Statement from the Privacy Commissioner following release of ETHI report into the government’s collection and use of mobility data
May 4, 2022
Privacy Commissioner of Canada Daniel Therrien released the following statement in response to the House of Commons Standing Committee on Access to Information, Privacy and Ethics’ (ETHI) report on the Collection and Use of Mobility Data by the Government of Canada:
We welcome the committee’s report on the collection and use of mobility data by the Government of Canada.
Fundamentally, this matter is about trust and how the government, although pursuing legitimate goals, failed to act in ways that would reassure Canadians that its use of mobility data would respect their privacy.
It underscores how current privacy laws are so out of step with modern technological developments that even socially beneficial uses of data are seen as suspect because Canadians have no confidence that our laws will protect them.
We agree with ETHI that this matter again underscores the urgent need to modernize our privacy laws. Amendments are required on many fronts, including the following, which are particularly relevant to the lessons learned during ETHI’s study.
First, both the public sector Privacy Act and the successor of former Bill C-11, the upcoming private sector privacy law, should, while allowing for flexibility in the use of de-identified information, consider that information as personal and therefore protected under privacy laws.
The government maintained that its use of de-identified mobility data was not covered by the Privacy Act, which only protects personal information about an identifiable individual. While that may be legally correct under the current law, this is not good policy and the law should be changed.
As there is always a risk that de-identified information may be re-identified, a better policy would be to consider de-identified information as personal and therefore subject to privacy protections. This was the solution proposed in former Bill C-11, the Consumer Privacy Protection Act, which died on the order paper when the last election was called.
Second, our laws should give organizations greater flexibility to use personal information without consent for responsible innovation and socially beneficial purposes. However, this should be done within a legal framework that recognizes privacy as a human right, and as an essential element for the exercise of other fundamental rights. This approach is essential to building public trust, as there is no trust without the protection of rights.
On that note, stakeholders have argued that a rights-based approach is not possible under Canadian federal law, as the protection of civil rights falls within provincial jurisdiction under the Constitution.
To the contrary, the OPC has received expert legal advice which holds that our proposed amendments to former Bill C-11 “would add to the constitutional validity” of a new private sector law.
Under our approach to law reform, there would be less emphasis placed on consent and the terms and conditions under which it is obtained. It is neither practical nor realistic to expect individuals to give consent for all uses of their data.
However, and this is our third recommendation: this greater flexibility to use personal information for the public good, including public health purposes, should come with greater transparency and accountability. These uses of personal data should therefore be subject to independent oversight by the OPC, an expert body mandated to protect the privacy of citizens. The regulator should have the authority to conduct proactive audits, to verify compliance with the law and reassure Canadians that their privacy rights are respected.
In this instance, while the government informed my office of its intention to use mobility data, it ultimately declined our offer to review how the data was de-identified and how privacy principles were implemented. The regulator should be able to insist on a proactive audit, where required to ensure public trust.
Fourth, this data sharing initiative is an example of the movement of data between the private and public sectors and demonstrates the need for both to be governed by common principles and rules. With these two sectors interacting ever more frequently, it is imperative that they be held to similar standards. Ideally, our two federal privacy laws should be updated concurrently.
We are grateful for ETHI’s report, its latest among many that have called for enhanced protection of the privacy rights of Canadians.
Related documents:
Key OPC recommendations for a new federal private sector privacy law
- Enable responsible innovation
- Adopt a rights-based framework
- Increase corporate accountability
- Ensure interoperability of laws, internationally and domestically
- Adopt quick and effective remedies
- Give the OPC tools to adopt a risk-based approach while being transparent
- Date modified: