Big data and democracy: a regulator’s perspective

Michael P. McEvoy, Information and Privacy Commissioner for British Columbia, Victoria, Canada, info@oipc.bc.ca

PUBLISHED ON: 31 Dec 2019

This commentary is part of Data-driven elections, a special issue of Internet Policy Review guest-edited by Colin J. Bennett and David Lyon.

Introduction: all roads lead to Victoria, British Columbia

As the Information and Privacy Commissioner for British Columbia, I am entrusted with enforcing the province’s two pieces of privacy legislation – BC’s Freedom of Information and Protection of Privacy Act (FIPPA) and the Personal Information Protection Act (PIPA). When these laws came into force, “Big Data” was not a term in public discourse. All that of course has changed irrevocably.

In late summer 2017, I left the Office of the Information and Privacy Commissioner for BC (OIPC) to take on an assignment with the UK Information Commissioner’s Office (ICO), under the former BC Commissioner, Elizabeth Denham. I had temporarily stepped aside from my role as Deputy Commissioner at the OIPC to help lead the ICO’s investigation of how the UK’s political parties collected and used the personal information of voters (Information Commissioner's Office, United Kingdom, 2018). Their enquiry came on the heels of media reports concerning the potential misuse of data during the country’s European Union referendum (Doward, 2017). At the time, I had no idea that I would find myself standing, two years later, full circle from the world’s most notorious data breach - the Facebook/Cambridge Analytica scandal, which affected more than 80 million users worldwide (Badshah, 2018).

Soon after my arrival, I interviewed the key data strategists of the UK’s two largest parties. With their significant resources, these parties were able to gather volumes of voter data and make predictions about voting intentions. They also had the means to target specific classes of voters in pursuit of their support. Those party representatives were very nervous about sharing the mechanics of their work. This reluctance intersects with one of modern democracy’s great challenges, and it was why the ICO launched its investigation: citizens know very little about what information political parties collect about them – and how that information is being used.

The public was concerned about the opacity of political campaign systems even before the ICO began its work. But their concern was soon to grow exponentially. In early 2018, UK’s Information and Privacy Commissioner Elizabeth Denham and I met a young man in a lawyer’s office in London. He was from, of all places, Victoria, BC, and his name was Christopher Wylie.

We were the first regulator or law enforcement agency to talk with Wylie, and his story was sweeping and shocking in its breadth. Many weeks later, the rest of the world would learn the details of how Cambridge Analytica extracted psychological profiles of millions of Facebook users for the purposes of weaponising targeted political messages. Many of those revelations were reported exclusively by The Guardian journalist Carole Cadwalladr, who wrote extensively about the whistleblower beginning in March 2018 (Cadwalladr, 2018).

Suddenly the whole world was paying attention to the explosive mix of new technologies and personal information and how it was impacting political campaigns. The paired names of Cambridge Analytica and Facebook became seared on the public’s consciousness, providing a cautionary tale about what can go wrong when people’s personal information is abused in such a nefarious manner (Meredith, 2018). The Facebook/Cambridge Analytica breach has, without question, shaken the public’s confidence in our democratic political campaigning system.

It is no doubt purely coincidental that so many storylines of this scandal trace their way to Victoria, BC. Adding to the regulatory connection and the whistleblower Christopher Wylie is the Victoria-based company AggregateIQ Data Services (AIQ), which analysed the data on behalf of Cambridge Analytica’s parent company, SCL Elections. Victoria is also home to Dr. Colin Bennett. He has long been a leading global authority in pursuing the study of these matters, work that has now taken on an even greater urgency. For this reason, the OIPC teamed up with the Big Data Surveillance project coordinated by the Surveillance Studies Centre at Queen’s University, and headed by Dr David Lyon. Our office was pleased to host the workshop in April 2019 on “Data-Driven Elections: Implications and Challenges for Democratic Societies,” from which the papers in this collection originated.

