
PIPEDA, disclosure without consent and COVID-19 in Canada

On Saturday April 4, 2020, newspapers in Québec reported the geolocation of a person infected with COVID-19 through cell phone data by the Québec City Police Service (SPVQ). Lawful access was based on section 108 of the Québec Public Health Act, which provides for the issuance of an order by the public health director to “do everything reasonably possible to locate and apprehend the person whose name appears in the order.” As the COVID-19 crisis deepens, it is fair to expect the practice to expand. This article seeks to provide some guidance for an organization facing a request from law enforcement authorities to obtain geolocation data for public health purposes.

The starting point is the prohibition under the Personal Information Protection and Electronic Documents Act (PIPEDA) for an organization to disclose personal information without consent save in exceptional circumstances listed in section 7(3). The exception relevant to COVID-19 is subsection 7(3) (c.1) (ii), allowing an organization to disclose personal information without consent to a government institution that (i) has identified its lawful authority to obtain the information; and (ii) indicated that the disclosure is requested for the purpose of enforcing any law of Canada. Beyond legislative provisions, case law has recognized “exigent circumstances” as grounds for lawful authority. 

In 2016, the Ontario Superior Court went a step further in R. v Rogers Communications siding with Rogers and Telus, which had refused to grant the Peel Regional Police a “tower dump” of cell phone data to investigate a robbery. What is of most relevance here is that the court went beyond recognizing the reasonable expectation of privacy in cell phone data. It also found Rogers and Telus to have a contractual obligation towards their customers to challenge and refuse to comply with a warrant manifestly unconstitutional, as was the case for the requested indiscriminate “tower dump” for the purpose of investigating a robbery. 

The decision shed new light on the exceptions to the prohibition to disclose personal information without consent. It was also a bittersweet victory for the private sector, as the court recognized not only the right of an organization not to comply with a warrant it judges unconstitutional, but also its contractual duty to do so. Here are some parameters that may assist in decision-making in the face of a request for cell phone location data in relation to fighting the spread of COVID-19: 

  1. Don’t just look for warrants. In R. v Spencer, in 2014, the Supreme Court of Canada (SCC) clarified that the exception in 7(3) (c.1) (ii) applies not only to warrants, but more broadly “to the authority of police to conduct warrantless searches under exigent circumstances or where authorized by a reasonable law.” An access request for cell phone data under public health legislation may therefore rest on lawful authority other than a warrant.
  2. Assess “exigent circumstances.” In 2017, in R. v Paterson, the SCC provided guidance in assessing “exigent circumstances.” The SCC insisted that the circumstances must make obtaining a warrant “impracticable,” they must create a situation of “urgency,” and they must call for immediate action to preserve public safety.
  3. Request identification of lawful authority. Public health legislation creates exceptional powers for government, including those to access personal information for public safety, executed by peace officers. An organization must request identification of lawful authority to obtain the information and specification of the legal provision to be enforced before disclosing without consent.
  4. Notify the customer. Once the information is provided, if notifying the customer would not defeat the purpose of the information request, the right to privacy of the individual calls for notification to ensure transparency and accountability to the customer.
  5. Issue Transparency Reports. As a matter of accountability to customers and openness regarding the protection of personal information, organizations are encouraged to provide Transparency Reports stating how often, and in what circumstances, they provide information about their customers to government authorities. For more information on these reports, the Government of Canada has issued Transparency Reporting Guidelines.

Of course, seeking legal counsel minimizes the risk of violating PIPEDA in these unprecedented times. For more information, please contact Chantal Bernier, Kirsten Thompson, or another member of Dentons’ Privacy, Cybersecurity and Data Protection group.


Privacy law in the context of pandemics

Chantal Bernier, National Practice Leader, Privacy and Cybersecurity, and Trevor Neiman, Dentons Canada, adapting “Pandemics in a Connected World: Integrating Privacy with Public Health Surveillance,” by Chantal  Bernier, Liane Fong and Timothy M. Banks, in the University of New Brunswick Law Journal, volume 66 at page 117.

The ongoing COVID-19 pandemic illustrates and confirms the immense pressures both public and private entities face to widely collect, use and share individuals’ personal health data in order to facilitate a coordinated pandemic response.

Public health interventions include numerous forms of personal data collection, analysis and dissemination. Pandemic response plans will generally call for the active surveillance of ill persons’ symptoms and health status, reporting the identity of ill or suspected ill individuals, and the tracing of anyone who may have come into contact with an infected person.

