
Citizen Lab report highlights data collection during COVID-19, privacy law reform
Wednesday, September 29, 2021 @ 1:05 PM | By Amanda Jerome
On Sept. 28, the Citizen Lab released a “preliminary comparative analysis” of how various “information technologies were mobilized in response to COVID-19 to collect data” and the “extent to which Canadian health or privacy or emergencies laws impeded the response to COVID-19.” The report also highlights the “potential consequences of reforming data protection or privacy laws to enable more expansive data collection, use, or disclosure of personal information in future health emergencies.”
The report, “Pandemic Privacy: A preliminary analysis of collection technologies, data collection laws, and legislative reform during COVID-19,” was authored by Benjamin Ballard, Amanda Cutinha and Christopher Parsons.
Parsons, a senior research associate at the Citizen Lab, in the Munk School of Global Affairs & Public Policy with the University of Toronto, told The Lawyer’s Daily that when analyzing the different technologies used in Canada, the U.S. and the U.K., “one of the most noteworthy elements was the way telecommunications systems had been repurposed to facilitate pandemic surveillance.”
He noted that, although the report doesn’t go into “too much depth” other than to say that “this is probably permissible under emergencies in health laws,” he believes the issue “does open the gate for practitioners and theorists alike to [ask]: what exactly does it mean to wholescale transform technology ecosystems for health purposes?”
Parsons said this issue “links up with the second section of the report” where the authors spend a lot of time “going through what was the legislative web that existed ahead of the COVID-19 pandemic.”
He noted that after the SARS outbreak there was a “recognition that the Privacy Act probably needs stronger privacy protections built in” and “that hasn’t been done.” He also noted that the Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA), the Emergencies Act, and health acts “all permitted a pretty robust amount of sharing back and forth.”
Parsons stressed that “privacy was not an impediment at any point based on the research we did.”
“In fact, what was more substantively an issue were information agreements between the provinces, between agencies, and so if there’s legal work to be done it’s figuring out why those weren’t created and how do we build those up more robustly,” he said, noting that any updates to privacy legislation should be careful of “socially beneficial abuses of data.”
“Namely because the initially prescribed categories are relatively delimited, but they can be expanded at any point by the government, which means that’s an aperture that can open significantly,” he said, noting that privacy legislation needs a “human rights approach to protecting people’s rights and privacy.”
“The concern there is absent that [approach], and especially with the potential to gradually extend how the legislation could be used, the restrictions on private businesses when they’re handling and using people’s data will be less restricted than what we see in Europe and other jurisdictions that do have a human rights-based approach,” he explained.
The report found that “privacy legislation did not establish any notable legal barriers for collecting, sharing, and using personal information given the permissibility of such activities in health emergencies, as laid out in provincial health and emergencies laws.”
“More broadly, however,” the report noted, “the legislative standard that allows for derogations from consent in emergency situations may be incompatible with individuals’ perceptions of their privacy rights and what they consider to be ‘appropriate’ infringements of these rights, especially when some individuals contest the gravity (or even existence) of the COVID-19 pandemic in the first place.”
“The mismatch between the law and normative expectations of privacy, while pronounced during the COVID-19 pandemic, is not a new or unprecedented situation,” the report explained.
The report noted that “[F]ederal and provincial decision makers have possessed lawful authority to increase information sharing in COVID-19 pandemic, but they have often responded in disconnected and uncoordinated manners.”
“At the same time,” the reported added, “opposition to the government’s lawful abilities to collect, use, and disclose information as well as to consent-based digital technologies that were meant to mitigate the spread of COVID-19, reveal an ongoing disconnect between the lawfulness of such handling of personal information and Canadians’ normative expectations of how their personal information should be handled.”
According to the report, the COVID-19 pandemic “represents the first public health crisis in which Canada’s federal and provincial privacy, health, and emergency legislation operated simultaneously, highlighting the use of these powers to collect, use, and disclose personal information.”
“As a result of a poorly coordinated government response to SARS, proactive and reactive tools to combat public health threats were implemented, including the creation of the Public Health Agency of Canada (PHAC) and the application of emergency legislation to public health crises,” the report added, noting that both PHAC and the emergency legislation “were used during the COVID-19 pandemic.”
The report also noted that “[L]awful information sharing also occurred often, despite individuals remaining uninformed of the amount of data being collected about them.”
“Additionally, the COVID-19 pandemic was novel in terms of the digital technologies used to collect information, which raised concerns as to how existing legislation governs new technology,” the report added.
Parsons said the authors hope that this report will “act as a guidepost for later work” and “to remind people, ‘this is where we were at this stage of the pandemic, this is the kind of data that was being collected.’ ”
“We transformed well over a billion devices in people’s hands, their iPhones, their Androids, and there’s a totally new means of disease surveillance that exists on the planet today that did not exist 18 months ago. These are obvious things today, but if you were to go back 24 months prior to now I think we’d all be shocked that that would exist,” he said, noting the report is meant to “capture how data was collected and the significance of that.”
“And finally, strategically, [if] the legislatures do look at introducing new legislation to reform privacy laws the hope is that they’ll look at our report, as well as work of other colleagues, and recognize that human rights are essential to include in any privacy law reform. And if the government of Canada, and their provincial counterparts, are going to ensure that they either regain or maintain the trust of the electorate that they cut out as many of these little wiggle rooms, like an order-in-council will expand something and won’t be apparent,” he said, stressing that “if privacy is going to be the key coin of the digital realm then people have to trust how that coin is going to be collected and traded.”
