Teresa Scassa - Blog

Teresa Scassa

Teresa Scassa

Monday, 10 August 2020 08:58

How Will COVID Alert Measure Up?

 

Canada’s new exposure notification app – COVID Alert has launched in Ontario. This shifts the focus from whether to adopt an app and what type to how we will know if the app is a success.

COVID Alert is built upon the Google Apple Exposure Notification System (GAEN) which is a completely decentralized model. This means that none of the proximity data collected via the app is shared with public authorities. GAEN apps must be entirely voluntary. Users choose whether to download the app and whether to upload positive test results for COVID-19. If a user is notified that they have been in proximity to someone who has tested positive for COVID-19 the app will advise what steps to take – but it will be up to the user to take those steps. Although there are privacy risks with any app (and here, they would be predominantly ones related to security and the possibility of malicious attacks), this could be the app on most users’ phones that collects the least personal data. COVID Alert has been vetted by the Privacy Commissioner of Canada and by Ontario’s Privacy Commissioner. It will also be reviewed by privacy commissioners in those provinces that choose to deploy it.

All of this is good news. As we start returning to workplaces, bars, restaurants and public transit, our daily lives will involve more and more moments of proximity with strangers. If nearly everyone is using COVID Alert – and if COVID Alert actually works the way it should – then it should help alert us to potential exposure to COVID-19 so that we can take steps to get tested and/or to isolate ourselves from those we might harm.

Although it is likely to be useful, authorities are quick to point out it is only one tool among many. This is because there is much that is unknown about the actual performance of GAEN exposure notification apps. Such apps have only recently been launched in other countries. The threshold for recording a proximity event is one issue. For COVID Alert, a proximity event is recorded when two app users are within 2 metres of each other for 15 minutes or more. An EU guidance document describes this as “a starting point for the definition of a high-risk exposure contact”, but also indicates that “evaluation and calibration will be key to define the optimal time-and distance settings that adequately capture people at risk of infection.” The apps cannot detect whether people are separated by plexiglass or wearing masks or face shields, and may not function as well when phones are in purses or backpacks. These factors may impact the accuracy of the apps. People may receive exposure notifications due to contacts that are very unlikely to result in infection (on opposite sides of plexiglass, for example) but will experience stress and disruption (perhaps having to miss work while waiting for test results) as a result. These inconveniences might be disproportionately experienced by those whose work demands that they interact with the public or ride transit, and there may be problematic sociodemographic impacts as a result. On the other hand, for those who have to be out and about, the app may provide some level of comfort. There is much that we do not yet know, but that we need to learn. Noting some of the uncertainties around these types of apps, the Privacy Commissioner has recommended “that the government closely monitor and evaluate the app’s effectiveness once it is used, and decommission it if effectiveness cannot be demonstrated.”

One way to learn about the app and its impacts is to gather data and develop metrics to assess its performance. The highly decentralized GAEN model makes this more challenging, since no data is shared with governments via the app. The number of downloads can reveal how many people are willing to try the app. But it does not do much more than that. Useful data would include data about how many people who get tested do so because they received an app notification. It would be interesting to be able to correlate this data with positive or negative test results. In other words, what percentage of people who are prompted to get tested by the app actually test positive for COVID-19? It would also be useful to know how many of the people who receive exposure notifications are also separately contacted by contact tracers. Does the app amplify the reach of conventional contact tracing or does it largely duplicate it? Jurisdictions such as Australia, which has a centralized model, are beginning to collect and analyze such data. Alberta’s contact tracing app uses a centralized system and it might be particularly interesting to compare the domestic performance of a centralized app with the decentralized one. And, while the GAEN is fully decentralized, it does allow for additional data to be collected, with user consent, so long as this is separate from the exposure notification system. The Irish app, built on GAEN, has a voluntary user survey which allows consenting users to share data about the performance of the app. As provinces begin to deploy COVID Alert, both they and the federal government should be thinking about what data they need to evaluate this technology, and how they will gather it. According to the Privacy Commissioner’s assessment, the new Advisory Council established to oversee the use of the app will evaluate its effectiveness. Any such evaluation should be shared with the public.

As the app rolls out in Ontario, individuals will be asked to download it, and broad uptake will be important to its success. Using the app may provide individuals with added protection; it also means that they will be contributing to an experiment to assess the utility of this type of technology to assist in pandemic control. COVID Alert aims to help contain a disease which we know can spread wildly and at great personal and societal cost. Carefully calibrated metrics, and transparency about the successes or failures of the app should, and hopefully will, be part of this experiment.

 

On July 10, 2020, the Supreme Court of Canada issued a split decision in a constitutional law case with interesting implications for privacy law. The Quebec government had challenged the constitutionality of Canada’s 2017 Genetic Non-Discrimination Act (the Act), arguing that it fell outside federal jurisdiction over criminal law and intruded upon areas of provincial jurisdiction. It had brought its challenge by way of a reference case to the Quebec Court of Appeal. That Court ruled that the law was unconstitutional, and the decision was appealed to the Supreme Court of Canada.

The hearing before the Supreme Court of Canada was unusual. The appeal was brought, not by the federal Attorney-General, but rather by the Canadian Coalition for Genetic Fairness, a group that had been an intervenor in the Court of Appeal proceedings. Notwithstanding the fact that the validity of a federal law was at issue, the federal Attorney-General sided with the Attorney-General of Quebec in arguing that the law was unconstitutional. This strange situation was due to the origins of the law. It was introduced as a Senate bill, championed by Senator James Cowan. The bill was passed by the Senate and came to the House of Commons. The federal government believed that it was unconstitutional and cabinet did not support it. However, given the nature of the subject matter of the bill, the government allowed a free vote in Parliament. The result was that the bill passed by a vote of 222 in favour and 60 against.

A majority of five Supreme Court of Canada judges, in two separate decisions, ruled that the Act was a valid exercise of Canada’s jurisdiction over criminal law under s. 91(27) of the Constitution Act, 1867. Four dissenting judges were of the opinion that the law was, in “pith and substance” a matter of provincial jurisdiction.

The Act does three things, only one of which was challenged before the Court. In the first place (and most controversially) it makes it an offence for anyone to require an individual to undergo a genetic test or to provide the results of an existing genetic test as a condition of receiving goods or services or of entering into a contract. The law also prohibits anyone from collecting the results of a genetic test taken by a person from a third-party source without that person’s written consent. The non-controversial parts of the bill consisted of amendments to the Canadian Human Rights Act to prohibit genetic discrimination, and amendments to the Canada Labour Code to protect employees against forced genetic testing or requirements to disclose test results. It was accepted that the federal government had jurisdiction to amend these statutes in this way. Thus, the only issue before the court was the constitutional basis for the parts of the Act that dealt with the provision of goods and services and the entering into contracts.

It was no secret that a major concern of the proponents of the Act was that individuals might be compelled to reveal their genetic history, and might be adversely impacted when doing so. The chief areas of concern were in relation to insurance and employment. Insurance contracts and employment outside of the federally regulated sectors, are typically matters within provincial jurisdiction, as is contract law. The issue, therefore, was whether this law, which made it an offence to insist upon genetic testing or to access to the results of genetic tests, was a matter of criminal law, or a pretext for intruding upon provincial jurisdiction.