These responses will invariably reveal details about the actual or suspected ill, as well as information about their friends, neighbours, employers, and social or religious affinity groups, including persons’ names, addresses, personal contacts, travel histories, risk factors and health records.

While public health objectives are an imperative during a pandemic, the ill or assumed ill will be quick to highlight the privacy risks of response measures. Private or public dissemination of personal health information in the efforts to contain COVID-19 has already led to discrimination and restrictions on freedom.

In that light, an effective pandemic response requires commensurate safeguards to protect individual privacy. This article describes the rights and obligations of employers and employees, as well as those of health professionals and patients in relation to protecting privacy while pursuing public health objectives.

1. Privacy and pandemics management in the workplace

Privacy considerations for employers

Employers play a critical role in responding to the spread of COVID-19. Many employers are currently considering various kinds of measures to mitigate the spread of the virus and to safeguard the work environment. Employers are taking precautionary measures, such as excluding access to work premises to employees having traveled abroad and to employees showing symptoms of the virus, or limiting office access to visitors from certain regions of the world. These responses, and many similar measures, necessarily involve the collection, use and disclosure of personal information above what is normally required in the workplace.  

Where employers collect, use and disclose personal information to prevent or manage the risks associated with COVID-19, employers’ actions must be guided by applicable law, including Canada’s privacy legislation. The basic rule across Canada regarding personal information is that it cannot be collected, used or disclosed without consent, unless authorized or required by law.

With this in mind, here are the main rules to follow in the context of a pandemic:

  • As a preliminary rule, employers need to identify the minimal personal information they need to collect from their employees in the management of the COVID-19 pandemic. For example, additional contact information or personal travel plans may be relevant in protecting the workplace from COVID-19, and, therefore, assist in the effort to contain the pandemic. That being said, employers should limit this collection to the bare minimum necessary to fulfill that purpose. Use and disclosure of that personal information must also be minimal, limited to the strict purposes for which the information was collected.
  • Employers should obtain consent for this additional information, albeit with health and safety policies that could justifiably restrict access to the workplace where the employee refuses to provide essential information.
  • The form of consent obtained from employees must take into account the sensitivity of the personal information. Given the highly sensitive nature of health information, explicit consent will likely be required in most circumstances. For consent to be meaningful, employers must provide their employees with sufficient information so that they understand what they are consenting to, including the nature, purpose and consequences of the collection, use and disclosure of their personal health information. Consent will be considered express where it is the result of positive action from the individual.
  • Employers should put in place dedicated security measures to prevent any loss, theft, or unauthorized access, disclosure or use of an employee’s personal information provided in the context of managing the COVID-19 pandemic. In addition, the information must be kept for only as long as it is needed to serve the intended purposes of collection. Guidelines should be developed governing the retention and destruction of the personal information when the organization no longer needs it.

Employers must also apply any special considerations unique to their business. For instance, businesses with global operations should consider the implications of cross-border sharing of personal information. While cross-border sharing of personal information may be essential in a pandemic response to trace ill employees moving between a company’s various locations or offices, the sharing of such information must be implemented with strict safeguards in place. Cross-border sharing carries high risks, as once the personal information enters another jurisdiction, it will become subject to the laws of that jurisdiction. Therefore, measures should be adopted, including regarding the use and disclosure of the personal health information, to ensure that the information will be handled in a manner that meets the standards of Canada’s privacy legislation.

Employers must also consider where they may be unable to obtain consent from employees and how they will achieve their objectives in those circumstances. Where employee consent cannot be obtained, employers may be able to rely, in a narrow set of exigent circumstances, upon exceptions to consent contained in Canada’s privacy legislation. For example, the Canada Personal Information Protection and Electronic Documents Act (PIPEDA) permits the disclosure of personal information without consent, where disclosure is required in an emergency that threatens the health or security of an individual, subject to written notification requirements to the person to whom the information relates. In addition, an organization may disclose personal information to a government institution without that individual’s consent if the institution has made a request for the information, identified its lawful authority to obtain the information, and the disclosure is requested for the purposes of administering any law of Canada or a province.

Privacy considerations for employees

As each individual must play a part in the management of a pandemic, including by accepting limits on their right to privacy, employees must contend with their employer’s broadened need to collect certain personal information. Responding to the pandemic broadens the justifiable need for personal information and brings some limitation to the right to exercise consent.

