We have been following the COVID-19 crisis and its impact on privacy law over the course of the past few months. It has become apparent during that time that the requirements of the pandemic and the contact tracing debate highlight the need for privacy law reform in Canada, as emphasized by Canadian federal Privacy Commissioner (“OPC”), Daniel Therrien, in a speech before the House of Commons.

In this recent appearance, Commissioner Therrien highlighted six main points as they relate to so-called “contact tracing”. These contain important lessons for organizations developing or considering the use of these types of tools:

  • Purpose limitation: personal information collected through tracing applications should be used for defined public health purposes and for no other purpose.
  • Proportionality: apps should be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective.
  • Legal basis: use should be voluntary, as this is important to ensure citizens’ trust. Use should, therefore, be consent-based, and consent must be meaningful.
  • Time-limitation: any personal information collected during this period should be destroyed when the crisis ends, and the applications de-commissioned.
  • Transparency: Privacy Impact Assessments or meaningful privacy analysis should be completed and reviewed by privacy commissioners, and a plain-language summary published proactively.
  • Accountability: governments and companies should be accountable for how personal information will be collected, used, disclosed and secured. Oversight by an independent third party, such as privacy commissioners, would enhance citizens’ trust.

Alberta’s Information and Privacy Officer (“OIPC”) has been reviewing the PIA (Privacy Impact Assessment) of Alberta Health’s “TraceTogether” app, noting the following key components that would be required to develop and use a compliant application:

  • Voluntary adoption;
  • Data minimization;
  • Decentralized data storage;
  • User control; and
  • Limiting use of data collected to COVID-19 contact tracing.

The OIPC has not completed its investigation or released any additional findings. We will be tracking this investigation along with another potentially highly influential case relating to the use of AI facial recognition technology.

Current Debate Highlights Existing Issues

Canada’s federal private sector law (“PIPEDA”) is over 15 years old. While there have been amendments since that time, most notably via the Digital Privacy Act in 2015, which made reporting data breaches mandatory, the law at its core remains mainly unchanged. It has not been updated to reflect the realities of artificial intelligence and the implications of automated decision-making, big data, and ubiquitous computing. It does not currently require or provide a framework for an acceptable “privacy by design” approach to personal information processing. The federal Privacy Act, which applies to public institutions, was drafted in the 1980’s and is, according to the OPC, even less capable of managing the requirements and meeting the challenges of our time.

Now with the spread of the COVID-19 virus, many epidemiologists, politicians and technology companies have pointed to the ubiquity of mobile phones, availability of online connectivity, and general willingness to share data with others (usually via large multinational ICT companies) as paving the way for leveraging existing tools to combat the spread of the virus.

These so-called contact tracing tools hold much promise in that they can quickly follow and pinpoint an infected person’s touchpoints with others (and those people’s contacts), which can help inform, test, isolate, and treat those impacted. In order to do that, people need to download an app onto their mobile devices and share location on a real-time basis.

In a previous article, we discussed the views of Canada’s Privacy Commissioners on the use of this technology, described in a joint statement released in May 2020. Earlier in the year, the OPC highlighted the need for the reform of PIPEDA and the Privacy Act, specifically as it related to the expansion of artificial intelligence (see our previous blog articles for more detail), relying heavily on the targeted provisions contained in the EU General Data Protection Regulation (“GDPR”) in this regard. An over-arching theme has been that Canadian privacy legislation should be seen as human rights legislation and protection of privacy as protection of a human right (see our previous blog article for more detail). From this perspective, any technology that could potentially impede or violate privacy rights must be seen as a potential threat to human rights, including those protected by the Canadian Charter of Rights and Freedoms.

Putting all these developments into context, it would appear that organizations would be well served by implementing any contact tracing applications and other impactful technologies in a way that not only satisfies PIPEDA, or other applicable Canadian privacy laws, but also meets the expectations of the privacy commissioners who oversee such use and the general public who is taking note of the privacy as a human right perspective.

If you have any questions about these or related privacy matters, please reach out to David Krebs or another member of our privacy and cybersecurity team.