Privacy watchdogs across Canada say the breach of Alberta’s voters list by a separatist group has prompted a renewed push for legislative reforms, with B.C.’s privacy commissioner pointing to his province as an example of how privacy laws should be reformed across Canada.
Alberta privacy commissioner Diane McLeod has called on the provincial government to change its private sector privacy law to give her office jurisdiction over political parties — a “concerning gap” that her counterparts say exists in their provinces and territories, as well as federally.
Only B.C.’s Personal Information Protection Act (PIPA) includes political parties as organizations that are subject to a privacy commissioner’s oversight, a fact McLeod has repeatedly raised.
In an interview, B.C. privacy commissioner Michael Harvey said the Alberta incident should serve as an opportunity to strengthen privacy laws throughout the country, including in his own province.
“I would do it today,” he said.
“My hope is that Canadians wake up and start demanding better of their governments in this regard.”
Alberta Premier Danielle Smith said earlier this month that her government will wait for the investigations by McLeod’s office, the RCMP and Elections Alberta to conclude “before commenting further and assessing whether any future legislative changes need to be considered.”
In statements to Global News, several privacy watchdogs said they have pushed the issue for years and would urge action in light of the Alberta breach.
A spokesperson for the Office of the Privacy Commissioner of Canada told Global News that federal privacy commissioner Philippe Dufresne has “long called for Canadian privacy legislation to be modernized” to protect electors’ privacy and data by including political parties, including in parliamentary testimony as recently as February this year.
A Yukon Accountability office spokesperson said it supports Dufresne’s calls to update the federal Personal Information Protection and Electronic Documents Act (PIPEDA), which applies to organizations in provinces and territories — including Yukon — where there is no equivalent private sector privacy law.
Nova Scotia privacy commissioner David Nurse said in an email that the Alberta breach “has exposed risks related to the list of electors that I had not thought of before, such as the risk to a victim of domestic violence if their address is revealed.”
“I would encourage the government, in cooperation with the Chief Electoral Officer, to review the existing laws and policies governing the use of the list of electors, and consider what we can learn from the Alberta experience,” he said.
A spokesperson for the Office of the Information and Privacy Commissioner of Prince Edward Island said the commissioner “would support any legislative changes that would help better protect the personal information of voters from unauthorized access, use or disclosure.”
The Office of the Information and Privacy Commissioner of Ontario, where there is also no provincial private sector privacy law, said it called for political parties to be covered under future legislation during consultations in 2021. The province has not passed such a law in the years since.
A spokesperson for Newfoundland and Labrador’s Office of the Information and Privacy Commissioner said it made a similar submission during a 2020 statutory review of that province’s privacy law. The change was included in the final recommendations to the legislature, which did not pass any amendments.
“As with her predecessor and other Canadian Information and Privacy Commissioners, Commissioner Kerry Hatfield remains concerned about the fact that political parties in Newfoundland and Labrador are not subject to any substantive privacy laws or oversight thereof,” the office spokesperson said.
Privacy watchdogs, which are independent from government, generally have order-making powers that can compel private organizations to take necessary steps to protect personal data.
Citizens can trigger investigations by submitting a complaint if they feel their data was used inappropriately or exposed, and can access their information from organizations under the law.
Get daily National news
Get daily Canada news delivered to your inbox so you’ll never miss the day’s top stories.
In provinces and territories other than B.C., as well as federally, the protection of voter information is subject instead to election laws that restrict the sharing of voters’ lists to elected officials, political parties and party officials. The information can only be used to solicit donations, recruit party members and communicate with electors.
A 2018 joint resolution from all 13 provincial and territorial privacy commissioners and the Office of the Privacy Commissioner of Canada urged their respective governments to pass legislation that requires political parties to comply with privacy laws and to create independent oversight for those organizations.
Both Harvey and McLeod signed the resolution in their previous roles as the privacy commissioners for Newfoundland and Labrador and Yukon, respectively.
Provinces and territories have not amended their privacy laws to include political parties as organizations.
A spokesperson for Manitoba Ombudsman Jill Perron said the office stands behind the 2018 joint resolution and encourages the government to consider a regulatory privacy compliance framework that includes political parties.
