Nothing restores confidence in a surveillance bill quite like the government telling everyone to shut up about it.
The government is no doubt really upset that I’m talking about this. So, naturally, that means I’ll be happy to talk about this. Back in March, the Mark Carney Liberal government was pushing, and ultimately passed, legislation that would make political parties immune from all of those pesky provincial privacy laws. Why? Because fuck you, that’s why. Well, that and that whole litigation to stop the collusion of Liberals and Conservatives undermining everyone’s privacy thing. That also kind of played a role in that as well.
So, while the political parties are more or less free to pillage everyone’s personal information, the legislation that granted legal immunity to political parties didn’t go unnoticed. The Canadian Senate did try to implement a sunset clause to Bill C-4’s political party surveillance program, but the Mark Carney Liberal government vetoed the sunset clause and rushed it through to Royal Assent. This, in part, so the major political parties can get to feasting on all of that data broker dubiously obtained personal information without worry that they would be subject to a whole lot of oversight.
Still, the controversy surrounding this whole ridiculous affair did cause the government to catch flack. How much? Apparently enough for the government to table Bill C-25 – a so-called “elections” bill. Naturally, the reforms were buried well into the bill. From what I could find in the bill, the legislation would carve out some exceptions to the rule that federal political parties can largely do whatever the heck they want with people’s personal information. This is what I was able to find at least:
36 (1) Section 446.6 of the Act is amended by striking out “and” at the end of paragraph (d), by
adding “and” at the end of paragraph (e) and by adding the following after paragraph (e):(f) require the party to protect the personal information that is under its control through physical, organizational and technological security safeguards with a level of protection proportionate to the sensitivity of the personal information;
(g) require the party to take appropriate steps in the case of the loss of, unauthorized access to or unauthorized disclosure of personal information that is under its control as a result of a breach of its security safe-
guards, including by, as soon as feasible, informing the individual whose personal information has been lost, accessed or disclosed if it is reasonable in the circumstances to believe the breach creates a real risk of significant harm to the individual;(h) require the party to ensure, by contract or otherwise, that any person or entity to which it transfers personal information provides a level of protection of the personal information equivalent to that which the party is required to provide under the policy;
(i) require the privacy officer or their delegate to attend at least one meeting per calendar year relating to the protection of personal information held by the Chief Electoral Officer; and
(j) prohibit the party, as well as any person or entity acting on the party’s behalf, including the party’s candidates, electoral district associations, officers, agents, employees, volunteers and representatives, from
(i) providing false or misleading information to individuals about the purposes for which the party collects personal information,
(ii) selling personal information under the party’s control, or
(iii) disclosing personal information under the party’s control to the public for the purpose of causing harm.
Basically, if the unauthorized disclosure means that said disclosure is about to result in you getting killed, then, yeah, political parties will go ahead and give you the heads up that they might have had a little whoopsie with your personal information. This while saying that political parties can’t take your personal information and just willy nilly sell it on the dark web for a handsome profit because that kind of thing would be frowned upon. I know, what a bunch of party poopers!
For reasons that should be extremely obvious, these half-hearted measures weren’t good enough for experts. Last month, university law professor, Michael Geist, had this to say about it:
While adding these provisions to the current bare bones framework is a positive step, the reality is that political parties still face the least onerous privacy obligations in Canada. Indeed, this is not a modernized privacy law in any meaningful sense, as the parties demand far stronger compliance measures for the private sector than they are willing to impose on themselves.
The most glaring gap is what the bill omits. There is no purpose limitation requirement, meaning the parties have no obligation to identify the purposes for which they collect personal information at or before collection. There is no consent requirement or meaningful limits on collection, use, or disclosure. There is no right of access, meaning Canadians are not legally entitled to find out what data the parties hold about them. There is no right of correction. There are no retention or disposal limits. Most of these rules have been part of Canadian privacy law for decades, and they form the core elements of fair information practices recognized by every major privacy framework worldwide. Their absence from a bill introduced in 2026 immediately flags this as an unserious attempt to fully address the issue.
The bill also fails to establish a modernized oversight system, leaving the Privacy Commissioner of Canada with no role whatsoever in the regime. The Commissioner told the Senate that political parties should be subject to rules that provide meaningful standards and independent oversight. The government ignored both recommendations. The breach notification provisions are a case in point. Bill C-25 requires parties to notify affected individuals when there is a real risk of significant harm, but there is no obligation to report breaches to any independent regulator. The Privacy Commissioner recommended that a report be made to his office within seven calendar days. The bill includes no fixed timeline for notification and no regulatory reporting at all.
