Key Issues Related to Privacy

Digital Government and Digital Identity (ID)

Lead Directorates:

  1. Technology Analysis Directorate
  2. Government Advisory Directorate
  3. Policy, Research and Parliamentary Affairs

Background

  • The Government of Canada is committed to expanding its offerings of digital services and increasing Canadians’ adoption of digital government.
  • The federal Canada’s Digital Strategy includes a national approach to digital identity and to the harmonized use of private sector, provincial or territorial, and federal digital ID credentials for authentication and access to government programs.
  • Government digital service initiatives involve public-private partnerships with concurrent public and private sector privacy compliance risks and issues.
  • The Government of Canada is planning major transformations of federal IT infrastructure, breaking down data governance “silos” and expanding data integration across government institutions.
  • The OPC has provided advice and recommendations on digital services and digital ID projects in both the public and private sector, including the federal government Pan-Canadian Trust Framework (PCTF) and the Digital ID and Authentication Council of Canada (DIACC) PCTF.
  • The OPC has been consulted on the use of certain provincial digital identity credentials for accessing federal government services online. Quebec and Ontario are both planning to implement digital ID credentials, which may also in the future be used as part of the common trusted federal identity platform.
  • The OPC has called for the Government of Canada to devote closer attention to privacy issues during the development of digital services, noting that it should not sacrifice personal information protection, and that legislation enabling digital government must respect privacy as a fundamental human right.
  • Commissioner Therrien has appeared before Parliament on digital government initiatives, including:

Current status

  • Commissioner Therrien met regularly with the Chief Information Officer (CIO) of Canada Catherine Luelo and the Government of Canada’s Chief Data Officer Stephen Burt at the Treasury Board of Canada Secretariat (TBS).
  • The Government Advisory Directorate leads regular monthly meetings between the OPC and TBS that include discussions related to digital government.

Strategic considerations

  • In recent investigations, the OPC has examined the privacy issues related to identity verification, and has issued guidance on the use of new technologies for identification activities, emphasizing the need for lawful collection of data.
  • The CIO has requested harmonized and amalgamated privacy advice on digital ID from all federal, provincial and territorial (FPT) privacy commissioners, which will require a collaborative approach.
  • The Council of Europe has issued Digital Identity Draft Guidelines for a digital ID implementation, on which the OPC’s Deputy Commissioner of Compliance is in discussions with the European Data Protection Supervisor.

Next steps

  • The CIO of Canada will be invited to make a presentation on the federal digital ID plan to the Federal, Provincial and Territorial (FPT) privacy commissioners in September.
  • The OPC will maintain close communications with federal government institutions as digital ID plans and pilot projects roll out.
  • The OPC will continue discussions with its provincial and territorial counterparts regarding their implementation of digital ID.

Further reading

  • TBS Presentation Deck, Strategy for Government in the Digital Age, May 4, 2022.
  • Briefing Note, Update on pan-Canadian Digital ID initiatives, August 2021.
  • Note to File, Canadian Government names first Chief Data Officer, March 30, 2022.

Guidance and Joint Statement on Facial Recognition

Lead Directorate: Policy, Research and Parliamentary Affairs Directorate

Background

  • Early in 2020, media sources revealed that the Royal Canadian Mounted Police (RCMP) had been using Facial Recognition Technology (FRT) services provided by Clearview AI.
  • In response, the OPC, alongside its provincial and territorial counterparts (FPT), began developing guidance on the use of FRT by police. The purpose of the guidance is to help police agencies ensure any use of FRT complies with the law, minimizes risks, and respects the right to privacy.
  • In June 2021, the OPC and its FPT counterparts published a draft version of the guidance. They opened a public consultation both on its contents and on views of the broader regulatory framework for police use of FRT, which concluded in December 2021. See: Notice of consultation and call for comments – Privacy guidance on facial recognition for police agencies.
  • The OPC and its FPT counterparts published the final Privacy guidance on facial recognition for police agencies in May 2022. At the same time, they published a Joint Statement outlining recommendations for reform of the regulatory framework for police use of FRT. These recommendations centred on authorization for FRT use, necessity and proportionality requirements, oversight, and privacy rights and protections.

