere to be found in Bill C-4, which takes a more aggressive approach by eliminating safeguards and reaching back a quarter-century to retroactively legitimize any privacy violations.
At the core of the exemption is a clause that authorizes political parties and anyone acting on their behalf, whether candidates, staffers, or volunteers, to collect, share, retain, and dispose of personal information as they see fit, so long as their own internal policies permit it.
The bill states:
“In order to participate in public affairs by endorsing one or more of its members as candidates and supporting their election, any registered party or eligible party… may… carry out any activities in relation to personal information… in accordance with the party’s policy for the protection of personal information.”
Not only are political parties excluded from provincial privacy laws, but they also cannot be compelled to disclose what personal data they hold, provide access to it, or correct inaccuracies, even if individuals request it. The legislation makes clear that such responsibilities simply do not apply.
One provision reads:
“For greater certainty, the registered party, eligible party or person or entity acting on the party’s behalf cannot be required to provide access to personal information… or to correct — or receive, adjudicate or annotate requests to correct — personal information…”
The only formal requirement is that each party must publish a privacy policy. That document must list the type of information the party collects, offer examples of how it is used (such as cookie tracking or online outreach), identify a privacy officer, and describe what training staff and volunteers receive. Beyond that, there are no limits on what can be collected or how it can be used.
There is also no role for privacy commissioners. No oversight body is empowered to investigate misuse or enforce the few obligations that do exist. Political parties are left to self-regulate, with no consequence for failing to meet even their own stated policies.