The broadened need for personal information  

While employees have the right to privacy in the workplace, employers may require the personal information demonstrably necessary to manage the workplace. The nature of a pandemic will generate a demonstrable need for employers to collect additional personal information from employees to ensure health and safety in the workplace. It follows that employees may be legitimately required to provide personal information and will have to comply as a matter of employee duty.

The notion of consent in a pandemic

While the general rule is that personal information, particularly sensitive information such as personal health information, cannot be collected without consent except in exigent circumstances, employees need to understand that the right to privacy may be lawfully limited where public health and safety imperatives prevail. As mentioned in relation to employers’ rights and obligations, employees must accept that refusing to consent to provide health information necessary to the management of the pandemic in the workplace may entail proportionate limitations of their rights as employees, such as denial of access to work premises.

2. Privacy and pandemic management in the health care system

The right to privacy also yields to public interest in the context of the efforts of the health care system in containing a pandemic. One major response to limiting the spread of infection is contact tracing, which is the practice of identifying and monitoring anyone who may have come into contact with an infected person. Specifically, the duty to disclose and the right to share personal information, including across borders, constitute lawful limitations to the right to privacy in a pandemic. That being said, the duty to minimize privacy intrusion and the duty to safeguard the personal information at hand, with due consideration for its sensitivity, are never extinguished.

The duty for patients to disclose

Taking the SARS outbreak as a precedent, the Ontario government designated SARS as a reportable, communicable, and virulent disease under the Ontario Personal Health Information Protection Act (PHIPA). Such a measure gives public health agencies the legislative authority to issue orders to detain and isolate individuals through written orders mandating quarantine.

At the federal level, the Quarantine Act also allows exceptional collection of personal information with the purpose of restricting the spread of a communicable disease. The right to privacy is limited in accordance with section 1 of the Canadian Charter of Rights and Freedoms, meaning “within such reasonable limits prescribed by law as can be demonstrably justified in a free and democratic society.” A duty to disclose can therefore be lawfully created.

Sharing personal information across borders

The privacy risks of sharing personal information across borders cannot be overstated. Once the information comes into the hands of a foreign state, it also comes under the scope of that state’s laws of general application, which may or may not correspond to the level of human rights protection Canada affords. Sharing of personal information across borders, even with the imperative objective of containing a pandemic, should be minimal and circumspect to protect privacy.

While certain provincial personal health information protection laws allow cross-border sharing of personal information where the protection of health and safety require it, Canadian health authorities are bound by the World Health Organization’s (WHO) International Health Regulations. They are legally binding and apply to the international sharing of information to contain the rapid international spread of communicable diseases.

The obligation to safeguard

The general safeguarding principle of privacy law requires that personal information be protected at a level commensurate to its sensitivity. For health authorities who must collect and share personal information to respond to the crisis created by the COVID-19 pandemic, the following minimal safeguarding obligations apply:

  • Sharing of personally identified information should be kept to the minimum demonstrably necessary, resorting instead to pseudonymized information (meaning the identifying information is replaced by a number, bar code or other “pseudonym” which can be traced back to the individual only through a protected master list), or to anonymized information (meaning the information can no longer be traced back to an individual) where individual tracing is not necessary.
  • The personal health information shared should be kept exclusively to what is relevant to manage the pandemic. For example, even where individual tracing is necessary, not all health information relating to that patient is relevant and necessary to share in the effort to contain the pandemic.
  • Information sharing agreements should be in place to govern the sharing of personal information and impose the necessary safeguards to mitigate the privacy risks inherent to the sharing of personal information.
  • The sharing of personal information for the containment of a pandemic should be subject to strict prohibition, through the information sharing agreements, of the use of the personal information for any other purpose.
  • Finally, enhanced technological safeguards should be implemented in the wider sharing of personal information as required in the efforts to contain a pandemic.

Conclusion

There is no question that effective pandemic control requires an exceptional degree of collection, disclosure and analysis of highly sensitive personal information. While we must accept unusual collection, use and sharing of personal information, the right to privacy still commands minimization of the collection, use and sharing of that information, respect for consent unless overwhelming public interest must prevail and, in all cases, protection of the information commensurate with its high level of sensitivity.

For more information, please contact Chantal Bernier or another member of Dentons’ Privacy and Cybersecurity group.


Brexit impact on privacy

On Friday, January 31, 2020, the United Kingdom (UK) left the European Union (EU) after 47 years as part of the union.

