Voter Data and the Impact of Privacy Legislation Gaps on Cybersecurity of Elections

In Canada, there are both legislative gaps and ambiguity around the privacy obligations of political parties with respect to voter data. Despite the highly sensitive nature of political preferences, political parties have been largely exempt from formal obligations to protect personal information. Privacy legislation requires that entities adhere to fair information principles, which require notice and consent and limit the use, storage, and disclosure of personal information. However, Canadian political parties are not covered by the two main privacy statutes. Political parties are explicitly excluded from the Privacy Act, which regulates the public sector, and have been treated as exempt from PIPEDA, which regulates the private sector. Two recent bills by the federal government and Quebec have been proposed to strengthen the political parties’ privacy obligations, but lack clear minimal standards and enforcement mechanisms. This paper analyses the voter data privacy framework and identifies legislative gaps with respect to political parties. It explains how weak privacy law supports the lax marketing of voter data and permits voter data to be transferred to foreign actors. It argues that the privacy gaps raise cybersecurity risks for Canadian elections.

The slides of the presentation are also available here.

About the speaker

Dr. Elizabeth F. Judge is Professor of Law and a member of the Centre for Law, Technology and Society at the Faculty of Law at the University of Ottawa. She specializes in intersections of law, technology, and policy.