
Pandemic Privacy Explained

On September 28, the Citizen Lab published an analysis of COVID-19 data collection practices. In this post, we discuss the significance of the findings with report authors.

What are the main findings of this report?

This report focused on how data was collected during the COVID-19 pandemic in the United States, United Kingdom, and Canada, the extent to which privacy inhibited pandemic responses in Canada, and how Canadian privacy legislation introduced during the pandemic would problematically have rewritten federal commercial privacy law had it not died on the order paper. 

In analyzing how COVID-19 data has been collected in the United States, United Kingdom, and Canada, we found that the breadth and extent of data collection constituted entirely novel technological responses to a health crisis despite the fact that many of the adopted methods could be mapped onto a trajectory of past collection practices. We also found that the ability for private companies such as Google and Apple to forcefully shape some of the technology-enabled pandemic responses speaks to the significant ability of private companies to guide public health measures that rely on contemporary smartphone technologies.

Throughout the pandemic concerns have arisen that privacy, or privacy law, would prevent governments from adequately collecting, using, or sharing data to mitigate the spread of COVID-19. We did not find that privacy law was responsible for the problems that have arisen throughout Canadian governments’ responses to the pandemic. Privacy, health, and emergencies laws that were in place since the outset of the COVID-19 pandemic ensured that governments and private organizations alike were able to mobilize information to combat the pandemic.

Finally, in assessing potential future privacy legislation that emerged in the wake of the pandemic, we found that the Canadian government’s proposed legislation could have significantly extended the ability of private organizations to collect, use, or disclose personal information without individuals’ consent. Moreover, had the Canadian-style legislation been adopted into law then it would have failed to include a human rights-based focus, with the effect of insufficiently protecting Canadians’ personal information at a time when such protections are sorely needed.

Given the many differences between countries, what do we gain by doing comparative analyses? 

We conducted a comparative analysis of the different technologies which were adopted to combat COVID-19. This approach let us better understand and assess how private organizations influenced state behaviours, while also making clear that the processes that we were seeing were not limited to one country but were instead representative of a broader trend. Focusing on how collection technologies were used in a single country, in contrast, would not have afforded us the ability to draw equivalently broad conclusions.

When it comes to our legal and legislative analysis, we focused on a single jurisdiction to assess whether there were common trends in legislation that empowered governments in Canada to collect, use, and disclose personal information to combat the pandemic. By triangulating between three provinces—British Columbia, Ontario, and Quebec—as well as the federal government, we were able to make stronger claims about the relatively unrestricted ability of governments to handle personal information during health emergencies than had we focused only on federal laws, or the laws of a single or pair of provinces.

How have different political cultures informed pandemic responses?

When looking at how collection technologies were used to support the pandemic response, we deliberately conducted a comparative analysis that included the United States, United Kingdom, and Canada. Doing so let us assess the extent to which these countries, which have different political cultures as well as health provisioning systems, would adopt collection technologies, and the extent to which their approaches would differ. Based on our study, we found that common trends in technology uptake occurred despite differences in nations’ political cultures. Specifically, in all jurisdictions we saw a willingness on the part of private industry to repurpose pre-existing consumer surveillance systems to facilitate disease surveillance, a push and pull between states and Apple and Google with the effect of states capitulating and adopting a data collection system built by Apple and Google, and a general adoption of privacy-protective means of collecting disease symptom information from individuals who installed symptom checker applications on their smartphones. 

Both the technologies deployed to combat COVID-19 as well as the legal rationales underpinning them are often framed as unprecedented, but the report notes that they have “historical legacies.” How do these approaches speak to deeply rooted approaches to health and civil liberties?

In the case of the technologies that we examined—which were built or configured to enable states to surveil, identify, and interrupt the spread of disease—they were part of a lineage of disease surveillance processes, practices, and techniques. However, the actual modes of surveillance, which often re-purposed existing communications infrastructures for mass surveillance to facilitate the mitigation of the pandemic, were unprecedented in scope.

When looking at laws that were in place at the start of the pandemic, in Canada, we found that governments had developed an extensive legislative framework to facilitate data collection, use, and sharing. This framework was created, in part, as a response to the 2003 SARS outbreak, where concerns had been raised in its aftermath that commercial privacy laws might impede responses to future pandemics. The key lessons from the SARS pandemic, which focused significantly around ensuring governments could collect, use, and share information efficiently, were not learned. As a result, there is precedent in Canada for governments failing to address a health crisis, and many of the failures that arose in SARS have been mirrored in the current health crisis. 

What role do private companies play in the collection and sharing of public health data?

