In light of growing concerns about whether political parties are doing enough to safeguard the information they collect on Canadian voters, Privacy Commissioner Daniel Therrien says both he and the chief electoral officer should be given the authority to ensure parties follow their own rules.
Therrien made that argument to members of the House of Commons access to information, privacy and ethics committee on Tuesday. His appearance came in the wake of a scandal sparked by news that Facebook allowed the political analysis firm Cambridge Analytica to harvest the data of roughly 87 million users. The firm used the personal information in support of work it did for the election campaign of now-U.S. President Donald Trump, and for the campaign to push Britons to vote to leave the European Union.
NOTEBOOK: In 240 Facebook ads, the Conservatives take aim at 16 Liberal MPs
In Canada, political parties maintain vast databases of voter information but are not subject to privacy regulations, except for the internal rules they set for themselves. Therrien said it’s high time for that to change. The privacy commissioner and the chief electoral officer should both have the authority to investigate whether political parties are adhering to their own policies on voter data, he argued.
“Ideally, I would say the two institutions would be able to verify what is happening,” Therrien said.
The past several weeks have seen escalating concerns and questions around the process of how political parties and companies gather and analyze the information they collect either on voters or consumers.
The intensity of focus on the matter is a result of former Cambridge Analytica employee and now whistleblower Christopher Wylie speaking publicly to the media earlier this year. The revelations have prompted a global backlash against both Facebook and Cambridge Analytica, as well as a slew of investigations by privacy authorities around the world.
WATCH BELOW: Cambridge Analytica Canadian whistleblower alleges Vote Leave ‘cheating’ may have affected Brexit result
Therrien is currently in the middle of his own investigation into the scandal. He is looking at whether Facebook failed to protect the personal information of Canadians by allowing it to be harvested by Cambridge Analytica.
As well, concerns also escalated domestically last month, following reports that Wylie had been briefly contracted by the Liberal Caucus Research Bureau for a pilot project involving social media monitoring.
Wylie had also worked in the offices of both former Liberal Party leaders Stephane Dion and Michael Ignatieff.
It was news to no one in political circles that all parties maintain extensive databases on voter information. But the reports raised questions. Wylie was not hired for further work over concerns his proposals were considered too invasive.
Specifically, concern focused on where, exactly, political parties draw the line when it comes to collecting, using and analyzing voter data — and whether there are enough rules in place to restrict them from going too far.
Therrien made it clear to the committee that he thinks the answer is no, and that clear oversight is needed.
READ MORE: A chronological look at the evolution of data mining in Canadian politics
In Canada, political parties are not subject to privacy protection laws and can collect vast stores of data on voter preferences and political views. They can then use those databases to profile and micro-target voters.
This has led to situations like Conservative MP Cheryl Gallant sending birthday cards in 2006 to constituents based on data obtained through applications they had made for passports. Canadians have no right to know what data political parties have on them or to ask for it to be removed.
Political parties maintain their own codes of conduct around the handling of personal information in their voter databases, but there is no external oversight to make sure a party is actually following the rules it has set up for itself.
“These are voluntary codes and no one independent from the parties examines whether they are actually living up to the promises they made,” Therrien said.
WATCH BELOW: Canada’s political parties using Facebook to target you
Therrien also flagged concerns about privacy laws more broadly, and said his office needs greater powers to proactively investigate the activities of companies to make sure they are abiding by privacy regulations, given persistent cases of leaks of personal information in recent years.
Giving Canadians greater control and say in how their information can be used by companies is also essential, and Therrien said recent sweeping changes to privacy laws in Europe aimed at cracking down on companies that fail to protect personal information could provide a good standard for Canada to create new rules of its own.
“It is more than time that Canada legislate,” he said.
Last year, the European Union approved the General Data Protection Regulation (GDPR), which will come into force next month.
The GDPR essentially overrides the patchwork system of privacy regulations previously implemented among various European states and replaces them with a single cohesive system for the bloc as a whole.
READ MORE: New European privacy regulation will impact Canadian businesses
Legal experts analyzing that legislation have noted that among its provisions is a stricter requirement on how companies can collect and use personal information. It does away with the notion of implied consent, which is generally how many businesses in Canada collect and use information for purposes, including those beyond the original purpose for the collection of the information.
Under the GDPA, companies must obtain different types of consent for different uses of the information they collect and are also required to delete the data they hold on an individual if the individual asks them to do so.
READ MORE: Federal election 2015: How data mining is changing political campaigns
Chris Vickery, director of cyber risk research at the Australian cyber-resilience firm Upguard, said changing the concept of consent in how information is collected and shared will be one of the most important considerations for any discussions around modernizing privacy protection laws.
He used the example of a charity that collects information about a donor in his explanation.
“I don’t think it’s unreasonable to expect that charity you shared the information with sends you an email and says, ‘We are planning on sharing your information with other charities that might be of interest to you, click here to opt in.’”
Requiring that kind of approach would ensure citizens have control over the information that fundamentally belongs to them.
“Nothing is done in the darkness, nothing is done under the table,” he said. “There is a paper trail and there is consent.”