Teresa Scassa - Blog

Displaying items by tag: covid19

 

Research for this article was made possible with the support of the Heinrich Boell Foundation Washington, DC.

This piece was originally published by Heinrich Boell Stiftung as part of their series on the broad impacts of the COVID-19 pandemic. The original publication can be found here.

 

 

A strong sense of regional sovereignty in the Canadian health care system may lead to different choices for technologies to track and contain the spread of the coronavirus. A multiplicity of non-interoperable apps could put their effectiveness in question and could create regional differences in approaches to privacy..

By Teresa Scassa

Canada’s national capital Ottawa is located in the province of Ontario but sits on the border with Quebec. As soon as restrictions on movement and activities due to the coronavirus begin to lift, the workforce will once again flow in both directions across a river that separates the two provinces. As with other countries around the world, Canada is debating how to use technology to prevent a second wave of infections. Yet as it stands right now, there is a chance that commuters between Ontario and Quebec could have different contact-tracing apps installed on their phone to track their movements, and that these apps might not be fully interoperable.

Innovation in contact-tracing apps is happening in real time, and amid serious concerns about privacy and security. In Canada, many provinces are on the threshold of adopting contact-tracing apps. Canadian app developers, building on technologies adopted elsewhere, will be offering solutions that rely on decentralized, centralized, or partially centralized data storage. At least one Canadian-built app proposes broader functionalities, including AI-enhancement. And, as is so often the case in Canada, its federal structure could lead to a multiplicity of different apps being adopted across the country. Similar challenges may be faced in the United States.

One app to rule them all?

Canada is a federal state, with 10 provinces and 3 territories. Under its constitution, health care is a matter of provincial jurisdiction, although the federal government regulates food and drug safety. It has also played a role in health care through its spending power, often linking federal health spending to particular priorities. However, when it comes to on-the-ground decision-making around the provision of health care services and public health on a regional level, the provinces are sovereign. Canadian federalism has been tested over the years by Quebec’s independence movement, and more recently by dissatisfaction from Western provinces, particularly Alberta. These tensions mean that co-operation and collaboration are not always top of mind.

When it comes to adoption of contact tracing apps, there is the distinct possibility in Canada that different provinces will make different choices. On May 1 Alberta became the first Canadian province to launch a contact tracing app. There have been reports, for example that New Brunswick is considering a contact tracing app from a local app developer, and the government of Newfoundland and Labrador has also indicated it is considering an app. Other governments contemplating contact tracing apps include Manitoba and Saskatchewan. The possibility that multiple different apps will be adopted across the country is heightened by reports that one municipal entity – Ottawa Public Health – may also have plans to adopt its own version of a contact-tracing app.

Although different contact-tracing apps may not seem like much of an issue with most Canadians under orders to stay home, as restrictions begin to loosen, the need for interoperability will become more acute. If non-interoperable contact-tracing apps were to be adopted in Ontario and Quebec (or even in Ontario, Quebec and Ottawa itself), their individual effectiveness would be substantially undermined. Similar situations could play out in border areas across the country, as well as more generally as Canadians begin to travel across the country.

On May 5, 2020, Doug Ford, the premier of Ontario, Canada’s most populous province, called for a national strategy for contact tracing apps in order to prevent fragmentation. His call for cohesion no doubt recognizes the extent to which Canada’s sometimes shambolic federalism could undermine collective public health goals. Yet with so many provinces headed in so many different directions, often with local app developers as partners, it remains to be seen what can be done to harmonize efforts.

Privacy and contact tracing in Canada

The international privacy debate around contact-tracing apps has centred on limiting the ability of governments to access data that reveals individuals’ patterns of movement and associations. Attention has focused on the differences between centralized and decentralized storage of data collected by contact-tracing apps. With decentralized data storage, all data is locally stored on the app user’s phone; public health authorities are able to carry out contact-tracing based on app data only through a complex technological process that keeps user identities and contacts obscure. This model would be supported by the Google/Apple API, and seems likely to be adopted in many EU states. These apps will erase contact data after it ceases to be relevant, and will cease to function at the end of the pandemic period.

By contrast, with centralized data storage, data about app registrants and their contacts is stored on a central server accessible to public health authorities. A compromise position is found with apps in which data is initially stored only on a user’s phone. If a user tests positive for COVID-19, their data is shared with authorities who then engage in contact-tracing. As an additional privacy protection, express consent can be required before users upload their data to central storage. This is a feature of both the Australian and Alberta models.

