The government’s treatment of political party privacy has been one of the most dispiriting digital policy stories in recent memory. Last year, it buried political party privacy provisions in Bill C-4, an “affordability measures” bill, that required far less of political parties than of virtually any other type of organization in Canada. The rules were designed primarily to shut down litigation in British Columbia that opened the door to applying the provincial privacy law to federal political parties. Bill C-4 ensured that provincial law would not apply and, for good measure, added a clause making the new rule retroactive to the year 2000. The Senate found the bill so outrageous that it sent it back to the House with a sunset clause that would give the government three years to develop something better. But the government rejected that too and rushed the bill to royal assent in a matter of hours with virtually no debate.

Two weeks later, the government introduced Bill C-25, an Elections Act reform bill that includes updated privacy provisions for political parties and which dropped just before Parliament took a holiday break. The government has framed this as delivering on its commitment to strengthen political party privacy protections. The bill does restore some elements that C-4 had stripped away from prior proposals such as security safeguards proportionate to the sensitivity of the information, breach notification to affected individuals when there is a real risk of significant harm, contractual protections when personal information is transferred to third parties, and three specific prohibitions (on providing false information about collection purposes, selling personal information, and disclosing personal information to the public to cause harm). These were all features of the earlier Bill C-65 that died in a previous Parliament or were recommended by the Privacy Commissioner of Canada.

While adding these provisions to the current bare bones framework is a positive step, the reality is that political parties still face the least onerous privacy obligations in Canada. Indeed, this is not a modernized privacy law in any meaningful sense, as the parties demand far stronger compliance measures for the private sector than they are willing to impose on themselves.

The most glaring gap is what the bill omits. There is no purpose limitation requirement, meaning the parties have no obligation to identify the purposes for which they collect personal information at or before collection. There is no consent requirement or meaningful limits on collection, use, or disclosure. There is no right of access, meaning Canadians are not legally entitled to find out what data the parties hold about them. There is no right of correction. There are no retention or disposal limits. Most of these rules have been part of Canadian privacy law for decades, and they form the core elements of fair information practices recognized by every major privacy framework worldwide. Their absence from a bill introduced in 2026 immediately flags this as an unserious attempt to fully address the issue.

The bill also fails to establish a modernized oversight system, leaving the Privacy Commissioner of Canada with no role whatsoever in the regime. The Commissioner told the Senate that political parties should be subject to rules that provide meaningful standards and independent oversight. The government ignored both recommendations. The breach notification provisions are a case in point. Bill C-25 requires parties to notify affected individuals when there is a real risk of significant harm, but there is no obligation to report breaches to any independent regulator. The Privacy Commissioner recommended that a report be made to his office within seven calendar days. The bill includes no fixed timeline for notification and no regulatory reporting at all.

The Chief Electoral Officer’s role is limited to checking whether a party’s privacy policy document contains the required elements. If a party violates its own policy, the Commissioner of Canada Elections can treat it as a violation under the Canada Elections Act and has investigative powers to pursue it. But this is a general elections enforcement mechanism, not a dedicated privacy oversight body with the expertise, complaint processes, or audit powers that the Privacy Commissioner would bring. There is no individual complaint process specific to privacy, and no body empowered to conduct privacy audits or issue compliance orders. The result is that privacy enforcement is treated as an afterthought within an elections regulatory framework rather than as a modernized, standalone regime.

Bill C-25 has another problem that is subtle but significant. The new substantive provisions, such as the security safeguards, breach notification, and the prohibitions on selling information, misleading individuals about collection purposes, and malicious public disclosure, are framed merely as required elements of a party’s privacy policy rather than as statutory obligations. The distinction matters. Under this structure, the party must include these elements in its policy and comply with it. Failure to comply with the policy constitutes a violation under the law. However, the practical effect is that enforcement depends on a two-step process: the policy must contain the provision, and then the party must be found to have breached its own policy. A direct statutory prohibition, by contrast, would apply regardless of what any particular policy says. Every other privacy statute in Canada, whether PIPEDA, the Privacy Act, or provincial legislation, imposes its core obligations directly. The choice to route these obligations through party-drafted policy documents rather than imposing them as standalone legal requirements weakens their force and creates unnecessary ambiguity about their application.

The Canadian Civil Liberties Association captured the problem in its initial response to the bill, noting that while it provides some protection against third parties who might maliciously access personal information, it fundamentally fails to impose meaningful restrictions on what parties themselves can do with the vast troves of personal information used to target digital political messaging. Meanwhile, Bill C-4’s provincial law override and the retroactive application to 2000 remain entirely untouched. The government had an opportunity to respond to the Senate’s concerns, the Privacy Commissioner’s recommendations, and the near-universal criticism from civil society and privacy experts. Instead, it offered incremental improvements to a framework that was fundamentally flawed from the start. Given a choice between genuine privacy protection for Canadians and maintaining the parties’ unfettered access to personal data, the government once again is choosing the data.

Enjoyed this post? Get every post plus the Law Bytes podcast delivered to your inbox – subscribe on Substack.