New legislation marks a step in the right direction, but accountability appears to fall short when it comes to data collected by political parties
Next year’s federal election in Canada has made security a top priority, as the country looks to modernize its electoral system and safeguard critical infrastructure to mitigate the threat of cyber-attacks and misinformation.
Putting a stamp on that commitment is the Trudeau government’s $508 million National Cyber Security Strategy.
It has so far yielded a state-of-the-art cybersecurity center and renewed policing efforts to tackle cybercrime, but has provided no motivation for political parties to take privacy seriously.
At the beginning of this month, for instance, Canada amended its federal Personal Information Protection and Electronic Documents Act (PIPEDA), adding mandatory rules for businesses to follow in the event of a data breach.
PIPEDA, much like the EU’s General Data Protection Regulation (GDPR), requires all organizations to report to the Office of the Privacy Commissioner of Canada if a security incident carries “a real risk of significant harm” to consumers. Affected individuals should also be notified, and failing to do so can result in fines of up to $100,000.
Yet with no time period given as to when companies must report a breach, and limited funding available for adequate enforcement, many have questioned whether the regulations take digital safeguards far enough.
These critics include Canadian Privacy Commissioner Daniel Therrien.
“The number and frequency of significant data breaches over the past few years have proven there’s a clear need for mandatory reporting,” he said in a statement released last week, following his call to increase his $24 million annual budget by 50%.
“Mandatory breach reporting and notification will create an incentive for organizations to take security more seriously and bring enhanced transparency and accountability to how organizations manage personal information.”
Yet despite this step in the right direction – one that, according to a survey by the Canadian Internet Registration Authority (CIRA), 38% of businesses still remain unaware of – mandated accountability appears to fall short when it comes to data collected by political parties.
“It’s entirely window dressing,” David Fraser, a privacy lawyer for McInnes law firm in Halifax, Nova Scotia, told The Daily Swig.
“There is really no meaningful limit on how political parties and their supporters can use political information, and that was at the core of what was happening in Cambridge Analytica.”
More than 600,000 Canadians are estimated to have had their data misused by Cambridge Analytica, after it was revealed that the British company was mining Facebook accounts to influence voters in the 2016 US Presidential election.
While Canadian citizens accounted for a small number of the millions affected globally by what proved to be the biggest data privacy scandal since Edward Snowden, an all-party committee was still formed to grill Facebook executives and to form policy defending the democratic process from online disinformation and data manipulation.
The Access to Information, Privacy and Ethics Committee strongly recommended that political parties should either adhere to existing privacy legislation, or create a new code of conduct.
However, this has been rejected by the Liberal government on several occasions.
“Political parties should be held to the same standard as any business,” Fraser said, explaining how Canada’s federal privacy law, enacted in 2001, did allow for individuals to request businesses to share any information which they might hold on them.
“But there doesn’t seem to be a big appetite from the government to overhaul these laws.”
Political parties are required to provide a standard privacy policy, but the government still falls short by not having to follow the same rules as businesses and other organizations across Canada.
In September, Therrien reiterated the public interest in holding government to account over its use of data.
“Canadian political parties’ lack of oversight is unfortunately becoming an exception compared to other countries, and it leaves Canadian elections open to the misuse of personal information and manipulation,” he said.
“The bottom line is that without proper data regulation, there are important risks to a fair electoral process; and this applies to the next federal election in Canada.”
A federal election is scheduled to take place next year. Michael Fenrick, an advisor to Prime Minister Justin Trudeau, has said enacting privacy laws before then will deter campaign volunteers due to the complexities of cybersecurity measures. Not all think that this is the best way to build trust with government.
“Ultimate transparency is when you can go to an organization and say what information do you have about me, and what have you done with this information?” said Fraser.