Privacy regulators, along with electoral commissioners, are on the frontline of these questions about the integrity of our democratic institutions. However, in some jurisdictions, regulators have very few means to address them, especially as it concerns political parties whose appetites for the personal information of voters are seemingly insatiable. How then does a regulator convince the politicians to regulate themselves?

Home, and another Facebook/Cambridge Analytica investigation

Following the execution of the warrant on Cambridge Analytica’s office in London, I returned home to accept my appointment as BC’s fourth Information and Privacy Commissioner. However, there was no escaping the fallout of the issues I investigated in the UK and their connections to Canada.

As it turned out, the personal information of more than 600,000 Canadian Facebook users had been vacuumed up by Cambridge Analytica (Braga, 2018). But this wasn’t the only Canadian connection to the breach. After acquiring that personal information, Cambridge Analytica (CA) and its parent company SCL Elections needed a way to make the data ready for practical use for potential clients of CA. That requirement would eventually be filled by AIQ.

With a BC and a Canadian connection to this story it became clear that coordinated regulatory action would be required. The Privacy Commissioner of Canada, Daniel Therrien, and I decided to join forces to look at both the Facebook/CA breach and the activities of AIQ (OIPC news release, 2018).

This joint investigation found that Facebook did little to ensure its users’ data was properly protected. Its privacy protection programme was, as my colleague Daniel Therrien called it, an “empty shell.” We recommended, among other things, that Facebook properly audit all of the apps that were allowed to collect their users’ data (OIPC news release, 2019b). Facebook brazenly rejected our findings and recommendations, which of course underscores another huge obstacle.

How can society hold global giants like Facebook to account? Many data protection authorities, like my office, lack the enforcement tools commensurate with the challenges that these companies pose to the public interest. Moreover, my office and that of the federal commissioner have far fewer powers than those available to our European counterparts. I have order-making power, but I cannot levy fines. My federal counterpart does not even possess order-making power; he investigates in response to complaints, or on his own initiative, and he makes recommendations. The only real vehicle he has at his disposal to seek a remedy is through an unwieldy court application process, which is ongoing as I write. So one can understand why we look with some envy to the European DPAs, which now have the power to impose administrative fines of up to 20 million euros, or 4% of the company’s worldwide annual revenue.

British Columbia’s political parties and privacy regulation

Responsibility for privacy legislation in Canada is divided between the federal government and the provinces (OPC, 2018). The federal regulator, the Office of the Privacy Commissioner of Canada, has no authority to hold political parties to account. Among the provinces that have their own privacy legislation, only one has regulatory oversight over political parties: British Columbia. Given all that was going on at home and around the world concerning political parties, we decided to exercise that authority and investigate how BC’s political parties were collecting and using voter information (OIPC news release, 2019a).

To varying degrees, the province’s three main political parties expressed concerns about how BC’s private sector privacy legislation, the Personal Information Protection Act (PIPA) (BC PIPA, 2019) might impact their ability to communicate with voters. Some argued that voter participation rates were in decline, and that it was already difficult enough to reach out to voters. Anything that further impaired methods of connecting with voters, like privacy regulation, would only make the problem worse, they said. My answer was this: can anyone seriously maintain that the Facebook/CA scandal has generated an increased desire on the part of citizens to participate in the electoral process? It is only when voters trust political parties to handle their data with integrity, and in a manner consistent with privacy law, that they will feel truly confident in engaging robustly in the political campaign system.

After some initial trepidation, these political parties, each with representatives in the legislative assembly, cooperated fully with my office’s investigation. It is important to stress we did not find abuses of personal data, of the kind exhibited in the Facebook/CA scandal. Nor did we find the sophisticated level of data collection and analytics associated with heavily funded US political campaigns. We did find, however, that the parties were collecting and using a lot of information about voters and had a clear appetite to do much more. So, our work was timely, and hopefully it will result in short-circuiting the worst excesses seen in other jurisdictions.