Decentralized storage has gained considerable traction in the EU where there are deep concerns about function creep and about the risk that user contact data could be used to create ‘social graphs’ of individuals. The European privacy debates are influenced by the General Data Protection Regulation (GDPR) and its shift toward greater individual control over personal data. In Canada, although the federal privacy commissioner has been advancing a ‘privacy as a human right’ approach to data protection, and although there has been considerable public frustration over the state of private sector data protection, little public sentiment seems to have galvanized around contact-tracing apps. Although Canadians have reacted strongly against perceived overcollection of personal data by public sector bodies in the past, in the pandemic context there seems to be a greater public willingness to accept some incursions on privacy for the public good. What incursions will be acceptable remains to be seen. The federal, provincial and territorial privacy commissioners (with the notable exception of the Alberta commissioner whose hands have been somewhat tied by the launch of the Alberta app) have issued a joint statement on the privacy requirements to be met by contact-tracing apps.

The Alberta contact-tracing app has received the cautious endorsement of the province’s Privacy Commissioner who described it as a “less intrusive” approach (presumably than full centralized storage). She noted that she had reviewed the Privacy Impact Assessment (PIA) (a study done to assess the privacy implications of the app), and was still seeking assurances that collected data would not be used for secondary purposes. She also indicated that the government had committed to the publication of a summary of the Privacy Impact Assessment, although no date was provided for its eventual publication.

Given the attention already paid to privacy in Europe and elsewhere, and given that Australia’s similar app was launched in conjunction with the public release of its full PIA, the Alberta launch should set off both privacy and transparency alarms in Canada. In a context in which decisions are made quickly and in which individuals are asked to sacrifice some measure of privacy for the public good, sound privacy decision-making, supported by full transparent PIAs, and an iterative process for rectifying privacy issues as they emerge, seems a minimum requirement. The release of the Alberta app has also created a gap in the common front of privacy commissioners, and raises questions about the interoperability of contact-tracing apps across Canada. It remains to be seen whether Canada’s federal structure will lead not just to different apps in different provinces, but to different levels of transparency and privacy as well.

 

Published in Privacy

The COVID-19 pandemic has sparked considerable debate and discussion about the role of data in managing the crisis. Much of the discussion has centred around personal data, and in these discussions the balance between privacy rights and the broader public interest is often a focus of debate. Invoking the general ratcheting up of surveillance after 9-11, privacy advocates warn of the potential for privacy invasive emergency measures to further undermine individual privacy even after the crisis is over.

This post will focus on the potential for government use of data in the hands of private sector companies. There are already numerous examples of where this has taken place or where it is proposed. The nature and intensity of the privacy issues raised by these uses depends very much on context. For the purposes of this discussion, I have identified three categories of proposed uses of private sector data by the public sector. (Note: My colleague Michael Geist has also written about 3 categories of data – his are slightly different).

The first category involves the use of private sector data to mine it for knowledge or insights. For example, researchers and public health agencies have already experimented with using social media data to detect the presence or spread of disease. Some of this research is carried out on publicly accessible social media data and the identity of specific individuals is not necessary to the research, although geolocation generally is. Many private sector companies sit on a wealth of data that reveals the location and movements of individuals, and this could provide a rich source of data when combined with public health data. Although much could be done with aggregate and deidentified data in this context, privacy is still an issue. One concern is the potential for re-identification. Yet the full nature and scope of concerns could be highly case-specific and would depend upon what data is used, in what form, and with what other data it is combined.

Government might, or might not be, the lead actor when it comes to the use of private sector data in this way. Private sector companies could produce analytics based on their own stores of data. They might do so for a variety of reasons, including experimentation with analytics or AI, a desire to contribute to solutions, or to provide analytics services to public and private sector actors. There is also the potential for public-private collaborations around data.

Private sector companies acting on their own would most likely publish only aggregate or deidentified data, possibly in the form of visualizations. If the published information is not personal information, this type of dissemination is possible, although these companies would need to be attentive to reidentification risks.

In cases where personal data is shared with the public sector, there might be other legal options. The Personal Information Protection and Electronic Documents Act (PIPEDA) contains a research exception that allows organizations to disclose information without consent “for statistical, or scholarly study or research, purposes that cannot be achieved without disclosing the information, [and] it is impracticable to obtain consent”. Such disclosure under s. 7(3)(f) requires that the organization inform the Commissioner in advance of any such disclosure, presumably to allow the Commissioner to weigh in on the legitimacy of what is proposed. The passage of a specific law, most likely on an emergency basis, could also enable disclosure of personal information without consent. Such an option would be most likely to be pursued where the government seeks to compel private sector companies to disclose information to them. Ideally, any such law would set clear parameters on the use and disposal of such data, and could put strict time limits on data sharing to coincide with the state of emergency. A specific law could also provide for oversight and accountability.

