As countries around the world continue their efforts to combat the novel coronavirus (COVID-19), governments are increasingly turning to technology to enforce "social distancing" rules and related measures designed to contain the spread of the virus. For example:
- in Italy, Germany and Austria, telecommunications companies are now sharing smartphone location data with governments to monitor whether individuals are complying with self-isolation rules;
- in Israel, the government is using location data to trace the movement of individuals who have contracted COVID-19 and identifying people who should be quarantined as a result of close contact; and
- in Canada, the Government of Alberta recently indicated that it plans to implement location-tracking measures to enforce quarantine orders.
This blog explores how smartphone location-tracking measures would be considered within the context of Canadian private sector and public sector privacy laws. This blog does not explore smartphone location-tracking in the context of health information laws, as it is assumed that the smartphone location data would be obtained separately from any specific health information.
Legislation
In determining whether government institutions can collect, use and disclose smartphone location data for purposes related to enforcing "social distancing" rules and related measures designed to contain the spread of the COVID-19 virus, the analytical framework in Canada involves examination of the following statutes, depending on the level of government seeking to obtain the smartphone location data:
- Personal Information Protection and Electronic Documents Act (PIPEDA): applies generally to private-sector organizations in Canada that collect, use or disclose personal information in the course of commercial activities, including federally-regulated businesses (e.g., banks, telecommunications companies) and businesses that handle information crossing provincial or national borders. Note that Alberta, British Columbia and Québec have their own provincial private-sector privacy laws which apply to the collection, use or disclosure of personal information within each province and which are substantially similar to PIPEDA; and
- Privacy Act: applies to certain federal government institutions in respect of personal information that the federal institution collects, uses and discloses; or
- Freedom of Information and Protection of Privacy Acts (FIPPA) (Note, while each province has equivalent legislation, names may vary): applies to personal information collected, used and disclosed by provincial and municipal government institutions (sometimes referred to as "public bodies").
"Personal information" in the above-referenced statutes refers generally to any information about an identifiable individual. Accordingly, smartphone location data linked to an individual will be subject to the privacy framework. On the other hand, where government institutions can collect, aggregate and anonymize or de-identify information that cannot be linked back to an identifiable person, then collection, use and disclosure of such information is likely not subject to such privacy laws.
Technical Background
From a technical perspective, there are multiple mechanisms by which location data from a smartphone can be determined, including through a device's built-in global positioning system (GPS) or from the signal a device transmits to nearby cell towers. The resulting location data may be collected by businesses such as telecommunications companies (e.g., through phone calls transmitted to nearby cell towers) and smartphone app developers (e.g., by using a mobile device's built-in GPS) such as apps providing social media, mapping or weather services. In addition, government institutions may directly collect smartphone location data using apps created by the governments themselves.
Collection and Disclosure of Smartphone Location Data by Organizations
Under PIPEDA and its provincial counterparts, the purpose for
which personal information is collected must generally be
identified by the organization at or before the time the
information is collected and consent to such collection must be
obtained, unless the collection falls within a specified exception.
To the extent that an organization collects an individual's
smartphone location data, the purpose for doing so will often be
disclosed at or before the time of collection, including, as may be
set out in its privacy policy. It is unlikely, however, that such
purpose disclosures and related consents contemplate disclosure for
the purpose of enabling the enforcement of COVID-19 social
distancing and related measures.
Nevertheless, governments wishing to access smartphone location
data about identifiable individuals in the face of COVID-19 may
obtain such data from a number of different organizations; however,
an appropriate legal mechanism must be utilized in mandating
organizations to disclose this data without notice to or the
consent of the individual. Under PIPEDA and its provincial
counterparts, organizations may disclose personal information
without the knowledge or consent of the individual only under
certain circumstances. In the context of COVID-19, the relevant
exceptions may include circumstances where the disclosure is:
- made to a government institution that has made a request for the information and which has indicated that the disclosure is requested for the purpose of administering or enforcing any law of Canada, a province or a foreign jurisdiction, or
- required by law.
Therefore, where the federal or a provincial government enacts
legislation requiring compliance with self-isolation rules
by law, for example, it is conceivable that organizations may be
required to disclose information requested by the relevant
government institution for the purpose of enforcing or
administering such laws. For example, the federal government and
most provinces have enacted legislation which requires all persons
entering their borders to self-isolate for 14 days.
In addition, Canadian governments could pass legislation expressly
requiring organizations to disclose smartphone location data. Such
legislation could take a variety of forms, including stand-alone
legislation, an order or regulation under existing legislation, an
amendment to the COVID-19 Emergency Response Act or, if
used, under a regulation passed through the broad powers prescribed
by the Emergencies Act.
Collection and Use of Smartphone Location Data by Government Institutions
Under the Privacy Act, a federal government institution
may collect and use personal information without consent of the
individual to whom it relates for any purpose where, in the opinion
of the head of the institution, the public interest in disclosure
clearly outweighs any invasion of privacy that could result from
the disclosure. Under provincial FIPPA regimes, personal
information may generally be collected and used without consent if
doing so will avert or minimize harm to the health or safety of any
individual. Therefore, under the federal and provincial public
sector privacy frameworks, governments may assert that the public
interest in preventing the spread of COVID-19, and thereby
protecting the health of individuals, outweighs any possible
invasion of privacy arising from the use of smartphone location
data to enforce "social distancing" rules and related
measures.
Alternatively, under both the federal and provincial regimes, a
government institution may forego the consent requirement where it
is authorized to do so by law. Therefore, governments may pass
legislation (i.e., in a form as discussed above) authorizing the
collection and use of smartphone location data to enforce
"social distancing" rules and related measures without
consent of the individuals to whom it relates.
Privacy Protections Once Smartphone Location Data in the Hands of the Government
One of the main concerns that has been raised with the collection and use of smartphone location data by government institutions is whether such location data will continue to be collected and used after the COVID-19 pandemic has ended, and if so, for what purposes?
Under the Privacy Act and provincial FIPPA regimes, if personal information is no longer needed for the purposes it was originally sought, then the information cannot continue to be used, and must be retained and destroyed in accordance with the provisions outlined in the applicable privacy statute.
Government institutions will also be required to comply with all of the other privacy protections outlined in the applicable public sector privacy statute, including: (i) limiting the collection of information to that which is necessary for the specified COVID-19-related purpose; (ii) ensuring the accuracy of such information; (iii) using appropriate security safeguards for such information; (iv) openness of its policies and practices in respect of such information; and (v) the individual's access to such information.
In addition, government action is subject to the Canadian Charter of Rights and Freedoms; section 8 of the Charter provides that "[e]veryone has the right to be secure against unreasonable search or seizure." In regards to privacy, the Supreme Court of Canada has adopted a purposive approach to section 8 "that emphasizes the protection of privacy as a prerequisite to individual security, self-fulfillment and autonomy as well as to the maintenance of a thriving democratic society" (R v Spencer, 2014 SCC 43 at para 15).
Accordingly, any government action with respect to the use or disclosure of smartphone location data other than to enforce "social distancing" rules and related measures will have to appropriately address these fundamental requirements.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.