BC’s private sector privacy legislation is principle-based, and the predominant principle is consent. Consent was therefore the lens through which we assessed the parties’ actions. By that measure, many of their practices contravened our law and many others were at least legally questionable.

Like in many jurisdictions, BC’s political parties are entitled by law to receive a voters’ list of names and addresses from the Chief Electoral Officer (Elections BC, 2019). This information forms the basic building block upon which parties compile comprehensive voter profiles. We found what parties add to the voters’ list is sometimes done with consent, but in many cases, without. Door-to-door canvassing, the oldest and most basic method of gathering voter intelligence, is an example of this two-sided coin. The transparent element of this contact occurs when a voter voluntarily expresses support and provides a phone number or email for contact purposes. During the same visit, however, the canvasser might record, without permission, the voter’s ethnicity (or at least the canvasser’s best guess about the voter’s ethnicity). We found many instances of this type of information being downloaded in a party’s database.

We also found that parties used voter contact information in a way that was well beyond the voter’s expectation. The voter could expect to be called or emailed to be reminded to vote on election day. They would not expect, and did not consent to the party disclosing their personal information to Facebook. There is little question that Facebook has become the newest and best friend to almost all political parties. The company offers a rich gateway to parties to reach their supporters and potential supporters.

The problem is that neither the parties nor Facebook do very much to explain this to voters.

It starts with the fact that many, if not most, voters are Facebook users. The parties disclose their voters’ contact information to Facebook in the hope of matching them with their Facebook profiles. If successful, Facebook offers the party two valuable things. The first is the ability to advertise to these individuals in their Facebook newsfeed. Facebook gains revenue from this and is impliedly provided the opportunity to understand the political leanings of their users. The second use for matched voters contact information is Facebook’s analysis of the uploaded profiles to find common characteristics among them. When complete, it offers the party, for a price, the opportunity to advertise to these other Facebook users who “look like” the party’s supporters. This tool, which is also used by commercial businesses, provides an extremely effective means for political campaigns to reach an audience of potentially persuadable voters.

Reduced to its basics, what many parties do is gather voters’ contact information supposedly for direct communication purposes but instead disclose it to a social media giant for advertising and analytic purposes. It would understate things to say that these interactions with voters lack transparency.

All kinds of other data are also added and combined with basic voter information. Postal zone demographics and polling research for example are commonly deployed as parties attempt to attribute characteristics to voters with a view to targeting those they judge to be likely supporters. Most parties “score” voters on the likelihood of support.

Whether using these data sources to score voters is permitted by privacy law is a matter likely to be tested in the near future. What is clear, however, is that parties should be far more transparent about their actions, for no other reason than voters have a right to know what information parties have about them.

Political parties in BC and the UK have been slow to the realisation of this obligation. Parties in both jurisdictions told me that prediction data about a voter, for example their “persuadability score” was not, in fact, their personal information. In another instance, I was told that this score was a commercial secret that could be withheld from a voter. Such a stance does not breed public confidence and is contrary to privacy law in BC and most other jurisdictions.

What then does the future hold? Even the most cursory reflection on this question suggests the answers will come from multiple places. For my office, the first and most obvious ally in protecting the public interest is the province’s Chief Electoral Officer. He is not only the keeper of the voter list, he also tackles other immeasurably complex matters like election interference and disinformation campaigns. The need for us to work together is critical.

We have already embarked on a joint venture to develop a code of conduct for political parties which we hope BC political parties will adopt. Unlike the UK, which has a mechanism for the imposition of such codes, political parties in BC will have to voluntarily sign on. The benefit to parties is that everyone ends up playing by the same set of well-understood standards. It also means the public will have far greater confidence in their interactions with the parties, which hopefully will result in a far more robust campaign system. Thus far, the parties have accepted my investigation report’s recommendations and are working cooperatively with me and with the BC Chief Electoral Officer on developing the code.