Justice Karakatsanis, writing for three of the five justices in the majority, found that the ‘pith and substance’ of the Act was “to protect individuals’ control over their detailed personal information disclosed by genetic tests, in the broad areas of contracting and the provision of goods and services, in order to address Canadians’ fears that their genetic test results will be used against them and to prevent discrimination based on that information.” (at para 4). She characterized this as falling under Parliament’s criminal law power because “they respond to a threat of harm to several overlapping public interests traditionally protected by the criminal law” (at para 4) that include “autonomy, privacy, equality and public health” (at para 4).

Justice Moldaver, writing for himself and Justice Côté agreed that the law fell within federal jurisdiction, but differed as to the reasons for this. However, he characterized the ‘pith and substance’ of the law as “prohibiting conduct that undermines individuals’ control over the intimate information revealed by genetic testing.” (at para 111) He found that the Act was an exercise of the criminal law power because it contained “prohibitions accompanied by penalties [. . .] backed by the criminal law purpose of a suppressing a threat to health.” (at para 112)

Justice Kasirer, writing for the dissenting justices characterized the ‘pith and substance’ of the law as “to regulate contracts and the provision of goods and services, in particular contracts of insurance and employment, by prohibiting some perceived misuses of one category of genetic tests, the whole with the view to promoting the health of Canadians.’ (at para 154). As a result, in his view, the matter falls within provincial jurisdiction over property and civil rights under s. 92(13) of the Constitution Act, 1867.

The point of divergence for majority and dissent was with respect to whether the law primarily regulates contracts and the provision of goods and services, or whether it principally imposes penalties for activities that threaten values traditionally protected by the criminal law. The fact that the majority justified the legislation under the federal criminal law power has interesting implications for privacy law in Canada.

First, both sets of reasons for the majority clearly consider that privacy values are appropriate subject matter for criminal legislation. In a way, we knew this already – for example, no one challenges the constitutionality of provisions that criminalize voyeurism. However, voyeurism in the Criminal Code is not just a matter of privacy – there is also an element of sexual exploitation or predation – the control of which is firmly rooted in criminal law. This situation is notably different. What is criminalized (legitimately, from the point of view of the majority) is requiring people to take genetic tests or to disclose the results of such tests, or for someone to seek out this data from a third party in order to use it in relation to contracts, goods or services. This is largely a matter of informational privacy. The difference between the two sets of majority reasons is that two of the five majority justices anchor the informational privacy concerns very specifically in the link between the (mis)use of these tests and the objective of protecting public health. Three of the justices are open to grounding the Act, not just in public health protection, but in the need to protect autonomy, privacy and equality.

On the privacy issues, Justice Karakatsanis begins by noting that “individuals have powerful interests in autonomy and privacy, and in dignity more generally, protected by various Charter guarantees” (at para 82). She also noted that individuals have “a clear and pressing interest in safeguarding information about themselves” (at para 82). According to Justice Karakatsanis, compelling people to undergo genetic testing “poses a clear threat to autonomy and to an individual’s privacy interest in not finding out what their genetic makeup reveals about them and their health prospects.” (at para 85) She notes that some people might not want to know their genetic ‘destiny’. Further, forcing individuals to share this information as a condition of receiving goods or services or entering into a contract compromises “an individual’s control over access to their detailed genetic information” (at para 85).

Justice Karakatsanis also describes genetic information as being at an individual’s “biographical core” of information. This ‘biographical core’ represents that information that is most closely tied to individual identity. She notes that the Act reflects Parliament’s view that “The dignity, autonomy and privacy interests in individuals’ detailed genetic information were understood by Parliament to be unique and strong” (at para 87). She noted as well that genetic testing technology is evolving rapidly, making the volume of information they may reveal about individuals something that “will undoubtedly continue to evolve alongside technological abilities to interpret test results” (at para 88). The sensitivity of the information is matched by the potential for its abuse.

Although Justice Karakatsanis finds that the legislation also serves to protect public health (by removing individual fears of the consequences for them of seeking genetic testing), she rules that it is also within federal jurisdiction because of its “response to the risk of harm that the prohibited conduct and discrimination based on genetic test results pose to autonomy, privacy and equality” (at para 92). For Justice Moldaver, who also supports the constitutionality of the Act, the pith and substance of the legislation lies in Parliament’s goal “to protect health by prohibiting conduct that undermines individuals’ control over the intimate information revealed by genetic testing” (at para 111)[my emphasis]. This is a subtle but important distinction. He grounds constitutionality in the protection of public health; protecting intimate information is simply the means by which the public health goal is achieved. Justice Kasirer, writing for the four dissenting justices was prepared to recognize the Attorney-General of Canada’s concession “that Parliament could enact legislation targeting a threat to privacy and autonomy hat might well constitute a valid criminal law purpose” (at para 251). But recognizing a concession is not necessarily agreeing with it. He notes that in this case, because the pith and substance of the legislation is not to protect privacy or autonomy, but rather to regulate contracts and the provision of goods and services, the matter is moot.

Justice Kasirer, in particular, notes the slippery slope that could result from finding that privacy, dignity and autonomy are freestanding anchors for the federal criminal law power. He notes that “Such a holding would encourage the view that any new technology with implications bearing on public morality might form the basis for the criminal law power, and potentially, bring a wide range of scientific developments within federal jurisdiction on no principled constitutional basis” (at para 253).

Indeed, this is at the heart of what is so interesting from a privacy perspective in this decision. Justice Karakatsanis, writing for herself and two other justices, seems to recognize that the protection of privacy can find an anchor in the criminal law power by virtue of the impact of intrusions of privacy on dignity and autonomy. Justice Moldaver and Justice Côté recognize the informational control dimensions of the genetic testing issue, but anchor the law’s constitutionality squarely in the goal of protecting public health, something long recognized as a matter open to regulation under the criminal law power. Justice Kasirer rejects federal jurisdiction entirely, but is alert to the potential for a focus on privacy, in an era of rapidly emerging technology, to dramatically impact the constitutional balance between federal and provincial governments.

These are interesting times for privacy, digital innovation, and the constitution. It is expected that the federal government will soon introduce a bill to reform the Personal Information Protection and Electronic Documents Act (PIPEDA). The Privacy Commissioner has pressed the government to adopt a ‘privacy as a human rights’ approach in this reform process, but the government has seemed hesitant because of concerns that any emphasis on the human rights dimension of privacy might threaten the law’s fragile constitutional footing under the trade and commerce power. The Supreme Court of Canada in the Reference re Genetic Non-Discrimination suggests that such an approach might not be as constitutionally risky as previously thought, although the risks are evidently there.

The regulation of artificial intelligence (AI) technologies will also be a matter of future legislative concern as they continue to rapidly evolve and impact all aspects of our lives. This case therefore may foreshadow debates about where jurisdiction might lie over possible prohibitions on certain uses of AI, on the automation of certain types of decision-making, or other measures to protect privacy, dignity or autonomy in the face of this new technology. Justice Kasirer is clearly concerned that at least three of his colleagues have opened a door for much wider-ranging federal jurisdiction over technologies that can impact privacy, dignity, and autonomy.

On May 29, 2020 I was invited to a meeting of the House of Commons INDU Committee which is considering Canada's response to the COVID-19 Pandemic. On May 29, it was focusing its attention on contact tracing apps. A copy of my brief oral presentation is below. The videotape of the hearing and the Q & A with fellow invitee Michael Bryant of the Canadian Civil Liberties Association can be found here.

 

Speaking Notes for Teresa Scassa, Canada Research Chair in Information Law and Policy, University of Ottawa, INDU – Canadian Response to the COVID-19 Pandemic, May 29, 2020

Thank you, Madame Chair and Committee members for the opportunity to address this committee on privacy in Canada’s COVID-19 response.