While the UK ceased to be part of the EU when the clock struck midnight in Brussels, the UK and EU have agreed to a transition period until the end of 2020, to allow the UK to continue its current relationship with the EU while future trading relationships are negotiated.

As part of this transition period, the UK’s Information Commissioner’s Office has clarified that the EU’s General Data Protection Regulation (GDPR) will remain in effect until the end of 2020.

No changes required at this time, but …

If you or your clients offer goods or services in the UK, and process personal data of UK residents, the GDPR will continue to apply to the treatment and safeguarding of that personal data.

Similarly, the GDPR still applies, and data protection agreements (DPA) are still required as part of an agreement with organizations that process personal data of individuals from the UK.

The UK’s Data Protection Act of 2018 incorporates the GDPR into UK law. It remains to be seen what status the EU will give to personal data transfers to the UK: Will the EU allow such transfers or will it apply the same conditions as for the rest of the world?

Adequacy status for Canada

At the time of this writing, the EU Commission considered Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) adequate to receive and process personal data of EU residents in Canada without further conditions under the GDPR. However, this adequacy status is up for review in 2020 by the EU Commission.  

Even if Canada retains its adequacy status with the EU, it is not clear what regime the UK will adopt in relation to cross-border personal data flows. While it is fair to expect that the UK will look favourably at facilitating cross-border data flows towards North America in support of new trade agreements, UK businesses have recently started to show concern with the UK’s direction in that regard. Indeed, in the months leading up to the UK leaving the EU, organizations from the UK have started to ask for further assurances related to data protection from entities outside the UK, including Canadian businesses processing information of UK residents.

With all these uncertainties at play this year, do not be surprised if a UK business partner asks you to sign the Standard Contractual Clauses with respect to personal data of UK residents being stored or processed in Canada. 

What to expect

Following the transition period, there may be areas of uncertainty around the data protection landscape in the UK. It is likely, however, that the UK will keep its GDPR-based data protection legislation to address any concerns about the flow of personal data between the EU and the UK, and keep its flexibility in negotiating free trade agreements with North America.

Please contact a member of our Privacy and Cybersecurity group if you have any questions on the impact of Brexit and the privacy compliance obligations.


Regulating the Internet – Really?

Date and time:
Start: June 11, 2019, 9:00 AM EST
End: June 11, 2019, 4:30 PM EST

Location: 
Shopify
150 Elgin Street
14th floor 
Ottawa, Ontario K2P 1L4
Canada

CPD accreditation
This program is eligible for 5 substantive hours required by the Law Society of Ontario.

On December 11, 2018, the House of Commons Standing Committee on Access to Information, Privacy and Ethics (ETHI) released its final report “Democracy Under Threat: Risks and Solutions in the Era of Disinformation and Data Monopoly”. The Report calls for increased regulation on the Internet.

Dentons and the International Commission of Jurists (ICJ), an international organization created 60 years ago to assert the rule of law as a matter of democracy, invite you to a complimentary all-day conference that will address the specific challenges and solutions that arise in this context.

Topics will include:

  • Legal disruption: Impact of digital on the existing regulatory framework
  • From lock and key to encryption – Applying privacy law on digital
  • Can data monopolies exist within privacy and competition law?
  • The particular case of e-commerce
  • Are Internet giants the guardians of democracy on the Internet?

Speakers

  • Kevin Chan, Global Director and Head of Public Policy Canada – Facebook
  • Anthony Durocher, Deputy Commissioner – Competition Bureau Monopolistic Practices Directorate
  • Nathaniel Erskine-Smith, Member of Parliament for Beaches–East York, Vice-Chair of the Standing Committee on Access to Information, Privacy and Ethics (ETHI)
  • Joe Frasca, General Counsel – Shopify
  • Jacob Glick, General Counsel – North
  • Tamir Israel, Staff Lawyer – Canadian Internet Policy and Public Interest Clinic (CIPPIC)
  • Janet Lo, VP of Privacy & Consumer Legal Affairs – TekSavvy Solutions
  • Brenda McPhail, Director of Privacy, Technology & Surveillance Project – Canadian Civil Liberties Association
  • Errol Mendes, Professor, University of Ottawa and President, International Commission of Jurists (Canadian Section)
  • Vivek Narayanadas, Associate General Counsel, Privacy & Data Protection Officer – Shopify
  • Marina Pavlovic, Associate Professor – University of Ottawa
  • Mark Schaan, Director General, Marketplace Framework Policy Branch – Innovation, Science and Economic Development Canada (ISED) / Government of Canada
  • Chantal Bernier, Of Counsel and National Practice Leader, Privacy and Cybersecurity – Dentons Canada LLP
  • Monica Song, Partner – Dentons Canada LLP


Questions

Please contact Carla Vasquez, Events Manager, at carla.vasquez@dentons.com or +1 416 361 2377.