The investigation into AIQ

Facebook is but one company political campaigns turn to. Of course, it is far from the only one. This brings us back to Victoria, BC, home base for AIQ (AggregateIQ, 2019). Among other things, AIQ developed “Project Ripon,” the architecture designed to make usable all of the data ingested by Cambridge Analytica. AIQ justified the non-consensual targeting of US voters on the basis that its American clients who collected the personal information at first instance had no legal obligation to seek consent.

My joint report on AIQ with the Office of the Privacy Commissioner of Canada (McEvoy & Therrien, 2019) determined that this was no legal answer. The fact is, they were a Canadian company operating in BC and were obligated to comply with BC law. This meant that AIQ had to exercise due diligence in seeking assurance from their clients that consent was employed to collect the personal information they intended to use. They obviously didn’t.

Subsequent events also undermined AIQ’s claim that the US data they worked with was lawfully obtained. The Federal Trade Commission found in late 2019 that Cambridge Analytica, working with app developer Aleksandr Kogan, deceived users by telling them they would not collect their personal information (Agreement Containing Consent Order as to Respondent Aleksandr Kogan, 2019). The message to Canadian companies operating globally is that they must observe the rules in the places that they work in and those of their home territory.

In the end, AIQ agreed to follow the recommendations of our joint report, cleaning up its practices to ensure, going forward, that they secure consent for the personal information used in client projects as well as improving security measures for safeguarding that information.

Conclusion

In the two years that have taken me from Victoria to the UK and back, the privacy landscape has changed dramatically. The public’s understanding of the privacy challenges we face as a society has been seismically altered. In the past, it was not uncommon for people to ask me at events, “Maybe I share a bit too much of my information on Facebook, but what could possibly go wrong with that?” Facebook/Cambridge Analytica graphically demonstrated exactly what could go wrong. The idea that enormous numbers of people could be psychologically profiled for the purposes of political message targeting without their knowledge shocked people. The CanTrust Index (CanTrust Index, 2019) that tracks trust sentiment of major brands with Canadians found that Facebook’s reputation took a sharp nosedive with Canadians between 2017 and 2019, according to their most recent survey. In 2017, 51 per cent of Canadians trusted Facebook. Today, just 28 per cent say the same.

The underpinnings of the entire economic model now driving the internet and its social media platforms have been put on full public display. While few people can describe the detailed workings of real time bidding or a cookie’s inner mechanics, most comprehend that their daily activities across the web are tracked in meticulous detail.

While public awareness and concern have shifted markedly, action by legislators to address those concerns has in many jurisdictions tried to keep in step. It is true that the General Data Protection Regulation has set a new standard in Europe but even there, the more exacting ePrivacy Regulation has stalled (Bannerman, 2019). Canadian legislators have tried to be proactive in responding to privacy’s changing landscape. However, the Privacy Commissioner of Canada, as noted, is without direct order-making power. Neither of our offices have the authority to issue administrative penalties. It is little wonder citizens are left to ask “Who has my back?” when organisations violate data protection laws.

The road to reform will not be an easy one. There is considerable bureaucratic and corporate resistance to a stronger regulatory regime. Working together, regulators, academics, and civil society must continue to urge for legislative reform. Our efforts are strongly supported by public sentiment. The OPC’s 2019 survey on privacy (OPC, 2019) revealed that a substantial number of Canadians would be far more willing to transact with a business that was under an enhanced regulatory regime that included financial penalties for wrongdoers. That should be a signal to organisations, including political parties, that data protection is good for their business and that they too should support strengthened regulatory frameworks.

