Skip to main content
back to forum topic

Canada's internet privacy legislation is quite toothless. What can CIRA do with respect to domestic privacy legislation and with companies who sell products requiring accepting relinguishing personal privacy before being able to signon/login to have access to product features, and who offer as the only alternative to cancel one's account (and hence access to product features) crippling the product; with privacy information being erased maybe month(s) later? Further, if you read most company's privacy policies plan on spending several hours just to scratch the surface. Few companies using the internet have a simple privacy policy. Two examples of relinquishing privacy are - FitBit where most of the marketed features are internet based (personally pursued the privacy policy with both with FitBit and the Office of the Privacy Commissioner); - Google Android which requires signing away rights before even seeing the operating system/apps of the device purchased; though the practice pervades the internet. Please outline specific action plan(s), not just a general acknowledgment of the issue.

The government of Canada has released a Digital Charter containing 10 principles supporting digital privacy and other data rights. As a stakeholder in the digital rights domain, CIRA should provide input into changes to the Personal Information Protection and Electronic Documents Act (PIPEDA) to support the principles in the Digital Charter. - Liza Aboud


Canada's Digital Charter is a great step towards enhancing internet privacy legislation. The document has no legal status, but clearly acts as a framework that will drive changes to laws affected by it.

CIRA can participate by influencing and shaping the direction that implementation of the Charter will take. However, there needs to be a balance between government controls and the stewardship approach in order to maintain a thriving data economy that is built on trust. To quote CIRA’s CEO, “We believe regulating the internet should always be handled with a light touch and an eye towards maintaining Canada’s position as a global leader online. We look forward to working with the federal government to advance this initiative.”

In terms of an action plan, clearly CIRA has already committed to working with the government at the outset. It must continue to involve itself in the process as the Digital Charter and its supporting measures are implemented.

There’s no question that privacy and surveillance are two of the most important issues for Canadians right now, and will continue to be issues for many years to come. 

The challenge for CIRA is how do we bring a greater understanding of these complex issues to the Canadian public, and yet keep our action focused in ways that stay within CIRA’s Mandate (see other campaign forum conversation).  

CIRA is already an “influencer'' on many issues about the Canadian Internet, including the  concerns you raise about privacy and surveillance. Examples of CIRAs leadership in the last year include 1) The invitation to Dr. Kevorkian to speak at the 2019 AGM and 2) CIRA’s decision to join the Facebook Advertising boycott last summer. CIRA has also published several good blog posts on these topics and has a strong privacy policy found on the website.

However, there’s an important gap that’s still unresolved in CIRA’s privacy policy. Specifically, the way CIRA manages membership contact information during the annual election cycle. 

If elected, I commit to bringing up the issue of clarifying the rules around how board candidates use the CIRA membership list to contact members electronically during an CIRA election. 

In past elections, some candidates have used the CIRA membership list to contact members electronically as part of their campaigns with no restrictions on the data other than a somewhat obscure rule found in the Canada Not-For-Profits Act. This year CIRA finally acknowledged the practice and identified the applicable legislation that enables this practice (Section 23 of the Canada Not-For-Profit Corporations Act). This is a definitely a step forward, but it is not sufficient to close the gap between the privacy protection found, or not found, in the general legislation versus the details of the privacy protections found in CIRA's privacy policy.

Specific changes I feel would improve members privacy protection include adding better rules around the use of this data (for instance limiting the time of use of the data to an active election cycle), as well as adding an opt-in vs opt-out option for members (with a default of opt-out). There are unresolved legal and membership questions that need to be addressed. If elected, I will champion a discussion about how to bring better membership privacy protection in a transparent way. 

This is not just an issue about CIRA. It affects all Not-For-Profit corporations in Canada.

I look forward to hearing more thoughts from members and candidates about this important issue.  

Reference Links:

CIRA Privacy Policy

CIRA Members Information: Important to Know

CIRA Facebook Advertising Boycott


HI David.  Ryan Black here: nomination committee candidate and current Board member and Chair, Governance, at CIRA. 

Your points about security of member data during the election cycle are very timely and raise the right issues.  I do want to assure you and the CIRA members that CIRA (and myself, as a member of its Board of Directors) takes its member data privacy seriously and constantly seeks to improve its practices; that said, the Canada Not-For-Profits Corporations Act is what it is, and members are allowed to access member lists for campaigning purposes under that legislation.  I believe the true problem here rests in antiquated (ironic, given how new it is) legislation that didn't properly consider privacy and anti-spam considerations when mandating corporate disclosure.

I'm so glad that the membership is alive to this issue, though, as are the candidates: because I can tell you... it's a live issue that you're right affects ALL NFP Corps and not just CIRA.

Hi folks - Thanks for the question, Election Admin (or whomever through them asked it!)  - Ryan Black here: nomination committee candidate and current Board member and Chair, Governance, at CIRA. 

I have to be honest, if you look at the other responses given by the candidates here, they're very clear and there isn't much more to say.  CIRA is a non-governmental non-profit, and IS, in fact, a stakeholder involved in many different initiatives.  The Digital Charter starts to scratch the surface, but CIRA's primary role is to be a steward of .CA and to foster a better Internet for Canadians, and when you compare the budget CIRA has against some of the governmental initiatives on cybersecurity and privacy, you start to realize that CIRA really has to pick its battles and focus its energies where it can get the best bang for its effort.  In that regard, thought leadership is key and I'm very proud of the thought leadership demonstrated by CIRA in this area, including education about why Canadian IXPs matter, why privacy matters, how data flows across Canada, and the like.

See more here:

I am the member candidate from Newfoundland and Labrador, and I agree that Canadian IXPs matter.  I am curious if you know why Newfoundland and Labrador is not on the map...quite literally, as can be seen here:

I assume that we should be included in the Atlantic IXP, but there is no indication that this is the case.  As a current board member, can you shed any light on this?


