Reimagining privacy in times of COVID-19
Tuesday, May 26, 2020 @ 11:45 AM | By Sairam Sanathkumar
Alexander Graham Bell’s invention of the telephone, and the advent of the telegraph system boosted newspaper production and readership in the U.S. in the second half of the 19th century. With George Eastman’s invention of the Kodak one-button portable camera, journalism invaded citizens’ private lives more than ever, invoking the indignation of no less than President Grover Cleveland when images of First Lady Frances, 27 years younger to her husband, were unsparingly splashed without her consent on newspapers, magazines and product endorsements.
Warren’s and Brandeis’ message was alarmist for good reason at that time. Today, we are at another point in history when technology is changing the course of privacy regimes. There is an urgency to deploy available and developing technologies to contain the spread of COVID-19. Social distancing and lockdowns have helped slow down the spread, but it is imperative for the federal and provincial governments in Canada to open up the economy sooner than later. This is as much a duty of a welfare state as saving human lives.
Common sense is all it takes to know that mobility trends derived from cellphone data can be correlated with the rate of spread of the virus. Google’s mobility report of May 16 says there was a 40 per cent drop in mobility in retail and recreational centres, nine per cent in grocery and pharmacy locations, 47 per cent in transit stations, 30 per cent in workplaces and a 10 per cent surge in residential areas in Canada from April 4 to May 16. The report, which also gives the province-wise split, uses the median value as the baseline for the corresponding day of the week during the five-week period of Jan. 3 to Feb. 6, 2020. As the government looks at ways of reopening the economy, this data will become invaluable.
For example, it will be insightful to know the rate of increase in positive cases in a residential area where mobility spiked. If transit stations in or around the same area are opened up partially, say, by limiting the number of people at each station any given time, there will likely be a proportionate decrease in mobility in the nearby residential area. This data can be correlated with the rate of increase of positive cases in the same area and compared with the period of total lockdown, to see if relaxed restrictions have an adverse impact on the rate of spread of the virus. Data analytics can also be used to examine if sparsely populated areas see a surge in positive cases with increased mobility from densely populated areas.
Google’s report is based on aggregated and anonymized data from users who turned on location history on their handsets. If there isn’t a large enough pool of users, Google skips reporting any data. This is crucial for governments and private entities to ensure. The source pool of users and/or the geographic area should be large enough to enable de-identification. Also, clusters, such as areas where long-term home care centres or hospitals are located, may have the effect of reidentification, something the Privacy Commissioner of Canada warns about in a framework released on April 17. The framework asks organizations governed by the Personal Information Protection and Electronic Documents Act (PIPEDA) and the Privacy Act, to be “mindful about the unique challenges with location data.” Location datasets “can lead to re-identification, as they can reveal personal details, such as the location of an individual’s home, routine behaviours, and associations.” The framework also observes that “data sets on populations, or subsets of populations, may affect different subgroups or communities with disproportionate consequences.”
These directives, together with others such as identifying legal authority, ensuring necessity, proportionality, openness and transparency, etc., are absolutely the need of the hour. The trouble, however, is much older than COVID-19. The Office of the Privacy Commissioner of Canada can investigate complaints and issue findings, but, by itself, cannot enforce the law or take punitive action.
Canada has also been rather late to arrive at the party of contact tracing apps. Earlier this month, Alberta launched a voluntary app along the lines of Singapore’s TraceTogether app, that will use Bluetooth to identify contacts of a COVID-19 positive person. There are valid privacy concerns in Singapore’s app, but it is possible for such apps to have built-in essential privacy safeguards. Singapore’s TraceTogether collects the mobile number of the subscriber and hashes it with a unique ID. Both the number and ID are stored in a secure server that the public cannot access. Only the unique ID is exchanged via Bluetooth between and among phones in close proximity.
Data about nearby phones is stored in the subscriber’s phone. If the subscriber tests positive, he/she is required by law to help with activity mapping of their movements and interactions. The Singapore government can identify the subscriber with the unique ID only if he/she tests positive. Alberta’s app operates the same way. Both apps guarantee limitations of use and purpose, and retain contact logs data for 21 days. However, unlike in Singapore, those diagnosed with COVID-19 can decide if they want to disclose the contact logs to Alberta public health authorities.
There are, of course, other gaping questions on privacy that need answers and redress. On May 7, federal, provincial and territorial privacy watchdogs jointly issued key privacy principles for governments to ensure in rolling out contact tracing apps. Privacy Commissioner of Canada Daniel Therrien’s statement “everything hinges on design, and appropriate design depends on respect for key privacy principles” hits the nail on the head. If and once privacy concerns are addressed, the rest of Canada may look to using contact tracing apps.
Last week, Prime Minister Justin Trudeau said he hopes the app would be adopted nationwide. The rewards are likely to outweigh the risks as mobility resumes and economies start limping back to normalcy.
Sairam Sanathkumar is an internationally trained lawyer whose practice focuses on information technology, data privacy and intellectual property laws. He has been an in-house legal counsel for three global IT companies. He’s currently an articling student at Dentons Canada LLP.
Photo credit / elenabs ISTOCKPHOTO.COM
Interested in writing for us? To learn more about how you can add your voice to The Lawyer’s Daily, contact Analysis Editor Peter Carter at email@example.com or call 647-776-6740.