We are currently in a situation in which Canadians are very vulnerable – economically, socially, and in terms of their physical and mental health. Canadians know that sacrifices are necessary to address this crisis – and have already made sacrifices of different magnitudes. Most Canadians accept that this is necessary to save lives and to begin to return to ‘normal’. They accept that some degree of privacy may need to be sacrificed in some contexts. But there is no binary choice between privacy and no privacy. Instead, there must be a careful balancing of privacy with other public interests.

There are two overarching privacy concerns when it comes to Canada’s response to the pandemic. The first is that there is a risk that poorly thought out collection, use or disclosure of personal information will create privacy and security vulnerabilities with little real benefit, or with benefits disproportionate to risks and harms. The second is that the pandemic may lead to the introduction of data gathering or processing technologies that will create a ‘new normal’ leading to even greater inroads on privacy, dignity and autonomy. Importantly, surveillance often has the most significant adverse impacts on the most vulnerable in our society.

The pandemic context raises a broad range of privacy issues, from government or law enforcement access to location and personal health information, to contact tracing apps and beyond. As we begin the ‘return to normal’, we will also see issues of workplace surveillance, as well as tracking tools and technologies used to help determine who gets into stores, who receives services, or who gets on airplanes. Personal health information, generally considered to be among our most sensitive personal information, may become a currency we are required to use in order to carry out ordinary daily activities.

Since I am limited only to 5 minutes, I would like to tease out 3 main themes.

1) A first theme is trust. “Trust” is referenced in the Digital Charter and is essential when asking Canadians to share personal information with government. But trust is complicated by a pandemic context in which issues evolve rapidly and are often unprecedented. One thing that trust requires is transparency, and governments have struggled with transparency – whether it is with respect to sharing data that models the spread of COVID-19 with the public or (as was the case of Alberta) launching a contact-tracing app without releasing the Privacy Impact Assessment. Transparency is essential to trust.

2) A second theme is necessity and proportionality. The Privacy Commissioner of Canada, along with his provincial and territorial counterparts, supports an approach to privacy based on necessity and proportionality. This is derived from the human rights context. Necessity and proportionality provide a robust analytical framework for balancing privacy rights against other public interests, and should already be part of an amended Privacy Act.

The importance of this approach cannot be overemphasized. We are in a data driven society. It is easy to become enthused about technological solutions, and innovators promise that data analytics, including AI, can solve many of our problems. We need to remember that while technology can provide astonishing benefits, there is already a long history of poorly designed, poorly implemented, and often rushed technological solutions that have created significant risks and harms. Novel technological solutions often fail. This is becoming a reality, for example, with many recently launched national contact tracing apps. Rushed, flawed schemes to harvest personal data – even if for laudable goals – will erode trust at best and cause harm at worst.

This is why clear guidelines – such as those developed by the Commissioners – are crucial. There should be an emphasis on purpose and time-limited solutions that minimize privacy impacts.

3) A third theme is human rights. Privacy is closely tied to human rights, but this relationship is increasingly complex in a data driven society. Privacy laws govern data collection, use and disclosure, and it is increasingly common for data uses to have significant impacts on human rights and civil liberties, including the freedom of association, freedom of speech, and the right to be free from discrimination. Until recently, public conversations about contact tracing have been predominantly about government-adopted apps to deal with public health disease tracking. As businesses reopen and people go back to work, the conversation will shift to contact-tracing and disease monitoring in the private sector, including the possible use of so-called immunity passports. We will see workplace surveillance technologies as well as technologies that might be used to limit who can enter retail stores, who can access services, who can get on airplanes, and so on. While there are obviously serious public health and safety issues here, as well as issues important to economic recovery and the ability of people to return to work, there is also significant potential for harm, abuse, and injustice. Much of this private sector surveillance will be in areas under provincial jurisdiction, but by no means all of it. The federal government must play a leadership role in setting standards and imposing limitations.

I will end my remarks here and look forward to your questions.


 

Research for this article was made possible with the support of the Heinrich Boell Foundation Washington, DC.

This piece was originally published by Heinrich Boell Stiftung as part of their series on the broad impacts of the COVID-19 pandemic. The original publication can be found here.

 

 

A strong sense of regional sovereignty in the Canadian health care system may lead to different choices for technologies to track and contain the spread of the coronavirus. A multiplicity of non-interoperable apps could put their effectiveness in question and could create regional differences in approaches to privacy..

By Teresa Scassa

Canada’s national capital Ottawa is located in the province of Ontario but sits on the border with Quebec. As soon as restrictions on movement and activities due to the coronavirus begin to lift, the workforce will once again flow in both directions across a river that separates the two provinces. As with other countries around the world, Canada is debating how to use technology to prevent a second wave of infections. Yet as it stands right now, there is a chance that commuters between Ontario and Quebec could have different contact-tracing apps installed on their phone to track their movements, and that these apps might not be fully interoperable.

Innovation in contact-tracing apps is happening in real time, and amid serious concerns about privacy and security. In Canada, many provinces are on the threshold of adopting contact-tracing apps. Canadian app developers, building on technologies adopted elsewhere, will be offering solutions that rely on decentralized, centralized, or partially centralized data storage. At least one Canadian-built app proposes broader functionalities, including AI-enhancement. And, as is so often the case in Canada, its federal structure could lead to a multiplicity of different apps being adopted across the country. Similar challenges may be faced in the United States.

One app to rule them all?

Canada is a federal state, with 10 provinces and 3 territories. Under its constitution, health care is a matter of provincial jurisdiction, although the federal government regulates food and drug safety. It has also played a role in health care through its spending power, often linking federal health spending to particular priorities. However, when it comes to on-the-ground decision-making around the provision of health care services and public health on a regional level, the provinces are sovereign. Canadian federalism has been tested over the years by Quebec’s independence movement, and more recently by dissatisfaction from Western provinces, particularly Alberta. These tensions mean that co-operation and collaboration are not always top of mind.

When it comes to adoption of contact tracing apps, there is the distinct possibility in Canada that different provinces will make different choices. On May 1 Alberta became the first Canadian province to launch a contact tracing app. There have been reports, for example that New Brunswick is considering a contact tracing app from a local app developer, and the government of Newfoundland and Labrador has also indicated it is considering an app. Other governments contemplating contact tracing apps include Manitoba and Saskatchewan. The possibility that multiple different apps will be adopted across the country is heightened by reports that one municipal entity – Ottawa Public Health – may also have plans to adopt its own version of a contact-tracing app.

Although different contact-tracing apps may not seem like much of an issue with most Canadians under orders to stay home, as restrictions begin to loosen, the need for interoperability will become more acute. If non-interoperable contact-tracing apps were to be adopted in Ontario and Quebec (or even in Ontario, Quebec and Ottawa itself), their individual effectiveness would be substantially undermined. Similar situations could play out in border areas across the country, as well as more generally as Canadians begin to travel across the country.

On May 5, 2020, Doug Ford, the premier of Ontario, Canada’s most populous province, called for a national strategy for contact tracing apps in order to prevent fragmentation. His call for cohesion no doubt recognizes the extent to which Canada’s sometimes shambolic federalism could undermine collective public health goals. Yet with so many provinces headed in so many different directions, often with local app developers as partners, it remains to be seen what can be done to harmonize efforts.

