Appearance before the Committee on Access to Information, Privacy and Ethics (ETHI) on their Study of the Collection and Use of Mobility Data by the Government of Canada

February 7, 2022
Ottawa, Ontario

Opening Statement by Daniel Therrien
Privacy Commissioner of Canada

(Check against delivery)

---

Introduction

Thank you for the invitation to appear in connection with your important study. With me is Martyn Turcotte, Director of the Technology Analysis Directorate at the Office. My remarks today will cover the following points:

• The application of privacy principles to the use of data for public health purposes;
• The nature of interactions between the Public Health Agency of Canada (PHAC) and my Office; and,
• How the use of de-identified data fits more generally within data practices by the public and private sectors in the 21st century, and the need for law reform.

Privacy principles and use of data for public health

Early in the pandemic, the OPC recognized that data can serve the public interest, such as protecting public health.

To that end, we published a framework for how to achieve this while respecting privacy, a key point of which was to use de-identified or aggregated data wherever possible.

Our framework cautioned that institutions should be aware there is always a risk of re-identification, noting the importance of being attentive to such risks, which are highly case-specific.

Given the risk of re-identification, our framework was explicit that there needs to be technical and other means implemented to protect the information.

In principle, then, the use of de-identified or aggregated data for public health purposes is consistent with our framework, provided appropriate technical standards are used.

Nature of interaction with PHAC and subsequent complaints filed with our Office

Since the beginning of the pandemic, we have had regular meetings with the Public Health Agency of Canada and Health Canada on COVID related initiatives. We welcome these interactions.

I note that the OPC’s role is of an advisory nature. Institutions are free to accept or reject our recommendations.

In the case of the government’s use of mobility data, we were informed of the intent to use data in a de-identified and aggregated way. We offered to review the technical means used to de-identify data and to provide advice, which was declined. The government relied on other experts to that end, which is its prerogative.

Now that we have received complaints alleging violations of privacy, we will turn our attention to the means chosen for de-identification and whether they were appropriate to safeguard against re-identification. Since this is under investigation, we will not be able to provide you with advice on this aspect of your study.

How PHAC initiative reflects use of data by the public and private sectors and demonstrates need for law reform

I would now like to offer the following observations on how this case is only one example of much more widespread practices in the public and private sectors, and why in my view it again illustrates the urgent need for law reform. I also wish to suggest issues you may want to consider during your study.

Organizations in both the public and private sectors constantly re-use data to new ends. This practice raises legitimate concerns by consumers, particularly when their personal information is used, without their knowledge, for purposes other than those they expected.

Is the solution to ensure meaningful consent is obtained for all of such uses? I think this is neither realistic nor reasonable, as this case illustrates. The solution, in my view, would be to authorize the use of personal data for socially beneficial purposes and legitimate commercial interests, within a rights based law that acknowledges the nature and value of privacy as a human right so as to give privacy its appropriate weight in any balancing exercise.

The government argues that its use of mobility data did not engage the Privacy Act, in other words that the Act does not apply at all. Oddly, if the data was properly anonymized and aggregated (a fact your committee and our Office will separately investigate), that conclusion is likely legally correct.

So the first question you should consider is whether the data was properly de-identified and aggregated. But even if it was, I would suggest the second issue is whether it is good legislative policy that de-identified information falls outside the reach of privacy laws.

For all its flaws, the government’s previous bill to modernize the private sector privacy law, C-11, considered that de-identified information remained personal, and therefore subject to the protections of privacy law, while providing flexibility for certain uses and therefore facilitating innovation. We think removing de-identified information from the reach of privacy laws would bring very significant risks and is not good policy.

Another question is whether the government should be able to rely on private sector partners to comply with privacy laws (here to adequately de-identify personal information) before they share user data with the government. I believe the government should ensure its partners have complied with the law or, at a minimum, that it retains the right to audit.

Then there is the question of transparency and consent. Did the government or its private sector partners adequately inform users that their mobility data would be used for public health purposes? While there is a reference to the Data for Good program somewhere in Telus’ privacy policies and while the government does make an effort to inform citizens of its use of mobility data on its COVID Trends webpage, I do not think anyone would seriously argue that most users knew how their data was being used.

Does that matter? That, I suggest, is another question you should consider. Transparency is important to enhance trust, and the government could likely have been more proactive in informing Canadians about its program.

Should programs like this require meaningful consent? As mentioned earlier, I believe that due to the limitations of the consent model in protecting privacy, a more appropriate policy would be to authorize the use of personal information for legitimate commercial interests and the public good, within a rights based law. That law should be enforced by the OPC, an independent regulator, to whom would be conferred requisite powers and resources to protect Canadians.

Finally, this data sharing initiative is an example of the movement of data between the private and public sectors and demonstrates the need for both to be governed by common principles and rules. With these two sectors interacting ever more frequently it is imperative that they be held to similar standards. Ideally, our two federal privacy laws should also be updated concurrently.

Conclusion

I hope your study will help shed light on these important issues and facilitate Canadians’ understanding of these data practices. I look forward to your questions.