Letter to shadow ministers
August 20, 2020
Hon. Michelle Rempel Garner, P.C., M.P.
House of Commons
Mr. Pierre Paul-Hus, M.P.
House of Commons
Mr. Matt Jeneroux, M.P.
House of Commons
Dear Mrs. Rempel Garner, Mr. Paul-Hus and Mr. Jeneroux:
Thank you for your letter dated July 29, 2020 in which you inquire about the privacy implications of the federal government’s COVID-19 exposure notification application (COVID Alert) and the ArriveCAN application.
Subsequent to receiving your correspondence, my office completed its review of the COVID Alert application. Both our review and the Health Canada privacy assessment are available online for reference. (Footnote 1)
Throughout the pandemic, the Office of the Privacy Commissioner of Canada (OPC) has recognized that the current health crisis calls for a flexible and contextual application of privacy laws. However, because privacy is a fundamental right, it is very important in our democratic country based on the rule of law that key principles continue to operate, even if some of the more detailed requirements are not applied as strictly as they normally would be.
With a view to achieving both greater flexibility and ensuring respect for privacy as a fundamental right, in April the OPC released a Framework to assess privacy-impactful initiatives in response to the pandemic (“the Framework”) (Footnote 2). Following this, in May we issued a joint statement with provincial and territorial privacy commissioners on privacy principles that should be respected in the design and during the use of any contact tracing or similar application (“the Joint FPT Statement”) (Footnote 3).
Both of these documents were meant to offer clear guidance on how to incorporate privacy into the design of government programs to address the pandemic, in recognition of the fact that our laws do not provide an effective level of protection suited to the digital environment. Some of the principles put forth in our guidance documents are not currently legal requirements in our privacy laws, yet are considered internationally to be fundamental privacy protective measures.
Our review of the COVID Alert application highlighted serious weaknesses with our current federal privacy legislation. In this case, the government took the position that its privacy laws do not apply in light of its assertion that personal information is not collected by the application. Further, while the design of the application is good and the government has agreed to be subject to an independent review, the government was not bound to make these commitments. The government chose to respect the principles put forth in our guidance documents because public trust is vital to the application’s success. However, without robust laws, other programs and applications could be introduced in the future that are not so privacy-sensitive.
COVID Alert application
As you note in your letter, I appeared before the House of Commons Standing Committee on Industry, Science and Technology on May 29, 2020, where I discussed privacy considerations associated with digital contact tracing applications. Following my appearance, the federal government engaged my Office to review the COVID Alert application. We had several communications with government officials over the course of several weeks, reviewed their privacy assessment and issued our final review of the application on July 30, 2020.
Throughout the process, Health Canada and other federal partners communicated with the OPC on program details as they evolved, albeit over a compressed period of time. While ideally we would have preferred to be consulted earlier, we were ultimately satisfied with the nature of the consultation that occurred. The government accepted several of our recommendations and we concluded that the program respected all of our recommended principles. As you are aware, the federal government launched the COVID Alert application on July 31, 2020.
You raise a number of important issues in your letter, to which I offer the following in response, based on our review of the COVID Alert application:
Collection of personal data
As mentioned, and as you note in your letter, the federal government takes the position that no personal information is collected by the application. Throughout our review, we posed a series of questions regarding this assertion, as well as regarding the protections in place to safeguard the information involved in the application’s functioning, including information on the interactions between the federal layer and the provincial system. Ultimately, we determined that the government went to great lengths to ensure that the data is strongly protected and de-identified.
Personal health information is clearly collected by provincial health authorities. The application itself, however, takes great care to rely on de-identified data, including random numbers that are not associated with individuals. At the critical point when an individual has been diagnosed with COVID-19 and the provincial health authorities provide a one-time code for the individual to enter into the application, again great care is taken to ensure their identity is well protected. For instance, the matching of random numbers following an exposure only takes place on users’ phones and no personal data will leave a user’s phone.
We are satisfied that exceptionally strong measures have been adopted to ensure that the identity of users is protected and not disclosed to the Government of Canada. While experts generally agree that there is no such thing as zero risk of the re-identification of de-identified data, here, in light of the security measures and other safeguards adopted, we determined that the risk of re-identification is very low.
