Appearance before the House of Commons Standing Committee on Industry, Science and Technology (INDU) on contact tracing applications
May 29, 2020
Ottawa, Ontario
Opening statement by Daniel Therrien
Privacy Commissioner of Canada
(Check against delivery)
Thank you chair and committee members for your invitation to discuss tracing applications, which is one of the approaches being studied in Canada and elsewhere to ensure a safe return to a more normal life.
Please note that the expression “tracing applications” is used in public speech to describe various mobile applications as public health tools. Some are designed for conducting true contact tracing while others have the ultimate goal of informing users and giving them advice based on their level of risk.
Protecting both public health and privacy
During this public health crisis due to COVID-19, the health and safety of Canadians is a key concern. It is natural for governments and public health authorities to try to find ways, including technological means, to better understand and control the spread of the coronavirus.
In this context, the Office of the Privacy Commissioner has suggested a flexible and contextual approach in its enforcement of privacy laws. We strongly believe that it is possible to use technology to protect both public health and privacy. Technology in itself is neither good nor bad. Everything depends on how it is designed, used and regulated.
When properly designed, tracing applications could achieve both objectives simultaneously, in terms of public health and the protection of rights. If implemented inappropriately, they could lead to surveillance by governments or businesses that exceeds public health needs and is therefore a violation of our fundamental rights.
App design is key to the protection of rights
Appropriate design of technologies such as tracing applications depends on respect for some key privacy principles recommended in the OPC’s Framework to Assess Privacy-Impactful Initiatives in Response to COVID-19, and in a Joint Statement by Federal, Provincial and Territorial Privacy Commissioners on contact tracing applications.
In the interest of time, I will focus here on six of these principles.
First, purpose limitation: personal information collected through tracing applications should be used to protect defined public health purposes and for no other purpose.
Second, these applications should be justified as necessary and proportionate and, therefore, be science-based, necessary for a specific purpose, tailored to that purpose and likely to be effective.
Third, there must be a clear legal basis for the use of these applications and use should be voluntary, as this is important to ensure citizens’ trust. Use should therefore be consent-based and consent must be meaningful.
Fourth, these exceptional measures should be time-limited. Any personal information collected during this period should be destroyed when the crisis ends and the applications de-commissioned.
Fifth, transparency: governments should be clear about the basis and the terms applicable to these applications. Privacy Impact Assessments or meaningful privacy analysis should be completed, reviewed by privacy commissioners, and a plain-language summary published proactively.
Sixth, accountability: governments and companies should be accountable for how personal information will be collected, used, disclosed and secured. Oversight by an independent third party, such as privacy commissioners, would enhance citizens’ trust.
Current crisis heightens need for law reform
While governments have stressed the importance of privacy in the design of tracing applications, several of the principles I have mentioned are not currently legal requirements in our two federal privacy laws. So, for instance, nothing currently prevents a company from proposing an app that is not evidence-based and use the information for commercial purposes unrelated to health protection, provided consent is obtained, often in incomprehensible terms. A government could also partner with that company.
The current health crisis has made clear that technologies can play a very useful role in making essential activities safe. This meeting is about contact tracing but potential benefits are much wider: for instance, let us think about virtual medicine or e-education.
What we need, more urgently than ever, are laws that allow technologies to produce benefits in the public interest without creating risks that fundamental rights such as privacy will be violated. And because of the growing role of public-private partnerships in addressing situations such as the COVID crisis, we need common principles enshrined in public-sector and private-sector laws.
- Date modified: