On May 7, 2020, the Office of the Privacy Commissioner of Canada (OPC) and the provincial and territorial Information and Privacy Commissioners issued a joint statement on privacy principles for contact tracing and similar apps. (Aside: yes, not to be left out of the hero category, they really did refer to themselves as “privacy guardians”!)
The joint statement is interesting on a number of fronts. Although the joint statement was directed at government sponsored tracing apps, it has wider implications for private sector initiatives – particularly in the workplace. For example, NPR reported that PwC is in the process of developing a mobile app to track employees in close contact with one another. According to the NPR article, PwC is considering making its App mandatory in all of its offices. PwC is not alone. Wired reports that employers are considering deploying contact tracing apps, even as U.S. public health officials are saying “no thank you” to them.
So, what can we learn from the joint statement from the “guardians”?
ABTrace Together App
First, the joint statement comes in the wake of the Alberta launch of the ABTrace Together app.
The marketing launch for the ABTrace Together App is interesting. We are in the midst of a truly unprecedented interference with fundamental freedoms of mobility, association, and religious assembly – to name a few. In this context, the App is pitched as the fastest way to “re-open the economy” and, presumably, regain some freedoms. The potential coercive effect of these Apps cannot be lost on the Commissioners.
Currently, the App is voluntary. Users register their mobile phone number, which public health authorities will use to engage in contact tracing. Users must keep the App running and Bluetooth signals on in order for the App to work. The App uses Bluetooth signals to record when phones that are running ABTrace Together are in proximity to one another. The records are stored for 21 days locally on a user’s phone. If one of the users of the App is diagnosed with COVID-19, public health will ask for access to that user’s logs in order to get a list of recent codes that public health can associate with a phone number to conduct tracing. So, contact tracing will still be done by professionals.
The technology involved in the ABTrace Together App appears to be similar to other proposed Apps, including the PwC App.
Not surprisingly, the Commissioners argue that the use of the apps must be voluntary. They assert that this is necessary to build public trust. Oddly though, the Commissioners argue that the proposed measures must have “a clear legal basis” and “consent must be meaningful”. Further, they argue that “separate consent must be provided for all public health purposes”.
No government in Canada is suggesting (thus far) that the price of recovering freedoms will be mandatory tracing apps. However, the Commissioners’ emphasis on consent is intriguing. The collection and use of personal information in public sector statutes is not generally grounded in consent and that is most definitely the case in the public health context. The Commissioners appear to be arguing for what they wish the public sector law was instead of what it is.
However much the Commissioners have obfuscated the public sector context, the Commissioners are certainly sending the private sector a strong message. PwC and other private sector employers whose employees are protected by Canadian privacy legislation should take note. Mandatory surveillance apps are going to be a tough sell to the “privacy guardians”.
Necessity and Proportionality
Also making an appearance in the joint statement is the well-worn necessity and proportionality test. This test is used to assess the “appropriateness” of the collection and use of personal information. Again, private sector organizations should take notice. The appropriateness of workplace surveillance will need to meet this test if employees are protected by privacy laws.
The Commissioners state that governments must consider: (1) whether there is an evidence-based and specific need for the App; (2) whether the App is “carefully tailored in a way that is rationally connected” to the specific purposes for the App; (3) whether the App is likely to be effective at achieving the purpose; and (4) whether there are options that are less intrusive or that minimize data.
It will be interesting to see how Alberta Commissioner Clayton analyzed whether the ABTrace Together App meets the necessity and proportionality test. In a press release, Commissioner Clayton applauded Alberta Health for using a decentralized storage of de-identified Bluetooth logs which the individual could decide whether to provide to public health officers for contact tracing (at least at the moment).
The lesson here for the private sector is that decentralized storage of contact logs is likely to be more palatable (to the Commissioners – and probably users) than the centralized storage that is envisioned by employer Apps.
It also appears that Commissioner Clayton considered (or is considering) the functionality of the App narrowly and apart from the broader context of the mobile app ecosystem. I’m not convinced that private sector organizations will be given the same latitude by the Commissioners. Use of the App requires the user to broadcast the user’s Bluetooth signal, which is not used solely for the purposes of the ABTrace App but also by marketers who can use the signal for location tracking purposes, particularly indoors. Nowhere on the Government of Alberta’s website does the Government inform users of the App of the large Bluetooth ecosystem. However, in the private sector, it is arguable that meaningful consent would require this to be prominently disclosed as a potential privacy risks to the individual, at least under a strict reading of the OPC’s meaningful consent guidelines.
More importantly, it is not entirely clear that private sector organizations will be able to demonstrate necessity and that these apps are minimally intrusive to the level required by Commissioners. The fact that the App may be more efficient in permitting tracing will not be the decisive factor. Employers will have to consider the data already available to the employer about employee activities – such as logs of when they badge in and out and whether they have assigned work spaces or register for desk space. The total context of information that is already reasonably available to the employer will be a factor in determining whether additional surveillance is required.
Moreover, employers will have to grapple with the fact that Bluetooth tracking is imperfect and employers are not trained public health officials for the purposes of appropriate contact tracing. While the strength of the Bluetooth signal can assist in determining the distance between two individuals, it is not a perfect indicator. In an office setting, employees could be separated by a thin boardroom wall separator. Will that trigger a false positive connection? Who will interpret the results and decide who to contact and what training will that person have? How will notice be given without disclosing the health status of the individual who was allegedly infected? There seems to be an assumption among the developers of Apps for employers that contact tracing is not a skill but simply a matter of calling someone up and saying you were near someone that was infected. What then?
The Commissioners also argue that “exceptional measures” should be time-limited. Moreover, they argue that “personal information collected during this period should be destroyed when the crisis ends, and the application decommissioned”.
The Commissioners are clearly worried about normalizing this type of tracing and the potential for scope creep. And so they should be. At PwC, there is apparently thoughts that the App could be deployed for for other health crises – “a firm could toggle on when there’s a health crisis, such as a bad flu season, and then off, when the risk fades”. How long before these Apps are used for even broader purposes?
Final Word: What about this “guardian” stuff?
I can’t leave today’s post without reflecting on the Commissioners’ new re-branding as the “privacy guardians”. No humility for this lot, it seems. I appreciate that “Commissioner” is a stuffy word and the term “Ombudsperson” is prohibited in some offices (even if it is accurate). However, this “privacy guardian” self-reference is a bit much. Let’s leave the “super hero” category for front-line health workers and others placing their lives at risk. No doubt “privacy guardian” is better for search engine optimization and headlines. But, accuracy matters and the Commissioners ought to be and be seen to be independent and neutral – not politicized advocates.