Privacy and contact tracing in Canada

The international privacy debate around contact-tracing apps has centred on limiting the ability of governments to access data that reveals individuals’ patterns of movement and associations. Attention has focused on the differences between centralized and decentralized storage of data collected by contact-tracing apps. With decentralized data storage, all data is locally stored on the app user’s phone; public health authorities are able to carry out contact-tracing based on app data only through a complex technological process that keeps user identities and contacts obscure. This model would be supported by the Google/Apple API, and seems likely to be adopted in many EU states. These apps will erase contact data after it ceases to be relevant, and will cease to function at the end of the pandemic period.

By contrast, with centralized data storage, data about app registrants and their contacts is stored on a central server accessible to public health authorities. A compromise position is found with apps in which data is initially stored only on a user’s phone. If a user tests positive for COVID-19, their data is shared with authorities who then engage in contact-tracing. As an additional privacy protection, express consent can be required before users upload their data to central storage. This is a feature of both the Australian and Alberta models.

Decentralized storage has gained considerable traction in the EU where there are deep concerns about function creep and about the risk that user contact data could be used to create ‘social graphs’ of individuals. The European privacy debates are influenced by the General Data Protection Regulation (GDPR) and its shift toward greater individual control over personal data. In Canada, although the federal privacy commissioner has been advancing a ‘privacy as a human right’ approach to data protection, and although there has been considerable public frustration over the state of private sector data protection, little public sentiment seems to have galvanized around contact-tracing apps. Although Canadians have reacted strongly against perceived overcollection of personal data by public sector bodies in the past, in the pandemic context there seems to be a greater public willingness to accept some incursions on privacy for the public good. What incursions will be acceptable remains to be seen. The federal, provincial and territorial privacy commissioners (with the notable exception of the Alberta commissioner whose hands have been somewhat tied by the launch of the Alberta app) have issued a joint statement on the privacy requirements to be met by contact-tracing apps.

The Alberta contact-tracing app has received the cautious endorsement of the province’s Privacy Commissioner who described it as a “less intrusive” approach (presumably than full centralized storage). She noted that she had reviewed the Privacy Impact Assessment (PIA) (a study done to assess the privacy implications of the app), and was still seeking assurances that collected data would not be used for secondary purposes. She also indicated that the government had committed to the publication of a summary of the Privacy Impact Assessment, although no date was provided for its eventual publication.

Given the attention already paid to privacy in Europe and elsewhere, and given that Australia’s similar app was launched in conjunction with the public release of its full PIA, the Alberta launch should set off both privacy and transparency alarms in Canada. In a context in which decisions are made quickly and in which individuals are asked to sacrifice some measure of privacy for the public good, sound privacy decision-making, supported by full transparent PIAs, and an iterative process for rectifying privacy issues as they emerge, seems a minimum requirement. The release of the Alberta app has also created a gap in the common front of privacy commissioners, and raises questions about the interoperability of contact-tracing apps across Canada. It remains to be seen whether Canada’s federal structure will lead not just to different apps in different provinces, but to different levels of transparency and privacy as well.

 

On April 15, 2020 Facebook filed an application for judicial review of the Privacy Commissioner’s “decisions to investigate and continue investigating” Facebook, and seeking to quash the Report of Findings issued on April 25, 2019. This joint investigation involving the BC and federal privacy commissioners was carried out in the wake of the Cambridge Analytica scandal.

The Report of Findings found that Facebook had breached a number of its obligations under the federal Personal Information Protection and Electronic Documents Act (PIPEDA) and B.C.’s Personal Information Protection Act (PIPA). [As I explain here, it is not possible to violate both statutes on the same set of facts, so it is no surprise that nothing further has happened under PIPA]. The Report of Findings set out a series of recommendations. It also contained a section on Facebook’s response to the recommendations in which the commissioners chastise Facebook. The Report led to some strongly worded criticism of Facebook by the federal Privacy Commissioner. On February 6, 2020, the Commissioner referred the matter to Federal Court for a hearing de novo under PIPEDA.

The application for judicial review is surprising. Under the Federal Courts Act, a party has thirty days from the date of a decision affecting it to seek judicial review. For Facebook, that limitation ran out a long time ago. Further, section 18.1 of the Federal Courts Act provides for judicial review of decision, but a Report of Findings is not a decision. The Commissioner does not have the power to make binding orders. Only the Federal Court can do that, after a hearing de novo. The decisions challenged in the application for judicial review are therefore the “decisions to investigate and to continue investigating” Facebook.

In its application for judicial review Facebook argues that the complainants lacked standing because they did not allege that they were users of Facebook or that their personal information had been impacted by Cambridge Analytica’s activities. Instead, they raised general concerns about Facebook’s practices leading to the Cambridge Analytica scandal. This raises the issue of whether a complaint under PIPEDA must be filed by someone directly affected by a company’s practice. The statute is not clear. Section 11(1) of PIPEDA merely states: “An individual may file with the Commissioner a written complaint against an organization for contravening a provision of Division 1 or 1.1 or for not following a recommendation set out in Schedule 1.” Facebook’s argument is that a specific affected complainant is required even though Facebook’s general practices might have left Canadian users vulnerable. This is linked to a further argument by Facebook that the investigation lacked a Canadian nexus since there was no evidence that any data about Canadians was obtained or used by Cambridge Analytica.

Another argument raised by Facebook is that that the investigation amounted to a “broad audit of Facebook’s personal information management practices, not an investigation into a particular PIPEDA contravention” as required by Paragraph 11(1) of PIPEDA. Facebook argues that the separate audit power under PIPEDA has built-in limitations, and that the investigation power is much more extensive. They argue, essentially, that the investigation was an audit without the limits. Facebook also argues that the report of findings was issued outside of the one-year time limit set in s. 13(1) of PIPEDA. In fact, it was released after thirteen rather than twelve months.

Finally, Facebook argues that the investigation carried out by the Commissioner lacked procedural fairness and independence. The allegations are that the sweeping scope of the complaint made against Facebook was not disclosed until shortly before the report was released and that as a result Facebook had been unaware of the case it had to meet. It also alleges a lack of impartiality and independence on the part of the Office of the Privacy Commissioner in the investigation. No further details are provided.

The lack of timeliness of this application may well doom it. Section 18.1 of the Federal Courts Act sets the thirty-day time limit from the date when the party receives notice of the decision it seeks to challenge; the decision in this case is the decision to initiate the investigation, which would have been communicated to Facebook almost two years ago. Although judges have discretion to extend the limitation period, and although Facebook argues it did not receive adequate communication regarding the scope of the investigation, even then their application comes almost a year after the release of the Report of Findings. Perhaps more significantly, it comes two and a half months after the Commissioner filed his application for a hearing de novo before the Federal Court. The judicial review application seems to be a bit of a long shot.

Long shot though it may be, it may be intended as a shot across the bows of both the Office of the Privacy Commissioner and the federal government. PIPEDA is due for reform in the near future. Better powers of enforcement for PIPEDA have been on the government’s agenda; better enforcement is a pillar of the Digital Charter. The Commissioner and others have raised enforcement as one of the major weaknesses of the current law. In fact, the lack of response by Facebook to the recommendations of the Commissioner following the Report of Findings was raised by the Commissioner as evidence of the need for stronger enforcement powers. One of the sought-after changes is the power for the Commissioner to be able to issue binding orders.