Secure storage of personal data and safeguards against hacking
Based on our review of the documentation provided to our Office, we concluded that the COVID Alert application has very strong safeguards in place. This assessment is based in part on the following considerations:
- Exceptionally strong encryption techniques protect all the data in use, in transit, and at rest;
- The one-time code process relies on one of the strongest cryptographic hashing functions;
- The Google and Apple cryptographic specifications in place to protect the data make it “computationally infeasible for an attacker to find a collision on a Rolling Proximity Identifier.” (Footnote 4) Owing to these safeguards, the risk that hackers can obtain users’ data is exceptionally low; and
- The Canadian Digital Service (CDS) has implemented appropriate measures to safeguard the data stored on its servers. Although IP addresses accompany attempts to verify one-time codes sent to CDS’s servers, the retention of those IP addresses is limited. Access to the IP addresses is also restricted to a small number of staff. The data stored by CDS is also predominantly de-identified. As a result, the risk of re-identification from the storage of IP addresses is extremely low.
Appropriate destruction of health and personal data
In discussing the issue of destruction of data with Health Canada, we are satisfied that they have taken significant steps to limit its retention as much as possible, to delete data at regular intervals, and to shut down the application within 30 days after the pandemic is declared over. Also important is that individuals can delete the application at any time.
You inquire in your letter as to “unintended consequences” of proximity alerts. While this term is somewhat ambiguous, there are oversight mechanisms in place that should help to verify the effectiveness of the application, among other factors. For example, my Office offered to play an oversight role by conducting an audit one month after the launch of the app, and on a regular defined period thereafter. Health Canada has confirmed that it will conduct a joint audit with my Office, to begin in the fourth quarter of 2020. The audit will include an assessment of respect for the principles in the joint statement of Canada’s privacy commissioners, including an ongoing analysis of the application’s effectiveness under the necessity and proportionality principle. If we find problems during the course of our audit, we will request that the government decommission the application.
Additionally, the government has formed an External Advisory Council whose mandate is to provide advice and guidance “to ensure the application meets the highest standards in public health outcomes, technology and privacy” and whose membership comes from a variety of disciplines including health, privacy, data governance and science. Health Canada has committed to providing my Office with regular reports on the work of the Advisory Council.
An outstanding concern we have relates to the voluntariness of the application and purpose limitation. While we are satisfied that these principles are respected by the government, it is not clear that our laws would prohibit organizations from seeking information in the application. This could entail organizations requiring details on whether the user has received an exposure notification as a condition of service or to gain re-entry to the workplace. While the government has committed to providing messaging that individuals should not be required to use the application or disclose information about their use of it, as well as guidance to the private sector in this regard, these measures do not completely eliminate this risk.
Similarly, several commercial entities will be able to determine whether individuals have downloaded and used the application. These entities should not be permitted to monitor their customers’ use of the COVID Alert application.
Other countries have legislated to prohibit such practices. Ultimately, the law should be amended to make these principles enforceable against third parties.
While we hope that this information addresses your questions regarding our assessment of the COVID Alert application, should you have additional or unresolved questions or concerns we would welcome the opportunity to engage with you further on this matter.
You also inquire about the ArriveCAN application. The Public Health Agency of Canada (PHAC) consulted with my office in June on activities relating to the enforcement of, and compliance with, quarantine requirements (Footnote 5) for travellers entering Canada, including aspects of the ArriveCAN application. Subsequently, we received a Privacy Compliance Evaluation (PCE) from PHAC on these activities and provided recommendations. We also requested more information and are currently awaiting a response.
For your reference, a Privacy Compliance Evaluation is meant to provide a streamlined approach to conducting a privacy analysis compared to the normally-required Privacy Impact Assessment (PIA). The Treasury Board of Canada Secretariat (TBS) has granted government departments the discretion to conduct a PCE in lieu of a PIA to provide flexibility to more quickly develop programs and initiatives in response to the COVID-19 pandemic while ensuring compliance with the Privacy Act.
In your letter, you ask whether my Office has concerns with a provision in the ArriveCAN privacy notice (Footnote 6) outlining potential disclosures of personal information. The section of the notice that your letter highlights is part of a longer paragraph that, when read in full, clarifies that the information collected will be used and/or disclosed for the purposes of public health follow-up and monitoring and verifying compliance with the Quarantine Act and the emergency orders made under it. It is our understanding that disclosures to provincial and territorial public health units and law enforcement agencies in Canada are a necessary component of the quarantine process under the Quarantine Act for the two purposes outlined. Based on this understanding, we do not have concerns with this particular provision that outlines information-sharing activities for which PHAC has the legal authority and an identified need to disclose.
The notice then further states that, “In limited and specific circumstances, personal information may be used and disclosed without consent in accordance with subsection 8(2) of the Privacy Act.” This provision leaves room for the government to use and disclose personal information collected in direct response to the COVID-19 pandemic for other, unrelated purposes, as is indeed permitted under subsection 8(2) of the Privacy Act. Whether or not my Office would have concerns with such uses would depend on the specifics of the proposed activity.
