Last month, the Privacy Commissioner of Canada shared with two parliamentary committees his response to an information request on the privacy implications of the federal government’s recent COVID exposure notification app (COVID Alert) and the effectiveness of existing privacy laws.

When reviewing the recent COVID Alert application, the Office of the Privacy Commissioner of Canada (OPC) discovered major weaknesses with current federal privacy laws. In this instance, the government emphasized that its privacy laws shall not apply in light of its claim that personal information should not be collected by the COVID Alert app. The government also claims that while the application is well designed, it was not liable to make these commitments.

“The government chose to respect the principles put forth in our guidance documents because public trust is vital to the application’s success. However, without robust laws, other programs and applications could be introduced in the future that are not so privacy-sensitive,” the Commissioner stated.

Securing Privacy of “COVID App” Users

At the same time, the Commissioner noted that the government went to “great lengths” to ensure that data is protected. The Commissioners office also determined that the COVID Alert application takes “great care” to reply on de-identified data, including random codes that cannot be used to identify an individual.

“At the critical point when an individual has been diagnosed with COVID-19 and the provincial health authorities provide a one-time code for the individual to enter into the application, again great care is taken to ensure their identity is well protected,” wrote the Commissioner. “For instance, the matching of random numbers following an exposure only takes place on users’ phones and no personal data will leave a user’s phone.”

Benefits of New Technology

In his response letter to members of the ETHI, INDU and the Leader of the Green Party, the Commissioner pointed out that although technology offers practical benefits in this pandemic period, it has created risks to privacy that should not go unnoticed. The commissioner claims in a letter to shadow ministers that what we need now, more important than ever, is legislation that allows recent technologies to produce benefits in the public interest while guaranteeing that rights will be protected, such as fundamental rights and privacy.

“Because of the growing role of public-private partnerships in addressing situations such as the COVID crisis, we need common principles enshrined in both our public-sector and private-sector laws,” the Commissioner wrote.

Protecting Canadians Online

The Commissioner also included several examples of how privacy laws should be updated to appropriately protect Canadians online. One of the examples mentioned (purpose limitation) explains how it is currently unclear whether or not the law would forbid organisations from seeking information found in the COVID Alert application — such as if a user has received an exposure notification — as a condition of service.

“In our view, it is another failing of our current laws that voluntariness and purpose limitation cannot be enforced clearly against third parties,” said the Commissioner.

At the end of the letter to committee members, the Commissioner included a table displaying how countries across the globe have legislated in recent years to make sure that their privacy laws consider the latest technological realities. The chart features multiple trading partners from around the world who have undertaken measures recommended by the Commissioner in the past, particularly in his latest annual report to Parliament.

“These recommendations were also put forward by provincial and territorial privacy commissioners over the years, and recently we have seen provincial governments introduce bills or announce an intention to modernize their laws,” the Privacy Commissioner said in his letter.