Mike Larsen President, BC Freedom of Information and Privacy Association
Faculty, Criminology Department, Kwantlen Polytechnic University
Victoria May 7, 2026 – The wholesale violation of the privacy rights of millions of members of the Alberta electorate is, in part, a consequence of deliberate decisions made by government to exclude political parties from meaningful privacy laws.
This issue is not confined to Alberta, and while the actors at the centre of the egregious and harmful data breach are right-wing separatists, the failure to protect the political privacy of Canadians transcends partisan divisions. This failure is not a matter of accident or omission, but a matter of policy that emerges from the confluence of two positions:
First, the recognition that the collection and use of personal information is indispensable for political parties (and affiliated contractors and movement organizers) seeking to gain or retain power. Elections databases are an integral foundation for these efforts, but modern political campaigns make use of a wide array of data brokers, apps, and algorithms to connect with target audiences. Engagement and mobilization are data-intensive endeavours, and advances in artificial intelligence have the potential to bridge the gap between macro-level campaigns and micro-targeted influence.
Second, the belief that political parties should not be subject to the rules that govern the collection, use, or disclosure of personal information by public bodies or commercial organizations. Instead, they should be trusted to develop and follow their own privacy policies under loose frameworks set out in elections laws, and beyond the remit of independent commissioners with investigative or enforcement powers.
Taken together and enacted in law and policy, these positions create a recipe for the violation of privacy rights. Alberta provides an illustration of the potential consequences, but the latest legislative attack on political privacy is currently – and quietly – unfolding in Ottawa.
A ‘just trust us’ approach to privacy
This week, the House of Commons Standing Committee on Procedure and House Affairs is discussing Bill C-25, the Strong and Free Elections Act, which was introduced on March 26. C-25 comes on the heels of Bill C-4, An Act respecting certain affordability measures for Canadians and another measure, which passed earlier this year. That bill retroactively exempted federal political parties (FPPs) from any provincial privacy laws and made them responsible for developing and administering their own in-house privacy policies. This was a direct effort to short-circuit an ongoing court case that concerns the application of BC’s Personal Information Protection Act (PIPA) to FPPs. The bill also ensured that people in Canada have no legal right to request access to their own personal information held by FPPs and that Canada’s Privacy Commissioner has no authority to investigate FPP’s handling of personal information. This regime is similar to the situation in Alberta, where the provincial Personal Information Protection Actdoes not apply to political parties.
It is important to note that C-4 was supported by the federal Liberals, Conservatives, and NDP, and that it passed despite serious misgivings expressed by the Senate Legal and Constitutional Affairs committee (LCJC) that reviewed it.
The lack of partisan opposition, coupled with the embedding of the privacy provisions within what was ostensibly a finance bill, meant that C-4’s revisions received minimal attention from the media. The bill was initially reviewed by the Finance Committee, as opposed to the House Standing Committee on Ethics, Access to Information, and Privacy (ETHI), which would normally consider bills related to privacy. Despite this, a number of civil society organizations appeared before the Committee and submitted briefs that raised alarms about C-4’s erosion of political privacy rights. Representatives of the FPPs also appeared before the House and Senate committees, where they downplayed these concerns as alarmist and noted that the complete absence of meaningful privacy rules in C-4 did not preclude such measures from being added at a future date.
The official summary of the Strong and Free Elections Act, C-25, indicates that the bill will amend the Canada Elections Act to, among other things, “provide for new requirements relating to political parties’ policies for the protection of personal information”. In practice, however, the amendments hold FPPs to standards far lower than those associated with public bodies or businesses.
C-25 requires a political party to “protect the personal information that is under its control through physical, organizational and technological security safeguards with a level of protection proportionate to the sensitivity of the personal information”, but it does not set out any enforceable minimum standards or make reference to the internationally-recognized privacy principles associated with Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) or Privacy Act. In contrast with federal and provincial privacy laws, C-25 also sets no limits on the collection, use, disclosure, or retention of personal information. It does not require that individuals consent to the collection of their personal information, and it retains C-4’s lack of independent oversight.
The House of Commons completed its second reading of C-25 on April 24, at which time the bill was referred to the Standing Committee on Procedure and House Affairs for study. The Committee scheduled meetings on May 5 and May 7, made no effort to inform or invite submissions from any of the independent or civil society witnesses who appeared in relation to C-4, and left a window of 24 hours (ending Friday, May 1) for the submission of written briefs. Despite the ridiculously short window of opportunity, a coordinated push from a number of groups meant that a half-dozen written briefs were quickly drafted and filed, and a number of representatives requested to appear as witnesses. It remains to be seen whether the PROC members will have the time to consider the submitted briefs and if additional witnesses will be called.
The BC Freedom of Information and Privacy Association brief can be found here.
What now?
The way that political parties collect, use, and disclose – or, as the case may be, over-collect, misuse, and distribute for partisan purposes – personal information is fundamentally connected to the functioning of our democratic processes. As a general rule, the strength of privacy protections and the guardrails around the handling of personal information should ‘scale up’ according to the sensitivity of the data in question, and this means that we should have every right to demand clear, strong, and enforceable rules governing the handling of data that is directly related to democratic participation.
This means that the two positions outlined above – the recognition that personal information is indispensable for political parties and the belief that political parties should be held to a different and lesser standard in their handling of this information – are incompatible with participatory democracy.
If political parties wish to engage in datafied campaigning, they must be forced to adhere to strong privacy rules. It is difficult to find people who disagree with this position, save for the politicians and political party officials who directly benefit from a ‘light touch’ privacy regime.
If we want to avoid a repetition of the Alberta data breach and prevent the mishandling of personal information by political parties – provincial or federal – we need to push for law reform. Bad structures empower bad actors, and we are currently witnessing the entrenchment of a bad structure via C-25.
It doesn’t have to be this way. There are perfectly reasonable proposals that would bring political parties under the auspices of the laws that govern private sector organizations and nonprofit societies. Provincial and federal information and privacy commissioners have repeatedly called for this sort of framework, as have civil society groups. In BC and Quebec, provincial privacy law already applies to political parties.
There are opportunities to take action.
At the federal level, Canadians can sign and share House of Commons petition e-7237, initiated by the BC Freedom of Information and Privacy Association and sponsored by Green Party leader Elizabeth May. The petition calls upon “the House of Commons to oppose or repeal any changes to the Canada Elections Act, during the 45th Parliament, that have the effect of exempting political parties from privacy obligations that they are or were subject to; and impose enforceable privacy obligations equivalent to widely accepted Canadian fair information principles, including meaningful rights of access and independent oversight, prior to the next federal general election.” A coalition of civil society organizations, including FIPA, Open Media, and the Canadian Civil Liberties Association, supported by the Centre for Digital Rights, have launched a coordinated effort to promote this petition and support it with research and background material.
Provincially and federally, people can contact their elected representatives and ask them where they stand on the matter of political privacy. When doing so, it is important to not accept appeals to policy and rhetorical commitments to ideals. The question is simple: Do they believe that personal information protection laws should apply to political parties?
People can contact their Member of Parliament and call on them to amend C-25 to address the embedded political privacy gaps.