The Chief Electoral Officer’s role is limited to checking whether a party’s privacy policy document contains the required elements. If a party violates its own policy, the Commissioner of Canada Elections can treat it as a violation under the Canada Elections Act and has investigative powers to pursue it. But this is a general elections enforcement mechanism, not a dedicated privacy oversight body with the expertise, complaint processes, or audit powers that the Privacy Commissioner would bring. There is no individual complaint process specific to privacy, and no body empowered to conduct privacy audits or issue compliance orders. The result is that privacy enforcement is treated as an afterthought within an elections regulatory framework rather than as a modernized, standalone regime.
As is apparently the case, the Canadian government agrees there is a problem with all of this. That problem is the fact that people are talking about it at all. Apparently, the Carney Liberal government largely shut down debate surrounding this bill and limited study to a mere three meetings. From Michael Geist:
The first sign came from the second reading debate on April 24th, the last before the bill went to committee. Government MPs never raised the privacy provisions. Conservative and Bloc speakers were largely silent as well, with one notable exception. David Bexte, a Conservative MP from Bow River, included political party privacy in a list of concerns near the end of his speech, pointing to Rocky’s Bakery in Strathmore as a comparator. He noted that when a customer provides a credit card at his local bakery, a full set of privacy laws kicks in to protect that data. Political parties collect vastly more data on Canadians, including political views, demographic profiles, and behavioural data used for micro-targeting, yet operate outside any equivalent oversight. His obvious conclusion was that “we need real oversight of political party data by the Privacy Commissioner.”
The second sign comes from the Procedure and House Affairs Committee’s study schedule of Bill C-25, which suggests there is little appetite for genuinely revisiting the privacy questions. In fact, there is little interest in studying any aspect of the bill, which includes a complete overhaul of foreign interference rules, deepfake offences, third party financing reforms, expanded administrative monetary penalties, new investigative powers for the Commissioner of Canada Elections, the longest ballot reforms, and the political party privacy framework. The committee has set just three meetings on the bill, one with the minister and officials on May 5 and two with witnesses on May 7 and May 26, with clause-by-clause consideration to follow on May 28. The deadline for witness submissions is today at noon, leaving outside experts roughly a day’s notice to prepare and submit briefs. When the Finance Committee studied Bill C-4 last fall, it refused to hear a single witness on the privacy provisions despite briefs from the Privacy Commissioner of Canada and the Commissioner of Canada Elections, limiting its consideration of the entire privacy section to a thirty-second description from a government official. It looks like the PROC committee may be headed in much the same direction.
None of this reflects the views of those who actually work in privacy law. I participated this week in an Osler AccessPrivacy debate on political party privacy with Adam Kardash and Colin Bennett, and the conversation reinforced what has been evident since the Bill C-4 hearings, namely that the Canadian privacy community can find no rationale for treating Canadians’ privacy interests with respect to political parties so differently from how their privacy is treated in nearly every other context. Privacy commissioners, civil liberties organizations, academic experts, and the Commissioner of Canada Elections have all concluded that the present framework does not provide meaningful privacy protection. Only the political parties themselves seem to disagree.
Taken together, the two signs from the past two weeks tell Canadians how this will play out. The House debate generated almost no engagement and the committee’s compressed study schedule leaves little room for serious privacy review. The pattern from Bill C-4 is being repeated once again as both the government and the opposition bet that few Canadians will pay attention to the embarrassingly weak privacy rules and the efforts to short-circuit expert witnesses and public debate.
It’s ridiculous, though not unprecedented, that the government is trying to shut down debate on a bill it really doesn’t want to talk about. Indeed, when Bill C-11 was making its way through the legislative process, the Canadian government did everything to shut down debate as much as possible because they really really didn’t want Canadian’s talking about how Canadian content creators were facing massive censorship on their own platforms thanks to this bill. This isn’t the only other example out there, but it does further highlight the problem of the Canadian government pushing deeply unpopular bills and shutting down all debate so things don’t get too uncomfortable for them in their efforts to screw over Canadians.
It’s a frustrating thing to witness, but one I have grown all too familiar with over the years. Precious little is improving and the government is pushing to stop people from debating something rather important. All of this because they are embarrassed by the very things they are trying to implement into law.
Drew Wilson on Mastodon, Bluesky and Facebook.
Discover more from Freezenet.ca
Subscribe to get the latest posts sent to your email.