Private companies have, and hold, significant roles in how health care is provisioned and in how governments can mitigate and combat the spread of disease. Given the global nature of the COVID-19 pandemic many companies were involved in the pandemic response. This included telecommunications companies and private advertising companies that collect huge volumes of our personal information every day, Google and Apple which transformed elements of their operating system to enable decentralized and privacy-protective exposure notification applications, and companies that designed applications to help individuals assess whether they had the symptoms of COVID-19. However, much of the data that was collected was already in the hands of private companies and they either resisted sharing some of it, in part due to privacy concerns, or were involved in not just collecting the data but also making decisions about what it meant. This put private companies in notable positions of influence over how states were informed of the efficacy of their policies. 

In the case of the exposure notification applications that use the Google/Apple exposure notification system, countries were forced to adapt to the limits laid out by Google and Apple regardless of what their own health care professionals said were needed to mount a public health response to the health emergency. While Google and Apple may have had good reasons for their decisions—such as to prevent disease surveillance applications from turning into mass surveillance tools by repressive governments—the fact remains that private companies dictated how public health workers would respond to the pandemic. This kind of resistance to states’ preferred modes of collecting data about a health emergency is notable, as is the fact that ultimately Google and Apple did transform elements of their operating system to create the largest, decentralized and privacy-protective, exposure notification system that’s ever existed. 

How have Canada’s privacy laws prevented or enabled collecting, sharing, and using personal information throughout the pandemic?

At the outset of the pandemic in Canada there were concerns that privacy might unduly prevent governments from collecting, using, or sharing personal information, with the effect that governments would be ill prepared to mitigate the spread of COVID-19. In our research, however, we did not find this to be the case: the web of health, emergencies, and privacy law that predated the COVID-19 pandemic ensured that governments and private organizations alike could mobilize data, as needed to combat the pandemic. 

While applications such as Canada’s COVID Alert were recognized by experts throughout Canada as being highly protective of individuals’ privacy rights, many Canadians still resisted installing the application on the grounds of fearing it would intrude upon their privacy. What does this situation suggest to you about how some Canadians interpret what is a legitimate, or illegitimate, intrusion into their privacy?

Canadian law empowers the government to collect significant amounts of personal information from Canadians, so long as there is a direct connection between the collection and the mandate of a given government agency. The Government of Canada, and their provincial counterparts, declined to exercise these powers under the law and instead ensured that the COVID Alert application would be opt-in, and that individuals would provide consent before any data collection took place. Despite being amongst the most privacy-protective government initiatives in recent memory, many Canadians hesitated to install the application. 

In our report, we discuss the need for governments to update their privacy legislation to ensure that Canadians can better understand how their data might be used once collected, as well as ensure that governments will not extend their uses of collected personal data once they have obtained it. At the same time, it behooves governments to publicly consult with Canadians to explain when they will obtain consent before using types of data, as well as build in processes where Canadians are made aware of data collection, use, or disclosure at a time when their decision is linked to the action the government wants to undertake. This might mean that before an agency that had collected data used it, the agency either informed or obtained further consent or approval from the affected individual. Doing so would help Canadians better understand how, when, and why their personal information was used, while also hopefully building trust that the government wasn’t carelessly handling or using their personal information.

As we look to the future, what are the issues policymakers need to grapple with?

We identify a set of issues policymakers will need to attend to as a result of what has been learned throughout the COVID-19 pandemic. First, the pandemic has shown that private companies can exert considerable influence over the technical systems that are used to monitor for, and subsequently help to mitigate, the spread of disease. Has the balance of influence during the COVID-19 pandemic been appropriate, or should state actors be empowered to compel private companies to more closely adhere to what public health officials believe are necessary actions? 

Second, many of the technical systems that were used to collect data during the pandemic were untested at their launch: governments have never tried to rely on mobile phone data, or exposure notification applications, or even digital symptom checkers at the scale they were employed during the pandemic. Because many of these tools were experimental in nature there is an ongoing, and vigorous, debate over their utility or efficacy, and in particular concerns that some systems and tools may have exacerbated pre-existing social inequities. How can we ensure that future experimental systems and tools can be deployed in equitable ways, and who should be responsible for assessing the bioethical implications of these tools and the associated government policies? 

Third, the pandemic has showcased that there is a divide between the privacy protections expected by some members of the public versus those guaranteed in law. Policymakers will need to contemplate how to regain trust that has already been lost, as well as propose privacy law reforms that satisfy individuals’ expectations of privacy while balancing those expectations against the needs of states to be prepared to respond to future health emergencies. The question before government officials is how can they undertake meaningful consultations so that Canadians feel heard in what they believe the government should do to better protect their personal information, and how will governments then act on what they hear?

Finally, proposed reforms to federal privacy legislation in Canada during the pandemic lacked human rights protections and, as a result, would have inadequately protected privacy and thus could compound distrust in how private organizations can handle personal information. Policymakers preparing legislation for the next parliament will need to respond to whether they want to re-introduce such deeply problematic legislation or if, instead, they want to follow international consensus and adopt privacy legislation that is grounded in human rights.