Contact-tracing app guidance from “Privacy Guardians”

On May 7, 2020, the Office of the Privacy Commissioner of Canada (OPC) and the provincial and territorial Information and Privacy Commissioners issued a joint statement on privacy principles for contact tracing and similar apps. (Aside: yes, not to be left out of the hero category, they really did refer to themselves as “privacy guardians”!)

The joint statement is interesting on a number of fronts. Although the joint statement was directed at government sponsored tracing apps, it has wider implications for private sector initiatives – particularly in the workplace. For example, NPR reported that PwC is in the process of developing a mobile app to track employees in close contact with one another. According to the NPR article, PwC is considering making its App mandatory in all of its offices. PwC is not alone. Wired reports that employers are considering deploying contact tracing apps, even as U.S. public health officials are saying “no thank you” to them.

So, what can we learn from the joint statement from the “guardians”?

ABTrace Together App

First, the joint statement comes in the wake of the Alberta launch of the ABTrace Together app.

The marketing launch for the ABTrace Together App is interesting. We are in the midst of a truly unprecedented interference with fundamental freedoms of mobility, association, and religious assembly – to name a few. In this context, the App is pitched as the fastest way to “re-open the economy” and, presumably, regain some freedoms. The potential coercive effect of these Apps cannot be lost on the Commissioners.

Currently, the App is voluntary. Users register their mobile phone number, which public health authorities will use to engage in contact tracing. Users must keep the App running and Bluetooth signals on in order for the App to work. The App uses Bluetooth signals to record when phones that are running ABTrace Together are in proximity to one another. The records are stored for 21 days locally on a user’s phone. If one of the users of the App is diagnosed with COVID-19, public health will ask for access to that user’s logs in order to get a list of recent codes that public health can associate with a phone number to conduct tracing. So, contact tracing will still be done by professionals.

The technology involved in the ABTrace Together App appears to be similar to other proposed Apps, including the PwC App.

Meaningful Consent

Not surprisingly, the Commissioners argue that the use of the apps must be voluntary. They assert that this is necessary to build public trust. Oddly though, the Commissioners argue that the proposed measures must have “a clear legal basis” and “consent must be meaningful”. Further, they argue that “separate consent must be provided for all public health purposes”.

No government in Canada is suggesting (thus far) that the price of recovering freedoms will be mandatory tracing apps. However, the Commissioners’ emphasis on consent is intriguing. The collection and use of personal information in public sector statutes is not generally grounded in consent and that is most definitely the case in the public health context. The Commissioners appear to be arguing for what they wish the public sector law was instead of what it is.

However much the Commissioners have obfuscated the public sector context, the Commissioners are certainly sending the private sector a strong message. PwC and other private sector employers whose employees are protected by Canadian privacy legislation should take note. Mandatory surveillance apps are going to be a tough sell to the “privacy guardians”.