This application for judicial review, regardless of its success, puts on the record concerns about procedural fairness that will need to be front of mind in any reforms that increase the powers of the Commissioner. As pointed out by former Commissioner Jennifer Stoddart in a short article many years ago, PIPEDA creates an ombuds model in which the Commissioner plays a variety of roles, including promoting and encouraging compliance with the legislation, mediating and attempting early resolution of disputes and investigating and reporting on complaints. Perhaps so as to give a degree of separation between these roles and any binding order of compliance, it is left to the Federal Court to issue orders after a de novo hearing. Regardless of its merits, the Facebook application for judicial review raises important procedural fairness issues even within this soft-compliance model, particularly since the Commissioner took Facebook so publicly to task for not complying with its non-binding recommendations. If PIPEDA were to be amended to include order-making powers, then attention to procedural fairness issues will be even more crucial. Order-making powers might require clearer rules around procedures as well as potentially greater separation of functions within the OPC, or possibly the creation of a separate adjudication body (e.g. a privacy tribunal).

Given that we are in the middle of a pandemic, it is easy to miss the amendments to Ontario’s Personal Health Information Protection Act (PHIPA) and the Freedom of Information and Protection of Privacy Act (FIPPA) that were part of the omnibus Economic and Fiscal Update Act, 2020 (Bill 188) which whipped through the legislature and received Royal Assent on March 25, 2020.

There is much that is interesting in these amendments. The government is clearly on a mission to adapt PHIPA to the digital age, and many of the new provisions are designed to do just that. For example, although many health information custodians already do this as a best practice, a new provision in the law (not yet in force) will require health information custodians that use digital means to manage health information to maintain an electronic audit log. Such a log must detail the identity of anyone who deals with the information, as well as the date and time of any access or handling of the personal information. The Commissioner may request a custodian to provide him with the log for audit or review. Clearly this is a measure designed to improve accountability for the handling of digital health information and to discourage snooping (which is also further discouraged by an increase in the possible fine for snooping found later in the bill).

The amendments will also create new obligations for “consumer electronic service providers”. These companies offer services to individuals to help manage their personal health information. The substance of the obligations remains to be further fleshed out in regulations; the obligations will not take effect until the regulations are in place. The Commissioner will have a new power to order that a health information custodian or class of custodians cease providing personal health information to a consumer electronic service provider. Presumably this will occur in cases where there are concerns about the privacy practices of the provider.

Interestingly, at a time when there is much clamor for the federal Privacy Commissioner to have new enforcement powers to better protect personal information, the PHIPA amendments give the provincial Commissioner the power to levy administrative penalties against “any person” who, in the opinion of the Commissioner, has contravened the Act or its regulations. The administrative penalties are meant either to serve as ‘encouragement’ to comply with the Act, or as a means of “preventing a person from deriving, directly or indirectly, any economic benefit as a result of contravention” of PHIPA. The amount of the penalty should reflect these purposes and must be in accordance with regulations. The amendments also set a two-year limitation period from the date of the most recent contravention for the imposition of administrative penalties. In order to avoid the appearance of a conflict of interest, administrative penalties are paid to the Minister of Finance of the province. These provisions await the enactment of regulations before taking effect.

The deidentification of personal information is a strategy relied upon to carry out research without adversely impacting privacy, but the power of data analytics today raises serious concerns about reidentification risk. It is worth noting that the definition of “de-identify” in PHIPA will be amended, pending the enactment of regulations to that can require the removal of any information “in accordance with such requirements as may be prescribed.” The requirements for deidentification will thus made more adaptable to changes in technology.

The above discussion reflects some of the PHIPA amendments; readers should be aware that there are others, and these can be found in Bill 188. Some take effect immediately; others await the enactment of regulations.

I turn now to the amendments to FIPPA, which is Ontario’s public sector data protection law. To understand these amendments, it is necessary to know that the last set of FIPPA amendments (also pushed through in an omnibus bill) created and empowered “inter-ministerial data integration units”. This was done to facilitate inter-department data sharing with a view to enabling a greater sharing of personal information across the government (as opposed to the more siloed practices of the past). The idea was to allow the government to derive more insights from its data by enabling horizontal sharing, while still protecting privacy.

These new amendments add to the mix the “extra-ministerial data integration unit”, which is defined in the law as “a person or entity, or an administrative division of a person or entity, that is designated as an extra-ministerial data integration unit in the regulations”. The amendments also give to these extra-ministerial data integration units many of the same powers to collect and use data as are available to inter-ministerial data integration units. Notably, however, an extra-ministerial data integration unit, according to its definition, need not be a public-sector body. It could be a person, a non-profit, or even a private sector organization. It must be designated in the regulations, but it is important to note the potential scope. These legislative changes appear to pave the way for new models of data governance in smart city and other contexts.

The Institute for Clinical Evaluative Sciences (ICES) is an Ontario-based independent non-profit organization that has operated as a kind of data trust for health information in Ontario. It is a “prescribed entity” under s. 45 of PHIPA which has allowed it to collect “personal health information for the purpose of analysis or compiling statistical information with respect to the management of, evaluation or monitoring of, the allocation of resources to or planning for all or part of the health system, including the delivery of services.” It is a trusted institution which has been limited in its ability to expand its data analytics to integrate other relevant data by public sector data protection laws. In many ways, these amendments to FIPPA are aimed at better enabling ICES to expand its functions, and it is anticipated that ICES will be designated in the regulations. However, the amendments are cast broadly enough that there is room to designate other entities, enabling the sharing of municipal and provincial data with newly designated entities for the purposes set out in FIPPA, which include: “(a) the management or allocation of resources; (b) the planning for the delivery of programs and services provided or funded by the Government of Ontario, including services provided or funded in whole or in part or directly or indirectly; and (c) the evaluation of those programs and services.” The scope for new models of governance for public sector data is thus expanded.

Both sets of amendments – to FIPPA and to PHIPA – are therefore interesting and significant. The are also buried in an omnibus bill. Last year, the Ontario government launched a Data Strategy Consultation that I have criticized elsewhere for being both rushed and short on detail. The Task Force was meant to report by the end of 2019; not surprisingly, given the unrealistic timelines, they have not yet reported. It is not even clear that a report is still contemplated.

While it is true that technology is evolving rapidly and that there is an urgent need to develop a data strategy, the continued lack of transparency and the failure to communicate clearly about steps already underway is profoundly disappointing. One of the pillars of the data strategy was meant to be privacy and trust. Yet we have already seen two rounds of amendments to the province’s privacy laws pushed through in omnibus bills with little or no explanation. Many of these changes would be difficult for the lay person to understand or contextualize without assistance; some are frankly almost impenetrable. Ontario may have a data strategy. It might even be a good one. However, it seems to be one that can only be discovered or understood by searching for clues in omnibus bills. I realize that we are currently in a period of crisis and resources may be needed elsewhere at the moment, but this obscurity predates the pandemic. Transparent communication is a cornerstone of trust. It would be good to have a bit more of it.

The COVID-19 pandemic has sparked considerable debate and discussion about the role of data in managing the crisis. Much of the discussion has centred around personal data, and in these discussions the balance between privacy rights and the broader public interest is often a focus of debate. Invoking the general ratcheting up of surveillance after 9-11, privacy advocates warn of the potential for privacy invasive emergency measures to further undermine individual privacy even after the crisis is over.

This post will focus on the potential for government use of data in the hands of private sector companies. There are already numerous examples of where this has taken place or where it is proposed. The nature and intensity of the privacy issues raised by these uses depends very much on context. For the purposes of this discussion, I have identified three categories of proposed uses of private sector data by the public sector. (Note: My colleague Michael Geist has also written about 3 categories of data – his are slightly different).