The second category is where information is sought by governments in order to specifically identify and track individuals in order to enable authorities to take certain actions with respect to those individuals. An example is where cell phone location data of individuals who have been diagnosed with the disease is sought by government officials so that they can retrospectively track their movements to identify where infected persons have been and with whom they have had contact (contact-tracing).This might be done in order to inform the public of places and times where infected persons have been (without revealing the identity of the infected person) or it might be done to send messages directly to people who were in the vicinity of the infected person to notify them of their own possible infection. In such cases, authorities access and make use of the data of the infected person as well as the data of persons in proximity to them. Such data could also be used to track movements of infected persons in order to see if they are complying with quarantine requirements. For example, public authorities could combine data from border crossings post-spring break with cell phone data to see if those individuals are complying with directives to self-quarantine for 14 days.

The use of private sector data in this way could be problematic under existing Canadian privacy law. Telcos are subject to PIPEDA, which does not contain an exception to the requirement for consent that would be an easy fit in these circumstances. However, PIPEDA does permit disclosure without consent where it is ‘required by law’. A special law, specific to the crisis, could be enacted to facilitate this sort of data sharing. Any such law should also contain its own checks and balances to ensure that data collection and use is appropriate and proportional.

Israel provides an example of a country that enacted regulations to allow the use of cell phone data to track individuals diagnosed with COVID-19. A podcast on this issue by Michael Geist featuring an interview with Israeli law professor Michael Birnhack exposes some of the challenges with this sort of measure. In a decision issued shortly after the recording of the podcast, the Israeli Supreme Court ruled that the regulations failed to meet the appropriate balance between privacy and the demands of the public health crisis. The case makes it clear that it is necessary to find an appropriate balance between what is needed to address a crisis and what best ensures respect for privacy and civil liberties. It is not an all or nothing proposition – privacy or public health. It is a question of balance, transparency, accountability and proportionality.

It is interesting to note that in this context, at least one country has asked individuals to voluntarily share their location and contact information. Singapore has developed an app called TraceTogether that uses Bluetooth signals to identify the phones of other app users that are within two metres of each user. The design of the app includes privacy protective measures. Sharing personal data with appropriate consent is easily permitted under public and private sector laws so long as appropriate safeguards are in place.

A third category of use of personal information involves the public sharing of information about the movements of individuals known to be infected with the virus. Ostensibly this is in order to give people information they may need to protect themselves from unwanted exposure. South Korea offers an example of such measures – it has provided highly detailed information about the location and movements of infected persons; the detail provide could lead to identification. Given the fact in Canada at least, testing has been limited due to insufficient resources, a decision to release detailed information about those who test positive could serve to stigmatize those persons while giving others a false sense of security. Some have raised concerns that such measures would also discourage individuals from coming forward to be tested or to seek treatment out of concerns over stigmatization. In Canada, the disclosure of specific personal health information of individuals – or information that could lead to their identification – is an extreme measure that breaches basic personal health information protection requirements. It is hard to see on what basis the public release of this type of information could be at all proportionate.

A common theme in all of the debates and discussions around data and privacy in the current context is that exceptional circumstances call for exceptional measures. The COVID-19 pandemic has spurred national and regional governments to declare states of emergency. These governments have imposed a broad range of limitations on citizen activities in a bid to stop the spread of the virus. The crisis is real, the costs to human life, health and to the economy are potentially devastating. Sadly, it is also the case that while many do their best to comply with restrictions, others flaunt them to greater or lesser extents, undermining the safety of everyone. In this context, it is not surprising that more drastic, less voluntary measures are contemplated, and that some of these will have important implications for privacy and civil liberties. Privacy and civil liberties, however, are crucially important values and should not be casual victims of pandemic panic. A careful balancing of interests can be reflected not just in the measures involving the collection and use of data, but also in issues of oversight, transparency, accountability, and, perhaps most importantly, in limits on the duration of collection and use.

Published in Privacy

Canadian Trademark Law

Published in 2015 by Lexis Nexis

Canadian Trademark Law 2d Edition

Buy on LexisNexis

Electronic Commerce and Internet Law in Canada, 2nd Edition

Published in 2012 by CCH Canadian Ltd.

Electronic Commerce and Internet Law in Canada

Buy on CCH Canadian

Intellectual Property for the 21st Century

Intellectual Property Law for the 21st Century:

Interdisciplinary Approaches

Purchase from Irwin Law