The federal privacy commissioner has little faith current laws are strong enough to protect the rights of Canadians if governments approve a COVID-19 contact tracing app.
Asked Friday by a parliamentary committee if he is confident current privacy laws would protect Canadians if there was a privacy breach in a contact tracing app, Commissioner Daniel Therrien was firm.
“No I am not,” he told the House of Commons standing committee on Industry, Science and Technology. “My office has been talking for several years about the fact than our legal framework needs to be modernized and strengthened, and the current crisis shows need to accelerate the technological revolution that was at play before COVID. This acceleration requires an even stronger legal framework.”
The Personal Information Protection and Electronic Documents Act (PIPEDA), which covers data collected by businesses in all provinces except British Columbia, Alberta and Quebec (which have their own privacy laws) is more an industry code of practice, Therrien said a year ago. An updated law should give Canadians the right to privacy.
Therrien and provincial privacy commissioners said last month that governments should at least commit that any approved apps must meet six privacy principles that ensure the installation of an app is voluntary and ensures governments promise any personal data collected will be for defined public health purposes only. These principles also should also promise personal data collected will be destroyed after the crisis ends.
Therrien said that if an app is designed that follows those principles it could protect Canadians’ privacy. “When properly designed, tracing applications could achieve both objectives simultaneously, in terms of public health and the protection of rights. If implemented inappropriately, they could lead to surveillance by governments or businesses that exceeds public health needs and is therefore a violation of our fundamental rights.”
But, he noted, nothing currently in PIPEDA requires personal data collected only be used for public health tracing purposes. Nor, he added does the law prevent a company that offers a contact tracing app from using data collected for commercial purposes. The current law now only requires a company to obtain consent “based on an ambiguous privacy policy.”
Another reason to update PIPEDA is the increase in videoconferencing in medicine and education means more privacy protection for these technologies is needed, he added.
Prime Minister Justin Trudeau has acknowledged bureaucrats are looking at about 12 possible apps without detailing what criteria is being asked for or considered. Therrien shed some light by noting a research institute has been asked by Trudeau’s science advisor to look at whether current federal and provincial laws would allow provincial privacy commissioners to have a watchdog role over apps.
Asked if a privacy law covering COVID apps would be better rather than waiting for a full overhaul of PIPEDA, Therrien said he the law could be modified including covering public-private transfers of personal data.
He also made it clear having stronger tracing app data protection would increase public adoption. “If we had a more robust legal framework it’s virtually certain people would have more confidence in the system and would rely on these applications because they would see the benefits to public health and would be less fearful of violations to their privacy,” he said.
At one point an MP said an epidemiologist told him that during this crisis public health trumps privacy rights. Therrien disagreed, saying it is possible to protect people’s privacy and serve public health.
Therrien’s testimony comes as the federal, provincial and territorial governments privately discuss the possibility of approving a mobile contact tracing app to help manual contact tracing by local health authorities. Alberta jumped the gun and without the approval of other jurisdictions released its own app.
What concerns Therrien is that private companies are the ones creating apps being considered, and they might be managing any data collected (although that data could be encrypted).
Briefly, a privacy app generates and broadcasts random encrypted ID numbers on Bluetooth. Devices with apps that are close by for a set period of time (Alberta’s app is 15 minutes in total over 24 hours) detect the signal and compile a list of those numbers. Depending on the system if a person tests positive for COVID-19 they can either upload that list to a health authority for decrypting the list, allowing them to notify others that someone they were close to is positive (called a centralized approach); or the user could trigger the app to send out notices to those on its list without a health authority getting the information (called a decentralized approach). There are hybrid possibilities as well.
Therrien said he prefers the decentralized approach. However, he wouldn’t oppose a centralized app if a health authority can show the data it gets is necessary for public health purposes.
The fight over the centralized versus de-centralized approach accelerated last month when Apple and Google announced a partnership to develop a decentralized data-collecting API that health authorities can build an app on. Data would be held on devices and not uploaded to a centralized app without the users’ permission. Pointedly calling it an “exposure notification” approach, any app developed using the API wouldn’t collect location data or personally-identifiable information.
Among the loud supporters is former Ontario privacy commissioner Ann Cavoukian, who spoke about it on a session on COVID apps during the siberXchange online cybersecurity conference last week.
The Apple-Google framework is “unbelievably privacy-protective” she said. Alberta “went in the wrong direction” with its centralized app, she said. She also noted Australia, which has released a similar app, is moving towards the Apple-Google framework.
“No one’s going to use the app if they don’t trust it if they think it’s collecting your personal information,” Cavoukian said.
Asked where Canada is headed on tracing apps, she replied that Canadians and Americans have to insist on the protection of their privacy. “Let your governments know how deeply you care about preserving your privacy and freedom,” she said. In the wrong hands, information that you have tested positive for the virus could jeopardize your ability to get a job.
Also testifying at last week’s parliamentary hearing was University of Ottawa law professor Teressa Scassa, who cautioned the government not to rush into approving an app. “Rushed, flawed schemes to harvest personal data even for laudable goals will erode trust at best and will cause harm at worst,” she said. She also worried privacy legislation is not addressing the possibility that companies will use apps to control who comes back to work in offices and factories as they try to track who is healthy, who may have tested positive for COVID and if co-workers need to be warned.
Also testifying was Michael Bryant, executive director of the Canadian Civil Liberties Association, who said the middle of a health crisis is not the time for parliament to pass new privacy legislation to deal with contact tracing apps. “I’m nervous about legislating at this time,” suggesting haste may make bad law. Instead, he said, dealing with some issues could be resolved by federal or provincial governments through their powers to make emergency orders.
Bryant also said the association believes contact tracing apps won’t be practical in real-world conditions and will yield many false positives.