The first category involves the use of private sector data to mine it for knowledge or insights. For example, researchers and public health agencies have already experimented with using social media data to detect the presence or spread of disease. Some of this research is carried out on publicly accessible social media data and the identity of specific individuals is not necessary to the research, although geolocation generally is. Many private sector companies sit on a wealth of data that reveals the location and movements of individuals, and this could provide a rich source of data when combined with public health data. Although much could be done with aggregate and deidentified data in this context, privacy is still an issue. One concern is the potential for re-identification. Yet the full nature and scope of concerns could be highly case-specific and would depend upon what data is used, in what form, and with what other data it is combined.

Government might, or might not be, the lead actor when it comes to the use of private sector data in this way. Private sector companies could produce analytics based on their own stores of data. They might do so for a variety of reasons, including experimentation with analytics or AI, a desire to contribute to solutions, or to provide analytics services to public and private sector actors. There is also the potential for public-private collaborations around data.

Private sector companies acting on their own would most likely publish only aggregate or deidentified data, possibly in the form of visualizations. If the published information is not personal information, this type of dissemination is possible, although these companies would need to be attentive to reidentification risks.

In cases where personal data is shared with the public sector, there might be other legal options. The Personal Information Protection and Electronic Documents Act (PIPEDA) contains a research exception that allows organizations to disclose information without consent “for statistical, or scholarly study or research, purposes that cannot be achieved without disclosing the information, [and] it is impracticable to obtain consent”. Such disclosure under s. 7(3)(f) requires that the organization inform the Commissioner in advance of any such disclosure, presumably to allow the Commissioner to weigh in on the legitimacy of what is proposed. The passage of a specific law, most likely on an emergency basis, could also enable disclosure of personal information without consent. Such an option would be most likely to be pursued where the government seeks to compel private sector companies to disclose information to them. Ideally, any such law would set clear parameters on the use and disposal of such data, and could put strict time limits on data sharing to coincide with the state of emergency. A specific law could also provide for oversight and accountability.

The second category is where information is sought by governments in order to specifically identify and track individuals in order to enable authorities to take certain actions with respect to those individuals. An example is where cell phone location data of individuals who have been diagnosed with the disease is sought by government officials so that they can retrospectively track their movements to identify where infected persons have been and with whom they have had contact (contact-tracing).This might be done in order to inform the public of places and times where infected persons have been (without revealing the identity of the infected person) or it might be done to send messages directly to people who were in the vicinity of the infected person to notify them of their own possible infection. In such cases, authorities access and make use of the data of the infected person as well as the data of persons in proximity to them. Such data could also be used to track movements of infected persons in order to see if they are complying with quarantine requirements. For example, public authorities could combine data from border crossings post-spring break with cell phone data to see if those individuals are complying with directives to self-quarantine for 14 days.

The use of private sector data in this way could be problematic under existing Canadian privacy law. Telcos are subject to PIPEDA, which does not contain an exception to the requirement for consent that would be an easy fit in these circumstances. However, PIPEDA does permit disclosure without consent where it is ‘required by law’. A special law, specific to the crisis, could be enacted to facilitate this sort of data sharing. Any such law should also contain its own checks and balances to ensure that data collection and use is appropriate and proportional.

Israel provides an example of a country that enacted regulations to allow the use of cell phone data to track individuals diagnosed with COVID-19. A podcast on this issue by Michael Geist featuring an interview with Israeli law professor Michael Birnhack exposes some of the challenges with this sort of measure. In a decision issued shortly after the recording of the podcast, the Israeli Supreme Court ruled that the regulations failed to meet the appropriate balance between privacy and the demands of the public health crisis. The case makes it clear that it is necessary to find an appropriate balance between what is needed to address a crisis and what best ensures respect for privacy and civil liberties. It is not an all or nothing proposition – privacy or public health. It is a question of balance, transparency, accountability and proportionality.

It is interesting to note that in this context, at least one country has asked individuals to voluntarily share their location and contact information. Singapore has developed an app called TraceTogether that uses Bluetooth signals to identify the phones of other app users that are within two metres of each user. The design of the app includes privacy protective measures. Sharing personal data with appropriate consent is easily permitted under public and private sector laws so long as appropriate safeguards are in place.

A third category of use of personal information involves the public sharing of information about the movements of individuals known to be infected with the virus. Ostensibly this is in order to give people information they may need to protect themselves from unwanted exposure. South Korea offers an example of such measures – it has provided highly detailed information about the location and movements of infected persons; the detail provide could lead to identification. Given the fact in Canada at least, testing has been limited due to insufficient resources, a decision to release detailed information about those who test positive could serve to stigmatize those persons while giving others a false sense of security. Some have raised concerns that such measures would also discourage individuals from coming forward to be tested or to seek treatment out of concerns over stigmatization. In Canada, the disclosure of specific personal health information of individuals – or information that could lead to their identification – is an extreme measure that breaches basic personal health information protection requirements. It is hard to see on what basis the public release of this type of information could be at all proportionate.

A common theme in all of the debates and discussions around data and privacy in the current context is that exceptional circumstances call for exceptional measures. The COVID-19 pandemic has spurred national and regional governments to declare states of emergency. These governments have imposed a broad range of limitations on citizen activities in a bid to stop the spread of the virus. The crisis is real, the costs to human life, health and to the economy are potentially devastating. Sadly, it is also the case that while many do their best to comply with restrictions, others flaunt them to greater or lesser extents, undermining the safety of everyone. In this context, it is not surprising that more drastic, less voluntary measures are contemplated, and that some of these will have important implications for privacy and civil liberties. Privacy and civil liberties, however, are crucially important values and should not be casual victims of pandemic panic. A careful balancing of interests can be reflected not just in the measures involving the collection and use of data, but also in issues of oversight, transparency, accountability, and, perhaps most importantly, in limits on the duration of collection and use.

Clearview AI and its controversial facial recognition technology have been making headlines for weeks now. In Canada, the company is under joint investigation by federal and provincial privacy commissioners. The RCMP is being investigated by the federal Privacy Commissioner after having admitted to using Clearview AI. The Ontario privacy commissioner has expressed serious concerns about reports of Ontario police services adopting the technology. In the meantime, the company is dealing with a reported data breach in which hackers accessed its entire client list.

Clearview AI offers facial recognition technology to ‘law enforcement agencies.’ The term is not defined on their site, and at least one newspaper report suggests that it is defined broadly, with private security (for example university campus police) able to obtain access. Clearview AI scrapes images from publicly accessible websites across the internet and compiles them in a massive database. When a client provides them with an image of a person, they use facial recognition algorithms to match the individual in the image with images in its database. Images in the database are linked to their sources which contain other identifying information (for example, they might link to a Facebook profile page). The use of the service is touted as speeding up all manner of investigations by facilitating the identification of either perpetrators or victims of crimes.

This post addresses a number of different issues raised by the Clearview AI controversy, framed around the two different sets of privacy investigations. The post concludes with additional comments about transparency and accountability.

1. Clearview AI & PIPEDA

Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) applies to the collection, use and disclosure of personal information by private sector organizations engaged in commercial activities. Although Clearview AI is a U.S. company, PIPEDA will still apply if there is a sufficient nexus to Canada. In this case, the service clearly captures data about Canadians, and the facial recognition services are marketed to Canadian law enforcement agencies. This should be enough of a connection.

