Feds should ‘consider withdrawing’ Bill C-27, says Citizen Lab report, proposing 19 amendments

By Amanda Jerome

Law360 Canada (November 22, 2022, 9:39 AM EST) -- In a report critically assessing the federal government’s existing practice of collecting mobility information for “socially beneficial and legitimate business interest purposes,” Citizen Lab has proposed 19 amendments to Bill C-27, noting however that the amendments are “modest” and do “not address many of the glaring deficiencies in the legislation.”

The report, titled ‘Minding Your Business: A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under the Socially Beneficial and Legitimate Interest Exemptions in Canadian Privacy Law,’ also stressed that “if the government’s goal is to pass privacy law that respects the rights and dignity of Canadian residents, it should consider withdrawing C-27 and subsequently re-introducing legislation that is written to reflect the need for privacy-related legislation that protects human rights and ensures that collections, uses, and disclosures of personal information, including de-identified information, follow after a detailed equity and gender-based policy assessment process.”

The report, released Nov. 22, explained that the federal government started obtaining “de-identified and aggregated mobility data” in March 2020 from “private companies for the socially beneficial purpose of trying to understand and combat the spread of COVID-19.” This data was provided by Telus and BlueDot.

However, the report noted, it “wasn’t until December 2021, after the government issued a request for proposals for cellular tower information that would extend the collection of mobility information, that the public became widely aware of the practice.” Soon after, parliamentary meetings into “the government’s collection of mobility data began” and revealed that “Canada’s existing privacy legislation is largely ineffective in managing the collection, use, and disclosure of data in a manner that recognizes the privacy rights of individuals.”

“In spite of this finding,” the report explained, the federal government “introduced Bill C-27: An Act to enact the Consumer Privacy Protection Act, the Personal Information and Data Protection Tribunal Act and the Artificial Intelligence and Data Act and to make consequential and related amendments to other Acts in June 2022, which if passed into law, will fail to correct existing deficiencies in Canada’s federal commercial privacy law.”

The report stressed that Bill C-27 would “make explicit that the government can continue collecting information, including mobility data from private organizations, so long as uses were socially beneficial and without clearly demarcating what will or will not constitute such uses in the future.”

The report emphasized the sensitivity of mobility information, which can “reveal individuals’ and communities’ patterns of life and reveal associational trends before participants themselves are aware of them.”

As an example, the report noted, that some governments “might analyze de-identified data to assess how far people must travel to obtain abortion-care services and, subsequently, recognize that more services are required.”

“Other governments could use the same de-identified mobility data and come to the opposite conclusion and selectively adopt policies to impair access to such services,” the report added, noting that if Bill C-27 is “not amended, its impacts will be felt well after the COVID-19 pandemic has come to a close.”

“It is already the case that access to certain forms of health care, including maternal health care, is politicized in Canada. If the government is permitted to continue collecting geolocation information without the knowledge and meaningful consent of individuals, this information may be used to further stigmatize already marginalized communities as well as create the legal condition where geolocation information and other de-identified or aggregated information could be used in excess of socially beneficial health intervention,” the report explained.

The report’s recommendations span from enabling the “Privacy Commissioner to establish regulations to ensure appropriate de-identification” and requiring that the “socially beneficial purpose be publicly disclosed and approved by the Privacy Commissioner and that an adverse effect assessment be conducted” to consultation with “Indigenous groups in the amendment of privacy legislation.”

The report stressed that the federal government’s “collection of de-identified mobility data from private companies has laid bare the issue of how de-identified data is treated under the law and the opaque ways in which government agencies can obtain and use information associated with residents of Canada.”

It noted that mobility data can “lead to a privacy quagmire insofar as current authorizing legislation may see private companies and government agencies alike collect, use, or disclose information in ways that are lawful but that seem inappropriate when held up to the public eye.”

“The current governance of identified and de-identified personal information has led to a governance gap insofar as the law is ambivalent to the problem of function creep in how data is used. Moreover, under the proposed law, data could be used in ways that individuals or their communities would oppose. These challenges are magnified by present failures to establish comprehensive, meaningful consent requirements concerning the collection, use, and disclosure of personal information as well as for personal information that has been processed into de-identified data. All of these issues are compounded when cast through the lenses of non-consensual collections and uses or disclosures of information collected from Indigenous persons and their communities,” the report added, noting that Citizen Lab’s recommendations are “only a start toward the necessary amendments for this legislation.”

Amanda Cutinha, co-author of Citizen Lab report

Amanda Cutinha, co-author of Citizen Lab report

In an interview with The Lawyer’s Daily, Amanda Cutinha, who authored the report with senior research associate Christopher Parsons, highlighted the recommendations regarding the bill’s “socially beneficial purpose exception and the legitimate interest exception” as “they allow for data sharing without consent and knowledge under specific circumstances.”

She noted that neither exception have “a ton of guidance” and are “relatively vague as to what is meant by them.”

Cutinha contributed to the report when she was a researcher at Citizen Lab and is currently a litigation associate at Miller Thomson LLP.

Cutinha told The Lawyer’s Daily that there are “a huge number of threat actors that are able and capable of reidentifying de-identified data,” so “the sharing of that data becomes problematic” when “it might be in the wrong hands.”

“Even when it’s in the right hands, you have a concern that this data can be reidentified for specific purposes,” she added, noting this legislation concerns highly sensitive data, which can have far-reaching impacts.

“You have situations like access to abortion care, where different governments can take a different approach to using data in ways that are maybe problematic for society,” she said, noting that in the COVID-19 context mobility data could impact members of marginalized communities.

“Low income communities are impacted by this for the most part because they’re the ones moving around the most during COVID. They have jobs that require them to go to and from work. They take public transit often, so we have these communities that are already marginalized, and they’re represented by predominantly racialized people, subject to government attention. And depending on the government, there was a lot of discussion about social distancing, and if the government decided to take a law enforcement aspect to that, then you’re policing specific communities over others and that can be a real issue,” she explained.

Cutinha also explained that during COVID “new technologies emerged” that allowed for data sharing that wasn’t possible in other health emergencies, such as the SARS outbreak in 2003.

“We’ve seen the rollout of contact tracing applications and different technologies that have gone into contact tracing,” she said, noting that some governments have used GPS or Bluetooth technology to accomplish this.

“All of these new technologies kind of emerged in response to COVID-19 because governments have wanted to be able to use data to their advantage in preventing viral transmission. And specifically, I think, a big thought throughout writing this paper was: do these changes quell innovation? Do they quell the idea that we shouldn’t be using technology to our advantage in these situations? And I think the answer to that is: no. We just have to be aware that these technologies exist and have laws that allow for adequately protecting privacy rights,” she said, noting this is the “key of privacy law reform.”

“Our privacy laws were written so long ago, at a time, even before SARS, where we couldn't have imagined that we’d use these technologies in these ways,” she emphasized.

Cutinha noted that Bill C-27 approaches privacy reform from a “commercial standpoint” and looks at “consumer protection.”

“Whereas in other places, like in the EU, they have the GDPR, [which] looks at individual protection,” which approaches protecting individuals from a human rights perspective, she explained.

In Canada, Cutinha noted, “there needs to be a completely different starting point for privacy legislation in order to actually protect individual rights.”

If you have any information, story ideas or news tips for The Lawyer’s Daily please contact Amanda Jerome at Amanda.Jerome@lexisnexis.ca or 416-524-2152.