Report recommends Ottawa reform socially beneficial purpose exemption to de-identified data sharing
Canadian privacy law lacks a clear governance framework for the collection and use of some personal information, Citizen Lab has concluded in a report examining how telecommunications companies shared de-identified and aggregated mobility data with the federal government during the COVID pandemic.
Among the report’s recommendations, Citizen Lab calls on the federal government to change its recent private sector privacy legislation so Canadians are notified and have a say when private organizations plan to share their data with governmental institutions.
The report, “Minding Your Business A Critical Analysis of the Collection of De-identified Mobility Data and Its Use Under Socially Beneficial and Legitimate Business Exemptions in Canadian Privacy Law,” was authored by Amanda Cutinha and Christopher Parsons. Citizen Lab is an interdisciplinary laboratory at the University of Toronto’s Munk School of Global Affairs & Public Policy.
Mobility data that is de-identified – stripped of markers revealing the identity of its source – and which does not contain the risk of re-identification is not considered personal information in Canadian privacy law, says Cutinha, a commercial litigator and associate at Miller Thomson in Toronto.
“There isn’t a governance framework right now for the protection of that data,” she says. “That data can be shared with the Government of Canada. It can be shared with whomever, without the knowledge and consent of individuals.”
That permitted the data-sharing in 2020 between Telus, the infectious-disease-outbreak intelligence platform, BlueDot, and the Government of Canada.
At the outset of the pandemic, the Public Health Agency of Canada contracted with Telus and BlueDot to help the government model and monitor the spread of COVID-19. When the contracts ended and the Public Health Agency posted a request for proposals to obtain more cell phone data, the House of Commons Standing Committee on Access to Information, Privacy, and Ethics held committee sessions to explore the federal government’s collection and use of this information. The committee’s report concluded that federal privacy law needed modernization.
Bill C-27, the Digital Charter Implementation Act, 2022, is currently in second reading in the House of Commons. The legislation repeals and replaces parts of the Personal Information Protection and Electronic Documents Act (PIPEDA) related to collecting, using, and disclosing personal information for commercial activity in Canada.
But according to the Citizen Lab report, Bill C-27 fails to correct the shortcomings in federal commercial privacy law. Under the legislation, the government can continue to collect information, including mobility data, “so long as uses were socially beneficial and without clearly demarcating what will or will not constitute such uses in the future.”
The “socially beneficial purpose exemption” allows organizations to disclose a person’s mobility information without their knowledge or consent if the information is de-identified, is made to a government institution, and the disclosure is made for a “socially beneficial purpose,” says Cutinha. Bill C-27 defines a socially beneficial purpose as a “purpose related to health, the provision or improvement of public amenities or infrastructure, the protection of the environment or any other prescribed purpose.”
“That purpose has been defined very broadly in the legislation… It allows for decisions about what’s socially beneficial to kind of permeate data sharing. And that can be really problematic when decisions about what’s socially beneficial are highly politicized.”
The report uses the example of access to abortion care services. Mobility data can reveal that a person has travelled to Planned Parenthood or a healthcare centre providing reproductive care. Some governments could use that information to allow for greater access to those services, says Cutinha, but other governments may do the opposite.
The Citizen Lab report recommends the federal government change Bill C-27 so that the socially beneficial purpose exemption requires that an organization inform people if their de-identified data are disclosed and allow them to opt out. The report recommends that the organization articulate the socially beneficial purpose, that receiving the de-identified information confirms consent obligations have been complied with, and that the Privacy Commissioner is consulted and approves of the disclosure.
The report also recommends that the socially beneficial purpose be publicly disclosed and approved by the Privacy Commissioner and that an “adverse effect assessment” be conducted.