The federal Privacy Commissioner is joined in his investigation by the Commissioners of Quebec, B.C. and Alberta. Each of these provinces has its own private sector data protection laws that apply to organizations that collect, use and disclose personal information within the borders of their respective province. The joint investigation signals the positive level of collaboration and co-operation that exists between privacy commissioners in Canada. However, as I explain in an earlier post, the relevant laws are structured so that only one statute applies to a particular set of facts. This joint investigation may raise important jurisdictional questions similar to those raised in the Facebook/Cambridge Analytica joint investigation and that were not satisfactorily resolved in that case. It is a minor issue, but nonetheless one that is relevant and interesting from a privacy governance perspective.

The federal Commissioner’s investigation will focus on whether Clearview AI complied with PIPEDA when it collected, used and disclosed the personal information which populates its massive database. Clearview AI’s position on the legality of its actions is clearly based on U.S. law. It states on its website that: “Clearview searches the open web. Clearview does not and cannot search any private or protected info, including in your private social media accounts.” In the U.S., there is much less in the way of privacy protection for information in ‘public’ space. In Canada however, the law is different. Although there is an exception in PIPEDA (and in comparable provincial private sector laws) to the requirement of consent for the collection, use or disclosure of “publicly available information”, this exception is cast in narrow terms. It is certainly not broad enough to encompass information shared by individuals through social media. Interestingly, in hearings into PIPEDA reform, the House of Commons ETHI Committee at one point seemed swayed by industry arguments that PIPEDA should be amended to include websites and social media within the exception for “publicly available personal information”. In an earlier post, I argued that this was a dangerous direction in which to head, and the Clearview AI controversy seems to confirm this. Sharing photographs online for the purposes of social interaction should not be taken as consent to use those images in commercial facial recognition technologies. What is more, the law should not be amended to deem it to be so.

To the extent, then, that the database contains personal information of Canadians that was collected without their knowledge or consent, the conclusion will likely be that there has been a breach of PIPEDA. The further use and disclosure of personal information without consent will also amount to a breach. An appropriate remedy would include ordering Clearview AI to remove all personal information of Canadians that was collected without consent from its database. Unfortunately, the federal Commissioner does not have order-making powers. If the investigation finds a breach of PIPEDA, it will still be necessary to go to Federal Court to ask that court to hold its own hearing, reach its own conclusions, and make an order. This is what is currently taking place in relation the Facebook/Cambridge Analytica investigation, and it makes somewhat of a mockery of our privacy laws. Stronger enforcement powers are on the agenda for legislative reform of PIPEDA, and it is to be hoped that something will be done about this before too long.

 

2. The Privacy Act investigation

The federal Privacy Commissioner has also launched an investigation into the RCMP’s now admitted use of Clearview AI technology. The results of this investigation should be interesting.

The federal Privacy Act was drafted for an era in which government institution generally collected the information they needed and used from individuals. Governments, in providing all manner of services, would compile significant amounts of data, and public sector privacy laws set the rules for governance of this data. These laws were not written for our emerging context in which government institutions increasingly rely on data analytics and data-fueled AI services provided by the private sector. In the Clearview AI situation, it is not the RCMP that has collected a massive database of images for facial recognition. Nor has the RCMP contracted with a private sector company to build this service for it. Instead, it is using Clearview AI’s services to make presumably ad hoc inquiries, seeking identity information in specific instances. It is not clear whether or how the federal Privacy Act will apply in this context. If the focus is on the RCMP’s ‘collection’ and ‘use’ of personal information, it is arguable that this is confined to the details of each separate query, and not to the use of facial recognition on a large scale. The Privacy Act might simply not be up to addressing how government institutions should interact with these data-fuelled private sector services.

The Privacy Act is, in fact, out of date and clearly acknowledged to be so. The Department of Justice has been working on reforms and has attempted some initial consultation. But the Privacy Act has not received the same level of public and media attention as has PIPEDA. And while we might see reform of PIPEDA in the not too distant future, reform of the Privacy Act may not make it onto the legislative agenda of a minority government. If this is the case, it will leave us with another big governance gap for the digital age.

If the Privacy Act is not to be reformed any time soon, it will be very interesting to see what the Privacy Commissioner’s investigation reveals. The interpretation of section 6(2) of the Privacy Act could be of particular importance. It provides that: “A government institution shall take all reasonable steps to ensure that personal information that is used for an administrative purpose by the institution is as accurate, up-to-date and complete as possible.” In 2018 the Supreme Court of Canada issued a rather interesting decision in Ewert v. Canada, which I wrote about here. The case involved a Métis man’s challenge to the use of actuarial risk-assessment tests by Correctional Services Canada to make decisions related to his incarceration. He argued that the tests were “developed and tested on predominantly non-Indigenous populations and that there was no research confirming that they were valid when applied to Indigenous persons.” (at para 12). The Corrections and Conditional Release Act contained language very similar to s. 6(2) of the Privacy Act. The Supreme Court of Canada ruled that this language placed an onus on the CSC to ensure that all of the data it relied upon in its decision-making about inmates met that standard – including the data generated from the use of the assessment tools. This ruling may have very interesting implications not just for the investigation into the RCMP’s use of Clearview’s technology, but also for public sector use of private sector data-fueled analytics and AI where those tools are based upon personal data. The issue is whether, in this case, the RCMP is responsible for ensuring the accuracy and reliability of the data generated by a private sector AI system on which they rely.

One final note on the use of Clearview AI’s services by the RCMP – and by other police services in Canada. A look at Clearview AI’s website reveals its own defensiveness about its technologies, which it describes as helping “to identify child molesters, murderers, suspected terrorists, and other dangerous people quickly, accurately, and reliably to keep our families and communities safe.” Police service representatives have also responded defensively to media inquiries, and their admissions of use come with very few details. If nothing else, this situation highlights the crucial importance of transparency, oversight and accountability in relation to these technologies that have privacy and human rights implications. Transparency can help to identify and examine concerns, and to ensure that the technologies are accurate, reliable and free from bias. Policies need to be put in place to reflect clear decisions about what crimes or circumstances justify the use of these technologies (and which ones do not). Policies should specify who is authorized to make the decision to use this technology and according to what criteria. There should be record-keeping and an audit trail. Keep in mind that technologies of this kind, if unsupervised, can be used to identify, stalk or harass strangers. It is not hard to imagine someone use this technology to identify a person seen with an ex-spouse, or even to identify an attractive woman seen at a bar. They can also be used to identify peaceful protestors. The potential for misuse is enormous. Transparency, oversight and accountability are essential if these technologies are to be used responsibly. The sheepish and vague admissions of use of Clearview AI technology by Canadian police services is a stark reminder that there is much governance work to be done around such technologies in Canada even beyond privacy law issues.

A recent story in iPolitics states that both the Liberals and the Conservatives support strengthening data protection laws in Canada, although it also suggests they may differ as to the best way to do so.

The Liberals have been talking about strengthening Canada’s data protection laws – both the Privacy Act (public sector) and the Personal Information Protection and Electronic Documents Act (PIPEDA) (private sector) since well before the last election, although their emphasis has been on PIPEDA. The mandate letters of both the Ministers of Justice and Industry contained directions to reform privacy laws. As I discuss in a recent post, these mandate letters speak of greater powers for the Privacy Commissioner, as well as some form of “appropriate compensation” for data breaches. There are also hints at a GDPR-style right of erasure, a right to withdraw consent to processing of data, and rights of data portability. With Canada facing a new adequacy assessment under the EU’s General Data Protection Regulation (GDPR) it is perhaps not surprising to see this inclusion of more EU-style rights.