Hi Ryan, 

Thanks for the quick response. 

CIRA is definitely THE leading organization in Canada championing education and best practices for how to use technology on the Internet. It’s not surprising, given the nature of our community, that innovative communication strategies are used during board elections. My experience tells me that innovation often requires multiple iterations before the best solution shines through. 

I’m happy to hear your reassurance and acknowledgement that my analysis is on the right path. To be honest, I already have great confidence that CIRA will eventually end up with the right solution AND that we will then be in a position to help other NFP companies in Canada. That’s the leadership expected of CIRA. That’s what we will do. 

Although the issue of privacy was raised in this particular thread, I feel there's an additional question about how the membership list might be used to support a broader digital marketing campaign, possibly involving paid advertising. I don’t want to hijack this thread on privacy, so maybe I’ll start another thread on that topic later. 

I hope to have a chance to work with you as a fellow board member on the challenges of good governance in the modern age of digital marketing. Regardless of the results of my personal campaign, I feel there’s an opportunity for the board to open the lines of communication with the membership community, beyond the limited time we have while the Campaign Forum is open. The potential of using the membership community to further the goals of CIRA is an under-utilized asset, in my opinion. Alas, that’s different conversation thread too. :-)

Good luck with your campaign! 


The theme of the Digital Charter is definitely on point!    As the discussion topic requests a specific action plan, I will respond in this manner.   I have observed other Boards dealing with this type of issue by adopting a "comply or explain" approach.   CIRA's action plan can turn the 10 principles contained within the Charter into a roadmap for which progress is measured on a regular basis, either annually or more frequently is desired. 

CIRA will then be able to demonstrate its strength of support and leadership in the advancing of privacy legislation.

Jennifer Sondergaard

To gain access to many of the popular applications on the Internet today requires us to give up a lot of personal information as you point out in your question.  The key issue is what companies can or cannot do with that information.  The European Union has taken a leading role in this area with the GDPR.  Canada has a similar model known as PIPEDA.  A comparison can be found at

The EU GDPR is more stringent than Canada and perhaps there is something there that we can learn from to inform our future policy direction.  In the CIRA Mandate forum question ( I stated that I feel CIRA should take a more active role in the policy discussions that impact the Internet in Canada.  While CIRA is a contributor, I feel that it can become an Influencer.  Ultimately Parliament writes the law, but CIRA can certainly become more opinionated in shaping the laws moving forward.

While CIRA is an important voice for privacy regulations in Canada, its own website remains proof that there is lots of work to be done, also in CIRA's side.

As annoying as the "cookie warning" on websites have become to most of us, most websites now allow choices as to which cookies are permitted. Some even allow a complete opt-out of cookie tracking. CIRA's website only features an "OK" button, basically telling you to leave the site (or block JavaScript and cookies) if you don't want to be tracked.

Here are some of the third party trackers CIRA currently uses on their website:

* Google Analytics/Conversion tracking/Tag Manager/Google Font API

* Active Campaign

* Informz

* LinkedIn Insights

* DoubleClick Floodlight

* Twitter JS library

* Mailchimp

* Cloudflare

* Amazon S3 CDN

Even though it seems obsessive, it often is common practice. I wanted to use this as an example to illustrate the lack of privacy while you are on the CIRA (and many other) website(s).


While you state that "CIRA is an important voice for privacy regulations in Canada" I still have no answer to my question - What polices have been developed in that regard and has CIRA promoted any change in government policy, regulation or legislation – other than blog posts?  

We are all internet evangelists, knowing the importance of the internet to our economic and social prosperity, even more so in COVID times.  That is given and well established.  Now we need to know what has be done. 

Alex, I'm glad you're participating in this discuss as well. I'm curious to hear what you think CIRA (with you on the board) has done for privacy regulation and what it should be doing in a way that suits its role.

In my eyes CIRA is playing the role it should be playing as a public voice and advisor. I believe this goes beyond blog posts, but extends into talking to the media and particpating in public consultations, which CIRA is doing.

The other item that could potentially be added into the mix, is more advice for businesses and individuals to provide and create privacy. This would include revisiting the amount of trackers on the CIRA website etc. A change would be a good reason for a blog post and press release ;-)

This "discussion" not "discuss" I wish there were a 5 minute edit period.I better not re-read the rest, I mgiht find more typos.

As the member who raised the question of CIRA's involvement in privacy legislation, other than commenting that even CIRA was not immune to using hidden identification within its anonymous link "Ask your question" (probably to prevent one member from repetitively up-voting a question?) was concerned that the public internet was increasingly being subverted to for-profit interests (to some extent supported by CIRA) prejudicing the vast public user base.

Two examples are
- the licensing, particularly of operating systems, which require relinquishing diverse personal rights to for-profit interests unrelated to copyright interests in the software;
- the use of tracking cookies and ip addresses to collect marketing information not immediately related to the use of the website [cf. in 2009 my bank anonymously placed a market tracking cookie on my computer with every login to online banking until confronted with the action and subsequently removing the practice; even my religious denomination finds it necessary to do market tracking!] - despite assurances, it does not take much to connect a tracking cookie/ip address with an individual once the information is within a database.

While CIRA is primarily the registration authority for the .ca domain and quite probably most of its membership are non-personal and unfortunately therefore its focus, most users of the internet are personal and, other than what was referred to as presently toothless privacy legislation, have little voice to protect legitimate interests.

My concern was not with candidate access to my membership e-mail address to raise question/motion(s) relating to the internal affairs of CIRA as questioned by several of the respondents.  Election to the board is not a carte blanche, and without a defined process how else might the membership be involved?