Report on government access to mobility data stresses need to modernize privacy laws: privacy chief

Canada has been relying on mobility data to monitor people's activity during COVID-19 lockdowns

Report on government access to mobility data stresses need to modernize privacy laws: privacy chief

Privacy Commissioner of Canada Daniel Therrien has responded to a report concerning the federal government’s access to mobility data amid the ongoing COVID-19 pandemic.

Last January, the Standing Committee on Access to Information, Privacy and Ethics (ETHI) moved to undertake a study relating to the collection and use of mobility data by the government. Since the onset of the pandemic, the Public Health Agency of Canada (PHAC) has collected and used mobility data, such as cell-tower location data, to monitor people’s activity during COVID-19 lockdowns and determine possible links between movement of populations within Canada and spread of COVID-19.

On May 2, the committee issued a report entitled, “Collection and Use of Mobility Data by the Government of Canada and Related Issues.” Based on the report, the committee found that while the companies providing PHAC with access to mobility data reassured that no data identifying an individual was shared with the government, the evidence clearly illustrated that the current regulatory framework does not adequately address the use of “de-identified data” or data from which all personally identifiable information has been removed.

The committee also found that federal privacy laws are “in dire need of modernization.” With this, it made 22 recommendations to the government “to adapt to the current reality where data of millions of users are collected, used, and disclosed every day for a variety of purposes.”

In his released statement, Therrien said that the report clearly underscores “how current privacy laws are so out of step with modern technological developments” and the urgent need to modernize these laws.

According to Therrien, since there is always a risk that de-identified information may be re-identified, both the Privacy Act and the successor of former Bill C-11 should consider that information as personal, and therefore, subject to privacy protections.

“This was the solution proposed in former Bill C-11, the Consumer Privacy Protection Act, which died on the order paper when the last election was called,” Therrien said.

Therrien suggested that current privacy laws should give organizations greater flexibility to use personal information without consent for responsible innovation and socially beneficial purposes. However, this should be done within a legal framework that acknowledges privacy as a human right and a vital element for the exercise of other fundamental rights.

“Under our approach to law reform, there would be less emphasis placed on consent and the terms and conditions under which it is obtained,” Therrien said. “It is neither practical nor realistic to expect individuals to give consent for all uses of their data.”

In addition, Therrien recommended that greater flexibility to use personal information for the public good should come with “greater transparency and accountability.” That means that the use of personal data for public good purposes should be subject to independent oversight by the Office of the Privacy Commissioner (OPC).

The OPC should have the authority to conduct proactive audits to ensure public trust, verify compliance with the law, and reassure that privacy rights are respected, Therrien added.