Current status

  • The OPC has committed to working with the RCMP to develop and publish supplementary guidance, in the form of “use case” analyses, specific to narrow applications of FRT proposed by the RCMP. This work has not yet begun and is expected to be carried out jointly by the Policy, Research and Parliamentary Affairs Directorate and the Government Advisory Directorate.

Strategic considerations

  • While the FRT Guidance and Joint Statement focus on FRT use in the context of policing, wider applications of FRT are of growing concern, including applications in the private sector.
  • The OPC participates in two FRT working groups:
    1. The Artificial Intelligence Community of Practice (AIPCOP) FRT working group, which is internal to the Government of Canada; and
    2. The Global Privacy Assembly FRT sub-working group, which is international in scope.
  • Both groups are currently developing common principles for FRT use, and this work will inform future OPC policy work on FRT.

Further reading


Artificial Intelligence and Automated Decision-Making

Lead Directorates:

  1. Policy, Research and Parliamentary Affairs Directorate
  2. Government Advisory Directorate

Background

  • In 2020, the OPC launched a public consultation on proposals for ensuring the appropriate regulation of Artificial Intelligence (AI) under PIPEDA, with the working assumption that legislative changes to PIPEDA are required to help reap the benefits of AI while upholding individuals’ fundamental right to privacy. See: Consultation on the OPC’s Proposals for ensuring appropriate regulation of artificial intelligence.
  • The OPC received 86 submissions, and held two in-person consultations with stakeholders.
  • Subsequently, the OPC worked with and commissioned a report from expert Professor Ignacio Cofone in the Faculty of Law at McGill University (Policy Proposals for PIPEDA Reform to Address Artificial Intelligence Report).
  • The OPC then published its own proposed regulatory framework for AI (A Regulatory Framework for AI: Recommendations for PIPEDA Reform), key elements of which included recommendations to:
    • Allow personal information to be used for public and legitimate business interests, including for the training of AI, but only if privacy is entrenched as a human right;
    • Create provisions specific to automated decision-making, including new rights to an explanation and to contest automated decisions; and
    • Require businesses to demonstrate accountability to the regulator upon request, ultimately through algorithmic traceability, proactive inspections, and other enforcement measures.
  • These recommendations formed the basis of written submissions that the OPC made in response to Bill C-11.
  • These recommendations also contributed to the OPC’s response to the Department of Justice on Privacy Act modernization, with additional recommendations on clarifying that statistical inferences produced by AI are personal information, and ensuring that a minimum standard for the right to explanation be delineated to ensure its meaningfulness, including where trade secrets are implicated.
  • In 2019, the Treasury Board of Canada Secretariat (TBS) introduced its Directive on Automated Decision-Making, which came into force for federal government institutions in April 2020. The Directive applies to any public sector system, tool or statistical model used to recommend or make an administrative decision about a client while providing external services.
  • The Government Advisory Directorate has provided recommendations to TBS on the Directive and the Algorithmic Impact Assessment tool introduced through it. Though the OPC finds the Directive to be relatively strong, the OPC also believes that many of its requirements need the force of law, in light of limited compliance from the federal government institutions subject to it, as well as to create actionable rights for individuals.

Current status

  • The OPC continues to refine its position on AI by analyzing more detailed aspects of its impact on privacy and other human rights. It participates in the Global Privacy Assembly’s working group on AI alongside international counterparts to work towards common approaches.
  • AI has a dedicated workstream under the G7 DPAs Roundtable, the first meeting of which will take place June 8, 2022.

Strategic considerations

  • Quebec recently made amendments to its privacy law to provide rights related to obtaining explanations and the ability to contest decisions based exclusively on automated processing.
  • The proposed European Union AI Act is the first comprehensive law aimed at regulating AI, and includes stringent measures, including bans on:
    • Real-time use of facial recognition by law enforcement in public spaces (subject to exceptions);
    • AI that deploys “subliminal techniques” to manipulate behaviour; and
    • Use by public authorities for social scoring.

