Ottawa’s contentious use of Canadians’ mobility data early in the COVID-19 pandemic should serve as a warning the government needs to strengthen its proposed new private-sector privacy law, the Toronto internet-security and human-rights organization Citizen Lab says.
The report adds to broad criticism from the privacy community of the Consumer Privacy Protection Act, which was introduced as part of Bill C-27 in June. A Citizen Lab report released Tuesday argues the federal government’s use of location data from Telus Corp. and BlueDot Inc. – which allowed Ottawa to track the movement of millions of devices to understand population movements in the era of rolling COVID-19 lockdowns – could create a slippery slope in which such data could restrict human rights.
Even though that data about people’s movements had been stripped of identifying information, or “de-identified,” some data sets can be merged with others to reidentify an individual. And even in aggregate, the patterns could be used to achieve political ends. On the heels of developing restrictions on abortion in the United States, the Citizen Lab researchers wrote that a future government could use aggregated data from the private sector to identify popular abortion clinics and move to impede people’s access to them.
They argue Ottawa needs to take a stronger rights-based approach to privacy to assure Canadians this kind of data would be collected for a socially beneficial purpose – with greater responsibilities on government to inform Canadians about data collection and only disclose information with their explicit consent.
Canada’s current private-sector privacy law, the Personal Information Protection and Electronic Documents Act (PIPEDA), is more than two decades old. It’s been widely acknowledged as insufficient in safeguarding Canadians’ data rights since the early days of social media.
After a false start in the Liberals’ second term, Innovation Minister François-Philippe Champagne tabled new legislation in June. But many privacy advocates and technology-governance experts have warned the new rules still aren’t enough to respond to today’s data-gathering practices.
Introduced last June, Bill C-27 would bring into force a PIPEDA replacement called the Consumer Privacy Protection Act, plus additional legislation that would regulate algorithmic decision-making and establish a privacy tribunal. The bill reached second reading in the House of Commons several weeks ago, but has not yet gone to committee for debate and amendments.
Ottawa’s mobility-data use spurred long debates at the House ethics committee earlier this year. In a subsequent report, the committee recommended that the federal government be more transparent about the purpose and extent of its data use, further urging that Canadians should be able to opt out of this kind of collection.
Amanda Cutinha, the Citizen Lab report’s lead author and a litigation associate at Miller Thomson LLP, said in an interview the ethics committee’s findings on mobility data and subsequent announcement of C-27 presented an opportunity to rethink how Canada approaches privacy. She drew a direct line from Ottawa’s mobility-data use to her recommendations for the legislation: “How can we prevent this from happening again?”
De-identification is reversible, she warned, adding that “once new data sets are out there, new technology emerges that allow for further reidentification.” (The proposed law is expected to consider data reidentification as an offence.)
Asked about the Citizen Lab report’s broad findings, Laurie Bouchard, a spokesperson for the Innovation Minister’s office, said in an e-mail: “Whenever the bill will be at the step to receive amendments, our government will continue to work with all interested stakeholders and is committed to updating our privacy laws.”
Bill C-27 is intended to balance Canadians’ privacy with economic development, allowing businesses to collect and process data with numerous restrictions, including around consent for data collection. Numerous critics, however, argue that the bill does not properly clarify certain exemptions to obtaining citizens’ consent, such as when it claims there is a “legitimate interest that outweighs any potential adverse effect on the individual resulting from that collection or use.”
Some privacy advocates welcomed C-27′s addition of massive fines for data abusers, and new powers for the federal privacy commissioner to force companies to comply with the law. But they still argue the administrative tribunal proposed by the government to help with enforcement and appeals is unnecessary. “I think it would just add delays,” said Colin Bennett, a University of Victoria political science professor who closely studies privacy law in Canada.
The bill has also been widely disparaged for not framing privacy as a human right like other contemporary privacy directives, such as the European Union’s General Data Protection Regulation. Privacy Commissioner Philippe Dufresne has said he hopes to enshrine privacy as a “fundamental right” in Canada.
“The EU will say it’s not opposed to using data for innovation, but fundamentally it’s on a human-rights basis,” said Teresa Scassa, the Canada Research Chair in Information Law and Policy at the University of Ottawa, who has written extensively about the bill. (Prof. Scassa and Prof. Bennett also both consulted on a recent paper for the Centre for Digital Rights arguing for C-27 reform.)
Prof. Bennett, meanwhile, argues that calling the new law the Consumer Privacy Protection Act is a misclassification of who the bill should protect in the first place. “It establishes an expectation that we are responding and asserting our privacy rights not as Canadians or individuals, but as consumers,” he said.