If you have any information, story ideas or news tips for The Lawyer’s Daily please contact Amanda Jerome at Amanda.Jerome@lexisnexis.ca or call 416-524-2152.
The report, “Pandemic Privacy: A preliminary analysis of collection technologies, data collection laws, and legislative reform during COVID-19,” was authored by Benjamin Ballard, Amanda Cutinha and Christopher Parsons.

Christopher Parsons, senior research associate at the Citizen Lab
He noted that, although the report doesn’t go into “too much depth” other than to say that “this is probably permissible under emergencies in health laws,” he believes the issue “does open the gate for practitioners and theorists alike to [ask]: what exactly does it mean to wholescale transform technology ecosystems for health purposes?”
Parsons said this issue “links up with the second section of the report” where the authors spend a lot of time “going through what was the legislative web that existed ahead of the COVID-19 pandemic.”
He noted that after the SARS outbreak there was a “recognition that the Privacy Act probably needs stronger privacy protections built in” and “that hasn’t been done.” He also noted that the Privacy Act, the Personal Information Protection and Electronic Documents Act (PIPEDA), the Emergencies Act, and health acts “all permitted a pretty robust amount of sharing back and forth.”
Parsons stressed that “privacy was not an impediment at any point based on the research we did.”
“In fact, what was more substantively an issue were information agreements between the provinces, between agencies, and so if there’s legal work to be done it’s figuring out why those weren’t created and how do we build those up more robustly,” he said, noting that any updates to privacy legislation should be careful of “socially beneficial abuses of data.”
“Namely because the initially prescribed categories are relatively delimited, but they can be expanded at any point by the government, which means that’s an aperture that can open significantly,” he said, noting that privacy legislation needs a “human rights approach to protecting people’s rights and privacy.”
“The concern there is absent that [approach], and especially with the potential to gradually extend how the legislation could be used, the restrictions on private businesses when they’re handling and using people’s data will be less restricted than what we see in Europe and other jurisdictions that do have a human rights-based approach,” he explained.
The report found that “privacy legislation did not establish any notable legal barriers for collecting, sharing, and using personal information given the permissibility of such activities in health emergencies, as laid out in provincial health and emergencies laws.”
“More broadly, however,” the report noted, “the legislative standard that allows for derogations from consent in emergency situations may be incompatible with individuals’ perceptions of their privacy rights and what they consider to be ‘appropriate’ infringements of these rights, especially when some individuals contest the gravity (or even existence) of the COVID-19 pandemic in the first place.”
“The mismatch between the law and normative expectations of privacy, while pronounced during the COVID-19 pandemic, is not a new or unprecedented situation,” the report explained.
The report noted that “[F]ederal and provincial decision makers have possessed lawful authority to increase information sharing in COVID-19 pandemic, but they have often responded in disconnected and uncoordinated manners.”
“At the same time,” the reported added, “opposition to the government’s lawful abilities to collect, use, and disclose information as well as to consent-based digital technologies that were meant to mitigate the spread of COVID-19, reveal an ongoing disconnect between the lawfulness of such handling of personal information and Canadians’ normative expectations of how their personal information should be handled.”
According to the report, the COVID-19 pandemic “represents the first public health crisis in which Canada’s federal and provincial privacy, health, and emergency legislation operated simultaneously, highlighting the use of these powers to collect, use, and disclose personal information.”
“As a result of a poorly coordinated government response to SARS, proactive and reactive tools to combat public health threats were implemented, including the creation of the Public Health Agency of Canada (PHAC) and the application of emergency legislation to public health crises,” the report added, noting that both PHAC and the emergency legislation “were used during the COVID-19 pandemic.”
The report also noted that “[L]awful information sharing also occurred often, despite individuals remaining uninformed of the amount of data being collected about them.”
“Additionally, the COVID-19 pandemic was novel in terms of the digital technologies used to collect information, which raised concerns as to how existing legislation governs new technology,” the report added.
Parsons said the authors hope that this report will “act as a guidepost for later work” and “to remind people, ‘this is where we were at this stage of the pandemic, this is the kind of data that was being collected.’ ”
“We transformed well over a billion devices in people’s hands, their iPhones, their Androids, and there’s a totally new means of disease surveillance that exists on the planet today that did not exist 18 months ago. These are obvious things today, but if you were to go back 24 months prior to now I think we’d all be shocked that that would exist,” he said, noting the report is meant to “capture how data was collected and the significance of that.”
“And finally, strategically, [if] the legislatures do look at introducing new legislation to reform privacy laws the hope is that they’ll look at our report, as well as work of other colleagues, and recognize that human rights are essential to include in any privacy law reform. And if the government of Canada, and their provincial counterparts, are going to ensure that they either regain or maintain the trust of the electorate that they cut out as many of these little wiggle rooms, like an order-in-council will expand something and won’t be apparent,” he said, stressing that “if privacy is going to be the key coin of the digital realm then people have to trust how that coin is going to be collected and traded.”
If you have any information, story ideas or news tips for The Lawyer’s Daily please contact Amanda Jerome at Amanda.Jerome@lexisnexis.ca or call 416-524-2152.