Weirdly, though, the mandate letters of the Minister of Industry and the Minister of Heritage also contain direction to create the new role of “Data Commissioner” to serve an as-yet unclear mandate. The concept of a Data Commissioner comes almost entirely out of the blue. It seems to be first raised before the ETHI Committee on February 7, 2019 by Dr. Jeffrey Roy of Dalhousie University. He referenced in support of this idea a new Data Commissioner role being created in Australia as well as the existence of a UK Chief Data Officer. How it got from an ETHI Committee transcript to a mandate letter is still a mystery.

If this, in a nutshell, is the Liberal’s plan, it contains both the good, the worrisome, and the bizarre. Strengthening PIPEDA – both in terms of actual rights and enforcement of those rights is a good thing, although the emphasis in the mandate letters seems very oriented towards platforms and other issues that have been in the popular press. This is somewhat worrisome. What is required is a considered and substantive overhaul of the law, not a few colourful and strategically-placed band-aids.

There is no question that the role of the federal Privacy Commissioner is front and centre in this round of reform. There have been widespread calls to increase his authority to permit him to issue fines and to make binding orders. These measures might help address the fundamental weakness of Canada’s private sector data protection laws, but they will require some careful thinking about the drafting of the legislation to ensure that some of the important advisory and dispute resolution roles of the Commissioner’s office are not compromised. And, as we learned with reform of the Access to Information Act, there are order-making powers and then there are order-making powers. It will not be a solution to graft onto the legislation cautious and complicated order-making powers that increase bureaucracy without advancing data protection.

The bizarre comes in the form of the references to a new Data Commissioner. At a time when we clearly have not yet managed to properly empower the Privacy Commissioner, it is disturbing that we might be considering creating a new bureaucracy with apparently overlapping jurisdiction. The mandate letters suggest that the so-called data commissioner would oversee (among other things?) data and platform companies, and would have some sort of data protection role in this regard. His or her role might therefore overlap with both those of the Privacy Commissioner and the Competition Bureau. It is worth noting that the Competition Bureau has already dipped its toe into the waters of data use and abuse. The case for a new bureaucracy is not evident.

The Conservatives seem to be opposed to the creation of the new Data Commissioner, which is a good thing. However, Michelle Rempel Garner was reported by iPolitics as rejecting “setting up pedantic, out of date, ineffectual and bloated government regulatory bodies to enforce data privacy.” It is not clear whether this is simply a rejection of the new Data Commissioner’s office, or also a condemnation of the current regulatory approach to data protection (think baby and bath water). Instead, the Conservatives seem to be proposing creating a new data ownership right for Canadians, placing the economic value of Canadians’ data in their hands.

This is a bad idea for many reasons. In the first place, creating a market model for personal data will do little to protect Canadians. Instead, it will create a context in which there truly is no privacy because the commercial exchange of one’s data for products and services will include a transfer of any data rights. It will also accentuate existing gaps between the wealthy and those less well off. The rich can choose to pay extra for privacy; others will have no choice but to sell their data. Further, the EU, which has seriously studied data ownership rights (and not just for individuals) has walked away from them each time. Data ownership rights are just too complicated. There are too many different interests in data to assign ownership to just one party. If a company uses a proprietary algorithm to profile your preferences for films or books, is this your data which you own, or theirs because they have created it?

What is much more important is the recognition of different interests in data and the strengthening, through law, of the interests of individuals. This is what the GDPR has done. Rights of data portability and erasure, the right to withdraw consent to processing, and many other rights within the GDPR give individuals much stronger interests in their data, along with enforcement tools to protect those interests. Those strengthened interests are now supporting new business models that place consumers at the centre of data decision-making. Open banking (or consumer-directed banking), currently being studied by the Department of Finance in Canada, is an example of this, but there are others as well.

The fix, in the end, is relatively simple. PIPEDA needs to be amended to both strengthen and expand the existing interests of individuals in their personal data. It also needs to be amended to provide for appropriate enforcement, compensation, and fines. Without accountability, the rights will be effectively meaningless. It also needs to happen sooner rather than later.

 

(With thanks to my RA Émilie-Anne Fleury who was able to find the reference to the Data Commissioner in the ETHI Committee transcripts)

The year 2020 is likely to bring with it significant legal developments in privacy law in Canada. Perhaps the most important of these at the federal level will come in the form of legislative change. In new Mandate letters, the Prime Minister has charged both the Minister of Justice and the Minister of Innovation Science and Industry with obligations to overhaul public and private sector data protection laws. It is widely anticipated that a new bill to reform the Personal Information Protection and Electronic Documents Act (PIPEDA) will be forthcoming this year, and amendments to the Privacy Act are also expected at some point.

The mandate letters are interesting in what they both do and do not reveal about changes to come in these areas. In the first place, both mandate letters contain identical wording around privacy issues. Their respective letters require the two Ministers to work with each other:

. . . to advance Canada’s Digital Charter and enhanced powers for the Privacy Commissioner, in order to establish a new set of online rights, including: data portability; the ability to withdraw, remove and erase basic personal data from a platform; the knowledge of how personal data is being used, including with a national advertising registry and the ability to withdraw consent for the sharing or sale of data; the ability to review and challenge the amount of personal data that a company or government has collected; proactive data security requirements; the ability to be informed when personal data is breached with appropriate compensation; and the ability to be free from online discrimination including bias and harassment. [my emphasis]

A first thing to note is that the letters reference GDPR-style rights in the form of data portability and the right of erasure. If implemented, these should give individuals considerably more control over their personal information and will strengthen individual interests in their own data. It will be interesting to see what form these rights take. A sophisticated version of data portability has been contemplated in the context of open banking, and a recent announcement makes it clear that work on open banking is ongoing (even though open banking is notably absent from the mandate letter of the Minister of Finance). GDPR-style portability is a start, though it is much less potent as a means of empowering individuals.

The right of erasure is oddly framed. The letters describe it as “the ability to withdraw, remove and erase basic personal data from a platform” (my emphasis). It is unclear why the right of erasure would be limited to basic information on platforms. Individuals should have the right to withdraw, remove and erase personal data from all organizations that have collected it, so long as that erasure is not inconsistent with the purposes for which it was provided and for which it is still required.

Enhancements to rights of notice and new rights to challenge the extent of data collection and retention will be interesting reforms. The references to “appropriate compensation” suggest that the government is attuned to well-publicized concerns that the consequences of PIPEDA breaches are an insufficient incentive to improve privacy practices. Yet it is unclear what form such compensation will take and what procedures will be in place for individuals to pursue it. It is not evident, for example, whether compensation will only be available for data security breaches, or whether it will extend to breaches of other PIPEDA obligations. It is unclear whether the right to adequate compensation will also apply to breaches of the Privacy Act. The letters are mum as to whether it will involve statutory damages linked to a private right of action, or some other form of compensation fund. It is interesting to note that although the government has talked about new powers for the Commissioner including the ability to levy significant fines, these do not appear in the mandate letters.

Perhaps the most surprising feature of the Minister of Industry’s mandate letter is the direction to work with the Minister of Canadian Heritage to “create new regulations for large digital companies to better protect people’s personal data and encourage greater competition in the digital marketplace.” This suggests that new privacy obligations that are sector-specific and separate from PIPEDA are contemplated for “large digital companies”, whatever that might mean. These rules are to be overseen by a brand new Data Commissioner. Undoubtedly, this will raise interesting issues regarding duplication of resources, as well as divided jurisdiction and potentially different approaches to privacy depending on whether an organization is large or small, digital or otherwise.

<< Start < Prev 1 2 3 4 5 6 7 8 9 10 Next > End >>
Page 6 of 37

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law