Thank you very much, Mr. Chair.
Thank you for the invitation to appear in connection with your important study.
Early in the pandemic, the Office of the Privacy Commissioner of Canada recognized that data can serve the public interest, such as protecting public health. To that end, we published a framework for how to achieve this while respecting privacy, a key point of which was to use de‑identified or aggregated data wherever possible.
Our framework cautioned that institutions should be aware there is always a risk of re‑identification. Given this risk, our framework was explicit that there needs to be technical and other means implemented to protect the information. In principle, then, the use of de‑identified or aggregated data for public health purposes is consistent with our framework, provided appropriate technical standards are used.
Since the beginning of the pandemic, we have had regular meetings with the Public Health Agency of Canada on COVID-related initiatives. We welcome these interactions.
In the case of the government's use of mobility data, we were informed of their intent to use data in a de‑identified and aggregated way. We offered to review the technical means used to de‑identify data and to provide advice, but the government relied on other experts to that end, which is its prerogative.
Now that we have received complaints, we will investigate and turn our attention to the means chosen for de‑identification and whether they were appropriate to safeguard against re‑identification. Since this is under investigation, we will not be able to provide you with advice on this aspect of your study.
I would now like to offer the following observations on how this case is only one example of much more widespread practices in the public and private sectors and why, in my view [Technical difficulty—Editor] the urgent need for law reform. I also wish to suggest issues that you may want to consider during your study.
Organizations in both the public and private sectors constantly reuse data to new ends. This practice raises legitimate concerns by consumers, particularly when their personal information is used without their knowledge for purposes other than those they expected. Is the solution to ensure meaningful consent is obtained for all such cases? I think this is neither realistic nor reasonable, as this case illustrates.
The solution, in my view, would be to authorize the use of personal data for socially beneficial purposes and legitimate commercial interests within a rights-based law that acknowledges the nature and value of privacy as a human right so as to give privacy its appropriate weight in any balancing exercise.
The government argues that its use of mobility data did not engage the Privacy Act: in other words, that the act does not apply. Oddly, if the data was properly anonymized and aggregated—a fact that your committee and our office will separately investigate—that conclusion is likely legally correct, so the first question you should consider is whether the data, indeed, was properly de-identified and aggregated.
Even if it was, I would suggest that the second issue is whether it is good legislative policy that de-identified information falls outside the reach of privacy laws. We think removing de-identified information from the reach of these laws would bring very significant risks and is not good policy.
There is then the question of transparency and consent. Did the government or its private-sector partners adequately inform users that their mobility data would be used for public health purposes? While there is a reference to the “data for good” program somewhere in Telus's privacy policies, and while the government does make an effort to inform citizens of its use of mobility data on its COVIDTrends web page, I do not think anyone would seriously argue that most users knew how their data would be used.
Does that matter? That, I suggest, is another question you should consider. There's no question that transparency is important to enhance trust, and the government could likely have been more proactive in informing Canadians about its program, but should programs like this require meaningful consent?
As I mentioned earlier, I believe that due to the limitations of the consent model in protecting privacy, a more appropriate policy would be to authorize the use of personal information for legitimate commercial interests and the public good within a rights-based law. That law should be enforced by the OPC, an independent regulator, to which would be conferred the requisite powers and resources to protect Canadians.