Dentons Canada LLP is committed to accessibility for persons with disabilities. Please contact us at toronto.events@dentons.com in advance of the event if you have any particular accommodation requirements. We will work with you to make appropriate arrangements.



Impact of the European General Data Protection Regulation (GDPR) on Adequacy and 5 Tips to Weather the Changes

Recent media coverage has brought to light the internal deliberations of the Government of Canada regarding the possible impact of the entry into force in 2018 of the GDPR on Canada’s adequacy status to receive personal data from the European Union (EU). Ten other countries, and the businesses in those countries, should examine the same question: Andorra, Argentina, Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland and Uruguay. The EU-US Privacy Shield, to which U.S. companies may self-certify, has received adequacy status.

Two issues arise: i) since the provisions of the new GDPR are stricter than the current European regime under which these eleven States have been deemed adequate, will adequacy survive the coming into force of the new GDPR? And, ii) now that adequacy may be repealed, how should governments or businesses prepare in that regard?

The following seeks to summarize what to watch for and how to weather this significant, yet still ill-defined, legal development.

  1. Why is adequacy status important?

European privacy law prohibits the transfer of personal data outside of the EU, except to states that have been recognized as providing adequate privacy protection (GDPR, Chapter V). “Non-adequate” states may only receive EU data under onerous conditions, namely:

  • Individual consent, and even then this is not valid for employee information as the employer-employee relationship is one of authority which defeats the assurance of “free” consent; or,
  • Standard model clauses, adopted by the European Commission, that bind the parties to the same level as European data protection law and submits the party receiving the data to audits by the party transferring the data; or,
  • Binding Corporate Rules, which apply within “a group of enterprises engaged in a joint economic activity” (Article 43.1) and bind the companies within the group to the European standards of privacy law.

Non-EU states that have been recognized as providing adequate protection for privacy may receive transfers of personal data from Europe without “any specific authorization.” (Article 41.1)

With a European market of 500 million, this is a critical economic advantage.

  2. How is a State considered adequate?

Article 41.2 of the GDPR summarizes the conditions for adequacy:

  • Respect for “the rule of law, human rights and fundamental freedoms, relevant legislation both general and sectoral, data protection rules and security measures, including rules for onward transfer of personal data to another third country or international organization, as well as the existence of effective and enforceable data subject rights and effective administrative and judicial redress for the concerned data subjects”;
  • Existence of an effective data protection authority;
  • International commitment of the State to uphold protection of personal data.

  3. What is the difference between State adequacy and the EU-US Privacy Shield?

Because the U.S. does not have adequacy status, not meeting the criteria above, U.S. companies require a specific legal instrument to receive EU personal data. That is the EU-US Privacy Shield, under which U.S. companies self-certify and commit to:

  • European data protection standards;
  • The new scrutiny of the Ombudsperson to be created in the US as well as of the Department of Commerce and Federal Trade Commission;
  • Stronger requirements on consent;
  • New Europeans’ access to remedies in the U.S.

It is noteworthy that the EU-US Privacy Shield process is still more burdensome than for companies in States that have adequacy status.

  4. What next for adequacy?

The coming into force of the GDPR introduces the possibility for an adequacy decision to be “amended, replaced or repealed” (Article 41.3a) by a Commission decision. Moreover, the Commission will “monitor the functioning of decisions” already adopted, with a view to adequacy remaining in force, being amended or being repealed.

So nothing can be taken for granted. The maintenance of adequacy will be earned through conformity with European standards on privacy law.

  5. Honing privacy compliance strategies in the context of adequacy

Here are the best practices from our clients transferring or receiving European personal data:

  • Identify legal obligations under the coming GDPR;
  • Perform a gap analysis to address possible compliance issues in advance of the GDPR coming into force;
  • Negotiate with sub-contractors contract clauses compliant with GDPR;
  • Include monitoring provisions in the contract clauses, such as the right to audit the sub-contractor to ensure compliance;
  • Establish data centres or hire cloud services in States having adequacy status, or with companies self-certified under the EU-US Privacy Shield.

Adequacy status is a shared objective by governments and companies.