Given our discussions with the government on this initiative are ongoing, we are not in a position to provide further information at this time.
State of federal privacy laws
Your letter raises the crucial question about the adequacy of our privacy laws in safeguarding Canadians’ data with respect to these two applications. As previously referenced, our work in reviewing the COVID Alert application highlighted some weaknesses in our laws and the urgent need for them to be modernized. How our government can claim that an application described worldwide as extremely privacy sensitive, and the subject of reasoned concern for the future of democratic values, is not subject to its privacy laws is of significant concern.
The digital age has undoubtedly facilitated better services for Canadians. While the COVID Alert application is not a panacea, it is likely to contribute, along with other measures, to reducing the spread of COVID-19 and therefore to saving lives.
At the same time, the current pandemic has greatly accelerated what was already a disruptive digital revolution. Examples include the much greater use of virtual medicine and e-learning. These technologies offer real benefits but also create very significant risks to privacy and other rights.
What we need, more urgently than ever, are laws that allow technologies to produce these benefits in the public interest while ensuring that fundamental rights such as privacy will be protected. And because of the growing role of public-private partnerships in addressing situations such as the COVID crisis, we need common principles enshrined in both our public-sector and private-sector laws.
The following are but a few examples of how our privacy laws need to be updated to more appropriately protect Canadians in the context of the digital environment, including with respect to the two applications in question:
- Rights-based privacy laws: In light of the increasingly significant risks being posed by data-driven technologies, including to rights such as privacy, equality and democracy, my Office has advocated for our privacy laws to be given a rights-based foundation. This would include the addition of a preamble and purpose clause to each of our federal laws that would serve to provide guidance as to the values, principles and objectives that should shape the interpretation and application of both PIPEDA and the Privacy Act. It would also entail the inclusion of other important measures in our laws, such as a requirement to demonstrate accountability on the part of organizations and departments, and the ability for my Office to conduct proactive inspections, among others.
- Purpose limitation: In the case of the COVID Alert application, it is unclear whether the law would currently prohibit organizations from seeking information residing in the application, including whether the user has received an exposure notification, as a condition of service. In our view, it is another failing of our current laws that voluntariness and purpose limitation cannot be enforced clearly against third parties.
- Inclusion of a Necessity and Proportionality Standard: Government institutions should be required to ensure that their measures are necessary and proportionate, which means essentially evidence-based, necessary for the specific purpose identified and not overbroad. In our view, these principles serve to balance the privacy rights of individuals with the government’s need to collect, use and disclose personal information for purposes that demonstrably serve the public interest.
- Requirement to consult the OPC and conduct PIAs: Similarly, the requirements to consult the OPC on initiatives that pose risks to privacy and to conduct PIAs to ensure such risks are identified and mitigated are only at the level of policy. This results in inconsistent adherence. We have long advocated for such measures to be legally required.
- De-identified information: It is well-established that there is always a risk that individuals can be re-identified when their personal information has been de-identified. The Act should define de-identified information to allow for a more targeted and nuanced application of certain rules rather than risk having it fall completely outside of the law’s application.
- Independent oversight: Among the rules that should apply even if de-identified information is used is the requirement for independent oversight. The government ultimately agreed to invite our Office to take part in a joint audit of COVID Alert, but this was after some discussion. The law should provide for independent oversight in all cases where privacy interests are at issue.
When I appeared before the House of Commons Standing Committee on Industry, Science and Technology, I indicated that when properly designed, tracing applications could achieve both public health objectives and the protection of rights simultaneously. (Footnote 7) Technology itself is neither good nor bad. Everything depends on how it is designed, used and regulated.
While proper design choices have largely been made in the case of the COVID Alert application, the fact remains that our existing legislative framework for privacy is outdated and does not sufficiently deal with the digital environment to ensure appropriate regulation of new technologies.
The current health crisis has made clear that technology can play a very useful role in making essential activities safe. However, data-driven technologies have also been shown to be harmful to rights, including privacy, equality and democracy. We need laws that support the development and use of technologies in the public interest, as well as protect our fundamental rights. This is relevant not only with the example of digital contact tracing, but also in many other areas where we have seen a marked acceleration of the digital revolution.
Internationally, and even at the provincial level, privacy laws are being strengthened to address challenges of the digital age. It is time that Canada move in the same direction.
Canada requires updated privacy laws that consider privacy in its full spectrum of rights and provide for effective enforcement and recourse. Such a reformulation of our privacy laws will help to restore trust in Canadian democracy and our economy.
Thank you again for sharing your important concerns with my Office.
(Original signed by)