As countries around the world continue their efforts to combat the novel coronavirus (COVID-19), governments are increasingly turning to technology to enforce "social distancing" rules and related measures designed to contain the spread of the virus. For example:
- in Italy, Germany and Austria, telecommunications companies are now sharing smartphone location data with governments to monitor whether individuals are complying with self-isolation rules;
- in Israel, the government is using location data to trace the movement of individuals who have contracted COVID-19 and identifying people who should be quarantined as a result of close contact; and
- in Canada, the Government of Alberta recently indicated that it plans to implement location-tracking measures to enforce quarantine orders.
This blog explores how smartphone location-tracking measures would be considered within the context of Canadian private sector and public sector privacy laws. This blog does not explore smartphone location-tracking in the context of health information laws, as it is assumed that the smartphone location data would be obtained separately from any specific health information.
In determining whether government institutions can collect, use and disclose smartphone location data for purposes related to enforcing "social distancing" rules and related measures designed to contain the spread of the COVID-19 virus, the analytical framework in Canada involves examination of the following statutes, depending on the level of government seeking to obtain the smartphone location data:
- Personal Information Protection and Electronic Documents Act (PIPEDA): applies generally to private-sector organizations in Canada that collect, use or disclose personal information in the course of commercial activities, including federally-regulated businesses (e.g., banks, telecommunications companies) and businesses that handle information crossing provincial or national borders. Note that Alberta, British Columbia and Québec have their own provincial private-sector privacy laws which apply to the collection, use or disclosure of personal information within each province and which are substantially similar to PIPEDA; and
- Privacy Act: applies to certain federal government institutions in respect of personal information that the federal institution collects, uses and discloses; or
- Freedom of Information and Protection of Privacy Acts (FIPPA) (Note, while each province has equivalent legislation, names may vary): applies to personal information collected, used and disclosed by provincial and municipal government institutions (sometimes referred to as "public bodies").
"Personal information" in the above-referenced statutes refers generally to any information about an identifiable individual. Accordingly, smartphone location data linked to an individual will be subject to the privacy framework. On the other hand, where government institutions can collect, aggregate and anonymize or de-identify information that cannot be linked back to an identifiable person, then collection, use and disclosure of such information is likely not subject to such privacy laws.
From a technical perspective, there are multiple mechanisms by which location data from a smartphone can be determined, including through a device's built-in global positioning system (GPS) or from the signal a device transmits to nearby cell towers. The resulting location data may be collected by businesses such as telecommunications companies (e.g., through phone calls transmitted to nearby cell towers) and smartphone app developers (e.g., by using a mobile device's built-in GPS) such as apps providing social media, mapping or weather services. In addition, government institutions may directly collect smartphone location data using apps created by the governments themselves.
Collection and Disclosure of Smartphone Location Data by Organizations
Nevertheless, governments wishing to access smartphone location data about identifiable individuals in the face of COVID-19 may obtain such data from a number of different organizations; however, an appropriate legal mechanism must be utilized in mandating organizations to disclose this data without notice to or the consent of the individual. Under PIPEDA and its provincial counterparts, organizations may disclose personal information without the knowledge or consent of the individual only under certain circumstances. In the context of COVID-19, the relevant exceptions may include circumstances where the disclosure is:
- made to a government institution that has made a request for the information and which has indicated that the disclosure is requested for the purpose of administering or enforcing any law of Canada, a province or a foreign jurisdiction, or
- required by law.
Therefore, where the federal or a provincial government enacts legislation requiring compliance with self-isolation rules by law, for example, it is conceivable that organizations may be required to disclose information requested by the relevant government institution for the purpose of enforcing or administering such laws. For example, the federal government and most provinces have enacted legislation which requires all persons entering their borders to self-isolate for 14 days.
In addition, Canadian governments could pass legislation expressly requiring organizations to disclose smartphone location data. Such legislation could take a variety of forms, including stand-alone legislation, an order or regulation under existing legislation, an amendment to the COVID-19 Emergency Response Act or, if used, under a regulation passed through the broad powers prescribed by the Emergencies Act.
Collection and Use of Smartphone Location Data by Government Institutions
Under the Privacy Act, a federal government institution may collect and use personal information without consent of the individual to whom it relates for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure. Under provincial FIPPA regimes, personal information may generally be collected and used without consent if doing so will avert or minimize harm to the health or safety of any individual. Therefore, under the federal and provincial public sector privacy frameworks, governments may assert that the public interest in preventing the spread of COVID-19, and thereby protecting the health of individuals, outweighs any possible invasion of privacy arising from the use of smartphone location data to enforce "social distancing" rules and related measures.
Alternatively, under both the federal and provincial regimes, a government institution may forego the consent requirement where it is authorized to do so by law. Therefore, governments may pass legislation (i.e., in a form as discussed above) authorizing the collection and use of smartphone location data to enforce "social distancing" rules and related measures without consent of the individuals to whom it relates.
Privacy Protections Once Smartphone Location Data in the Hands of the Government
One of the main concerns that has been raised with the collection and use of smartphone location data by government institutions is whether such location data will continue to be collected and used after the COVID-19 pandemic has ended, and if so, for what purposes?
Under the Privacy Act and provincial FIPPA regimes, if personal information is no longer needed for the purposes it was originally sought, then the information cannot continue to be used, and must be retained and destroyed in accordance with the provisions outlined in the applicable privacy statute.
Government institutions will also be required to comply with all of the other privacy protections outlined in the applicable public sector privacy statute, including: (i) limiting the collection of information to that which is necessary for the specified COVID-19-related purpose; (ii) ensuring the accuracy of such information; (iii) using appropriate security safeguards for such information; (iv) openness of its policies and practices in respect of such information; and (v) the individual's access to such information.
In addition, government action is subject to the Canadian Charter of Rights and Freedoms; section 8 of the Charter provides that "[e]veryone has the right to be secure against unreasonable search or seizure." In regards to privacy, the Supreme Court of Canada has adopted a purposive approach to section 8 "that emphasizes the protection of privacy as a prerequisite to individual security, self-fulfillment and autonomy as well as to the maintenance of a thriving democratic society" (R v Spencer, 2014 SCC 43 at para 15).
Accordingly, any government action with respect to the use or disclosure of smartphone location data other than to enforce "social distancing" rules and related measures will have to appropriately address these fundamental requirements.