In The News This Week: The GDPR vs. Canada

The EU’s Gold Standard GDPR Compels us to Reflect on the Substandard Canadian Context

After seven years in the making, the EU’s brand new data privacy legislation – the General Data Protection Regulation (GDPR) – came into effect last week. For those of us living within the EU, this legislation change was made apparent by the countless emails sent out by companies about their updated privacy policies. For us here at mPolitics, this landmark legislation change also offered the perfect opportunity to reflect on the current legislative framework in Canada, and how it compares to the new gold standard implemented by the EU.

The GDPR replaces the 1995 Data Protection Directive, and significantly strengthens a number of consumer rights. Most notably, individuals will now have substantially more power over companies, as the GDPR makes it easier to request that companies share, or delete, their personal data. Unlike Canada, these new data laws cover both politicians and political parties, and have forced political parties to send out ‘re-consent’ emails; to reconsider their use of external data sources; and to ensure appropriate data protection safeguards are in place within every single company they work with. The GDPR also scraps the £10 access request fee, and has cut down the company response time to 30 days. (The Guardian, BBC, Huffington Post UK)

On the far, opposite end of the spectrum sits Canada, where political parties are situated in a hybrid position with respect to privacy protection laws. In Canada, political parties and associations are neither regulated by the 1982 Privacy Act, which regulates government institutions, nor by PIPEDA, the federal private sector privacy legislation. Whereas privacy protection laws in the majority of other democratic countries, the United States being a noteworthy outlier in this case, regulate political parties, Canada’s regulatory framework does not. Furthermore, each of Canada’s main federal political parties maintains distinct privacy policies and a distinct voter database, all of which operate with the complete absence of an oversight authority that is authorized to audit or investigate these systems. British Columbia, however, has unilaterally taken a leadership position on this issue, as all provincial political parties are regulated by the Personal Information and Protection Act (PIPA).

Considerable research has been commissioned in this area, and the recent revelations regarding the controversial data harvesting practices undertaken by Cambridge Analytica and Aggregate IQ have prompted renewed debates on this issue. Recommendations published by the Chief Electoral Officer following the general election in 2011, titled Preventing Deceptive Communications with Electors, explicitly endorse extending the application of privacy protection principles to political parties (2012, pg. 32). Additionally, a 2016 review of the Privacy Act undertaken by the House of Commons Standing Committee on Access to Information, Privacy and Ethics contained similar recommendations. The report included recommendations to “set clear rules governing the collection and protection of personal information that is collected on the internet and through social media” (2016, pg. 27), and, to “explore extending the scope of the Privacy Act to all government institutions” (2016, pg. 60).

So, where will we go from here? I would argue that reform in this area is imminent, and it is simply a question of which political party will choose to take ownership of this issue and when. It is evident that regulatory exemptions for political parties in Canada’s privacy legislation contributes to opaque, incoherent data harvesting practices across political parties, and that our regulatory framework is noticeably out of touch with the stringent regulations imposed elsewhere. While it may not be in the strategic interest of any party to institute such reform, it is in the strategic interest of the voting public to ensure that our privacy laws adequately address the challenges posed by ‘Big Data’, micro-targeting, and the digital age.

Authored By: Emma McKay, Co-Founder & Editor, mPolitics

GDPR
Facebook’s Lulea Data Center in Sweden. Source: The Guardian

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s