Industry Committee on May 29th, 2020

I would request some clarification from Mr. Masse.

You talked about evidence regarding fraud calls that was received on May 20. There was much evidence on May 20 that was not related to fraud calls per se, but to fraud related to COVID-19, some of which was delivered through calls, many through texts or the web.

Is it specifically just fraud calls or all fraud related to COVID-19?

Thank you, Madam Chair and committee members for your invitation to discuss tracing applications, one of the approaches being studied in Canada and elsewhere to ensure a safe return to a more normal life. Please note that the expression “tracing application” is used in public speech to describe various mobile applications that serve as public health tools. Some applications are designed for conducting true contact tracing, while others have the goal of informing users and giving them advice based on their level of risk. The goal of an application is important for privacy purposes.

During this public health crisis related to COVID-19, the health and safety of Canadians is a key concern. It's natural for governments and public health authorities to try to find ways, including technological means, to better understand and control the spread of the virus. In this context, the Office of the Commissioner has adopted a flexible and contextual approach in its enforcement of privacy laws. We strongly believe that it's possible to use technology to protect both public health and privacy. Technology in itself is neither good nor bad. Everything depends on how it's designed, used and regulated.

When properly designed, tracing applications could achieve both objectives simultaneously, in terms of public health and the protection of rights. However, if implemented inappropriately, they could lead to surveillance by governments or businesses that exceeds public health needs and is therefore a violation of our fundamental rights.

I will now try to switch to English. I do not have the language button on my screen. I have a microphone and a camera, but no indication of language.

Does it work, even though I'm speaking English now?

Yes. I'm about to speak about the importance of the design.

Madam Chair, I don't have the French version of the rest of the presentation. I suggest that my colleague, Mr. Smolynec, read the end of the presentation in English. I'll then answer questions in French, regardless of the language in which the questions are asked.

Good afternoon.

Following from the commissioner's opening remarks, appropriate designs of technologies, such as tracing applications, depend on respect for some key privacy principles recommended in the OPC’s “Framework for the Government of Canada to Assess Privacy-Impactful Initiatives in Response to COVID-19”, and in a joint statement by federal, provincial and territorial privacy commissioners on contact-tracing applications.

In the interest of time, we will focus on six of these principles.

First is purpose limitation. Personal information collected through tracing applications should be used to protect defined public health purposes, and for no other purpose.

Second, these applications should be justified as necessary and proportionate, and therefore be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective.

Third, there must be a clear legal basis for the use of these applications and use should be voluntary, as this is important to ensure citizens’ trust. Use should therefore be consent-based and consent must be meaningful.

Fourth, these exceptional measures should be time-limited. Any personal information collected during this period should be destroyed when the crisis ends, and the applications decommissioned.

Fifth is transparency. Governments should be clear about the basis and the terms applicable to these applications. Privacy impact assessments or meaningful privacy analysis should be completed, reviewed by privacy commissioners, and a plain-language summary published proactively.

Sixth is accountability. Governments and companies should be accountable for how personal information will be collected, used, disclosed and secured. Oversight by an independent third party, such as privacy commissioners, would enhance citizens’ trust.

While governments have stressed the importance of privacy in the design of tracing applications, several of the principles I have mentioned are not currently legal requirements in our two federal privacy laws. For instance, nothing currently prevents a company from proposing an app that is not evidence-based and using the information for commercial purposes unrelated to health protection, provided consent is obtained, often in incomprehensible terms. A government could partner with such a company.

The current health crisis has made clear that technologies can play a very useful role in making essential activities safe. This meeting is about contact tracing, but potential benefits are much wider. For instance, let us think about virtual medicine or e-education.

What we need, more urgently than ever, are laws that allow technologies to produce benefits in the public interest without creating risks that fundamental rights such as privacy will be violated. Because of the growing role of public-private partnerships in addressing situations such as the COVID crisis, we need common principles enshrined in public sector and private sector laws.

Thank you. That concludes our statement.

No, I am not.

My office has been talking for several years now about the fact that our legal framework needs to be modernized and strengthened, and the current crisis clearly shows there will be a need to accelerate the technological revolution that was already at play before COVID.

This acceleration requires an even stronger legal framework.

Perhaps I should respond in French, given the interpretation issue that we've encountered.