Next steps

  • Through the GPA AI working group, the OPC is developing a paper outlining the risk areas of AI that concern privacy and data protection, and required protections.
  • The OPC will continue to identify potential future topics to guide its AI policy development, based on international trends and research.
  • TBS notified the Government Advisory Directorate in May 2022 that it has begun its third round of consultations regarding the Directive on Automated Decision-Making. The consultations are being done in a phased approach, and TBS intends to engage with the OPC during the next round of engagements over the summer of 2022.

Further reading

  • Briefing Note, Directive on Automated Decision Making, December 2021
  • Briefing Note, Joint Opinion of the EDPB and EDPS on the EU AI Act, July 2021
  • UNESCO, Recommendation on the ethics of artificial intelligence

Biometrics Guidance

Lead Directorate: Policy, Research and Parliamentary Affairs Directorate

Background

  • The OPC has long endeavored to update its guidance on biometrics, originally published in 2011, in response to the growing use of biometrics and interest in this information by both the public and private sector. See: Data at Your Fingertips Biometrics and the Challenges to Privacy.
  • A draft of the guidance has been produced with input from external experts as well as from across the OPC. It interprets requirements under both PIPEDA and the Privacy Act for businesses and federal institutions, and will supplement the recently finalized privacy guidance on facial recognition for police agencies.

Current status

  • The biometrics guidance is in the final stages of revisions, with edits underway to incorporate Commissioner Therrien’s feedback, the OPC’s joint facial recognition guidance, relevant ongoing investigations, and positions taken by the OPC’s international counterparts.
  • A draft public consultation plan has also been developed.

Strategic considerations

  • The Commission d'accès à l'information du Québec (CAI) issued its own comprehensive guidelines on biometrics in 2020 (Biometrics: Principles and Legal Duties of Organizations, only available in French). While the OPC’s draft guidance was developed with interoperability in mind, it generally goes into a finer level of detail.
  • The OPC has advised the Treasury Board of Canada Secretariat (TBS) of its plans to issue this guidance, as TBS is responsible for developing guidance under the Privacy Act.

Next steps

  • A package will be routed to the Commissioner with the draft guidance and consultation plan for review and approval by fall 2022.

Public Sector COVID-19-Related Initiatives

Lead Directorate: Government Advisory Directorate

Background

  • Throughout the COVID-19 pandemic, federal government institutions consulted the Government Advisory Directorate (GA) frequently on COVID-19-related activities, and GA reviewed and provided advice on numerous Privacy Impact Assessments (PIAs) related to these activities.
  • GA has received more than 30 files related to COVID-19 activities, ranging from programs that log visitors to government sites for tracking potential outbreaks, to the implementation of border safety measures, and the verification of mandatory vaccination for public servants.
  • In response to the pandemic, from March 13, 2020 to March 31, 2021, the Treasury Board of Canada Secretariat (TBS) relaxed some of the requirements for federal public sector institutions to conduct PIAs. The OPC expressed the view that this did not offer a balanced approach in assessing the privacy impacts of urgent COVID-19-related initiatives. See: Privacy in a pandemic.
  • Several COVID-19-related initiatives involved public-private partnerships that included the collection of personal information by commercial entities, with risks to meaningful consent.
  • GA reviews COVID-19-related activities against the OPC’s Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19.
  • The OPC conducted an extensive review of Health Canada’s (HC) COVID-19 exposure notification mobile application “COVID Alert” (Privacy review of the COVID Alert exposure notification application). This review was against the Joint Statement by Federal, Provincial and Territorial (FPT) Privacy Commissioners “Supporting public health, building public trust: Privacy principles for contact tracing and similar apps”. GA also provided feedback on HC’s evaluation of the effectiveness of the COVID Alert application, which included analysis of the necessity and proportionality of the app and its respect for the FPT Commissioners’ joint statement in its design and implementation. For further reading, see the Final letter from Commissioner Therrien to HC on the Evaluation of COVID Alert.

Current status

  • GA continues to receive PIAs for COVID-19-related programs.