Anger over the Public Health Agency of Canada using anonymous cellphone data on millions of Canadians reveals an urgent need for privacy laws to be updated in this country, say analysts.
But the experts also say that Canadians probably have no idea of the extent to which their data is gathered, stored, and sold on a regular basis.
Tracey Lauriault, an associate professor at Carleton University, said “data brokers,” insurance and credit scoring companies, banks and firms involved in data analytics and AI are “doing this every single day and don’t have the same kind of scrutiny that we have in terms of the federal public service.”
“The government of Canada has to update its privacy laws,” said Christopher Parsons, a senior researcher at University of Toronto’s Citizen Lab.
“Hopefully, if there’s any good that comes out in the current tussle around PHAC getting access to this information, it’ll be to actually advance meaningful legislative reforms.”
Earlier this week, MPs from all three opposition parties called for a review after PHAC admitted using de-identified and aggregated data obtained from third parties to track Canadian travel patterns during the pandemic. It plans to continue doing so through at least 2023.
Opposition MPs described PHAC’s actions as “extremely alarming” and “an intrusion on the privacy of Canadians.” The House of Commons ethics committee will meet Thursday over the issue.
However, the data “was almost certainly collected lawfully and disclosed lawfully to the government of Canada, in an anonymized, aggregated format,” said Parsons.
But he added, “Individuals look and say, ‘This is inappropriate’ or ‘I don’t think that’s right.’ So even though it’s permissible, they don’t feel like they had a say. They don’t think that they would have said yes.”
He said the issue is that Canada’s privacy laws, the Personal Information Protection and Electronic Documents Act (PIPEDA) – which covers the private sector – and the Privacy Act – which covers the government – deal with personally identifiable information, not de-identified or anonymized data like the data PHAC used.
“There’s an increasing divide between what government can lawfully do in terms of collecting and using … personal information that had been anonymized and aggregated, and what individual Canadians think,” Parsons said.
Canada’s privacy laws don’t address, and many Canadians may not be aware of, the extent to which information about their physical location and what they do online is sold and re-sold by a wide range of companies.
Detailed location data are collected not only by telecoms, but by companies like Google and Fitbit, and “any number of apps that have nothing to do with mobility, but that are collecting that data in any event,” University of Ottawa professor Teresa Scassa said.
It’s part of a vast amount of information on all Canadians that’s collected, anonymized, and sold by the private sector. Companies like Google and Facebook collect data that they use to sell targeted advertising.
But there are also data brokers – companies that acquire and buy data from social media feeds, credit scoring companies, banks and loyalty cards – and then combine that with statistical information to create profiles, Lauriault said. From there, they can run analyses on this data for clients.
“A question might be, how many people have defaulted on their loans in Canada, where did they live and what is the nature of the loans that they’ve defaulted on?”
Lauriault said in Canada, there is little information available about these companies and what they actually know about Canadians. “We know almost nothing about them,” including where they buy data from and who their clients are.
She said, “We actually need to be able to look at what is going on within these companies, what is it that they’re buying and selling, and then we ought to be developing some legislation and some oversight.”
A 2018 draft report from the Samuelson-Glushko Canadian Internet Policy and Public Interest Clinic (CIPPIC) pointed out that data brokers don’t use that term to refer to themselves, using terms like marketing analytics, or a “data as a service” provider. It cited Acxiom, Oracle, Salesforce, and Adobe as examples of some of the companies in the field.
Anonymized data is used for profiling and targeted marketing, and “may also be used for artificial intelligence, to develop tools or products or services,” Scassa said.
Large Canadian telecoms have also gotten into the data business. PHAC obtained some of its data on Canadians’ location from Telus’ Data for Good program, which provides de-identified, aggregated data to governments, health authorities and researchers. In 2020, Bell bought data and analytics company Environics Analytics.
Parsons said if telecoms are making location data available for non-technical purposes, such as network planning, “they need to be much more transparent about what they are doing.”
PHAC also didn’t proactively explain what it was doing, Parsons noted. He added that “we’re just starting to figure out what has been done in Canada and other jurisdictions” when it comes to data collection for COVID-19 purposes.
Both Parsons and Scassa said the Privacy Act desperately needs to be updated. Parsons noted it was created in the 80s and hasn’t received meaningful updates since. A bill to update the private sector legislation, PIPEDA, died on the order paper when last year’s federal election was called.
Scassa said up until now, Canada’s privacy laws have been focused on information about identifiable individuals. “I think we need to be thinking about to what extent we also want some kind of transparency, oversight and governance when we’re talking about de-identified personal information,” she said.