References

AggregateIQ. (2019, December 18). Discover what we can do for you. Retrieved from https://aggregateiq.com/

Badshah, N. (2018, April 8). Facebook to contact 87 million users affected by data breach. The Guardian. Retrieved from https://www.theguardian.com/technology/2018/apr/08/facebook-to-contact-the-87-million-users-affected-by-data-breach

Bannerman, N. (2019, November 26). EU countries fail to agree on OTT ePrivacy regulation. Capacity Media. Retrieved from https://www.capacitymedia.com/articles/3824568/eu-countries-fail-to-agree-on-ott-eprivacy-regulation

British Columbia, Personal Information Protection Act (PIPA). (2019, November 27). Retrieved from http://www.bclaws.ca/civix/document/id/complete/statreg/03063_01

Braga, M. (2018, April 4). Facebook says more than 600,000 Canadians may have had data shared with Cambridge Analytica. CBC News. Retrieved from https://www.cbc.ca/news/technology/facebook-cambridge-analytica-600-thousand-canadians-1.4605097

Cadwalladr, C. (2018, March 17). ‘I made Steve Bannon’s psychological warfare tool’: meet the data war whistleblower. The Guardian. Retrieved from https://www.theguardian.com/news/2018/mar/17/data-war-whistleblower-christopher-wylie-faceook-nix-bannon-trump

CanTrust Index. (2019, April 25). Retrieved from https://www.getproof.com/thinking/the-proof-cantrust-index/

Doward, J. (2017, March 4). Watchdog to launch inquiry into misuse of data in politics. The Guardian. Retrieved from https://www.theguardian.com/technology/2017/mar/04/cambridge-analytics-data-brexit-trump

Elections BC. (2019). What we do. Retrieved from https://elections.bc.ca/about/what-we-do/

Information Commissioner's Office (ICO). (2018, November 6). Investigation into the use of data analytics in political campaigns [Report]. London: Information Commissioner’s Office. Retrieved from https://ico.org.uk/media/action-weve-taken/2260271/investigation-into-the-use-of-data-analytics-in-political-campaigns-final-20181105.pdf

McEvoy, M., & Therrien, D. (2019c). AggregateIQ Data Services Ltd [Investigation Report No. P19-03 PIPEDA-035913]. Victoria; Gatineau: Office of the Information & Privacy Commissioner for British Columbia; Office of the Privacy Commissioner of Canada. Retrieved from https://www.oipc.bc.ca/investigation-reports/2363

Meredith, S. (2018, April 10). Facebook-Cambridge Analytica: A timeline of the data hijacking scandal. CNBC. Retrieved from https://www.cnbc.com/2018/04/10/facebook-cambridge-analytica-a-timeline-of-the-data-hijacking-scandal.html

Office of Information and Privacy Commissioner for BC (OIPC). (2018, April 5). BC, federal commissioners initiate joint investigations into Aggregate IQ, Facebook [News release]. Retrieved from https://www.oipc.bc.ca/news-releases/2144

Office of Information and Privacy Commissioner for BC (OIPC) (2019a, February 6). BC Political Parties aren’t doing enough to explain how much personal information they collect and why [News release]. Retrieved from https://www.oipc.bc.ca/news-releases/2279

Office of Information and Privacy Commissioner for BC (OIPC) (2019b, April 25). Facebook refuses to address serious privacy deficiencies despite public apologies for breach of trust [News release]. Retrieved from https://www.oipc.bc.ca/news-releases/2308

Office of the Privacy Commissioner of Canada (OPC). (2018, January 1) Summary of privacy laws in Canada. Retrieved from https://www.priv.gc.ca/en/privacy-topics/privacy-laws-in-canada/02_05_d_15/

Office of the Privacy Commissioner of Canada (OPC) (2019, May 9) 2018-19 Survey of Canadians on Privacy [Report No. POR 055-18]. Retrieved from https://www.priv.gc.ca/en/opc-actions-and-decisions/research/explore-privacy-research/2019/por_2019_ca/

United States, Federal Trade Commission (FTC). (2019). Agreement Containing Consent Order as to Respondent Aleksandr Kogan. Retrieved from https://www.ftc.gov/system/files/documents/cases/182_3106_kogan_do.pdf

 