“It is important that individuals have assurances that there is a legal requirement for political parties to protect the privacy of that information,” Perron said in a statement.
A House of Commons committee report in 2018 recommended similar amendments to PIPEDA and more oversight for the OPC over political and third parties, including regular audits of their privacy practices.
Instead, the federal government passed legislation later that same year that it said would strengthen privacy protections and requirements for political parties under the Canada Elections Act, which the privacy watchdogs’ resolution warned did not go far enough.
Elections Canada noted the chief electoral officer has worked with the federal privacy commissioner to issue joint guidance to political parties on protecting voters’ personal information and has pushed to reinforce the privacy rule in federal election law.
“Elections Canada takes the privacy of electors very seriously and works continuously to keep personal information secure,” a spokesperson said.
Provincial and territorial elections agencies, however, told Global News they would support further strengthening voters’ privacy protections in legislation.
Elections Quebec spokesperson Julie St-Arnaud-Drolet said the incident “gives pause for thought and demonstrates that such transmissions can put vulnerable individuals at risk in the event of data breaches, unauthorized communications, or unregulated access.”
“We may eventually make recommendations to the legislator to provide better protection for electors,” she said.
Yukon chief electoral officer Max Harvey said in an email that “legislative recommendations may follow” from his office’s review of the territorial elections act and will consider how other jurisdictions, including Alberta, may respond.
“In the interim, lists will continue to be issued to political parties as per the legislative requirements,” he added.
New Brunswick’s chief electoral officer, Kim Poffenroth, last week called on the province to look into stronger legislation regarding what New Brunswick candidates can do with voter data.
“There are rules in legislation but there is not the same kind of robust regime in information privacy that government and Elections New Brunswick have to comply with,” she said.
Elections New Brunswick raised similar concerns in a 2025 report on electoral data privacy, where it found New Brunswick has outdated voter privacy laws. The report recommended removing vulnerable voters’ information from lists and requiring parties to provide privacy policies prior to receiving the data.
Elections agencies in Quebec, Manitoba, Saskatchewan and Yukon told Global News they are closely monitoring the situation in Alberta and would consider any recommendations that emerge from the investigations.
Harvey said B.C.’s PIPA, passed in 2004, gives his office “broad authority” to investigate all parties responsible if a similar voters’ list breach occurred in his province.
“We have the authority to investigate the political party and how they got (the voters list) and the nature of how they disclosed it,” he said. “If there was an organization (that received the list), I’d be able to investigate them too.”
Harvey added his office can also collaborate with and provide expertise to the RCMP and Elections BC in their own investigations into a privacy matter regarding political organizations.
“This is unique to British Columbia in Canada,” he said.
Harvey noted he has testified in Alberta’s ongoing PIPA review to advocate for the inclusion of political parties under the privacy law.
Lawyers for Elections Alberta have said in court that investigators determined a database of voters’ names and addresses allegedly published by a group called the Centurion Project matched a voter list provided last summer to the pro-independence Republican Party of Alberta.
They said it was unclear if a party official gave the list to the group or if it was obtained through other means.
McLeod and other watchdogs have said the publishing of voter information put various groups at risk, including intimate partner violence survivors, public officials and members of law enforcement. They say those exposures should compel legislatures to act swiftly to address the privacy law gap.
The Yukon Accountability spokesperson, however, said the circumstances of the Alberta incident has also underscored “a reality that the risk of breaches perpetuated by individuals with legitimate access to the data can never be fully mitigated.”
“Robust privacy policies and procedures, along with physical, technical and administrative safeguards, are best practices that can help prevent privacy breaches and allow organizations to respond quickly when they do occur. ”
Harvey said B.C.’s own privacy laws could be further strengthened in light of the Alberta breach, including by giving his office code-making powers and administrative penalties to force compliance.
He added specific measures for political parties, like access controls and auditing procedures, would also be valuable.
“In our democracy, our information that in the possession of political parties is of high importance and I think it needs to be protected strongly,” he said.
“What could be more important than the functioning of our democracy?”
—With files from Global’s Rebecca Lau and Anna Mandin, and The Canadian Press