Blog

Privacy Considerations When Using Smartphone Location Data to Limit the Spread of COVID-19

April 13, 2020

Close

Written By Sina Kazemi, Sébastien Gittens, Stephen Burns, Ruth Promislow and Michael Whitt

As countries around the world continue their efforts to combat the novel coronavirus (COVID-19), governments are increasingly turning to technology to enforce "social distancing" rules and related measures designed to contain the spread of the virus. For example: 

This blog explores how smartphone location-tracking measures would be considered within the context of Canadian private sector and public sector privacy laws. This blog does not explore smartphone location-tracking in the context of health information laws, as it is assumed that the smartphone location data would be obtained separately from any specific health information.    

Legislation

In determining whether government institutions can collect, use and disclose smartphone location data for purposes related to enforcing "social distancing" rules and related measures designed to contain the spread of the COVID-19 virus, the analytical framework in Canada involves examination of the following statutes, depending on the level of government seeking to obtain the smartphone location data:

"Personal information" in the above-referenced statutes refers generally to any information about an identifiable individual. Accordingly, smartphone location data linked to an individual will be subject to the privacy framework. On the other hand, where government institutions can collect, aggregate and anonymize or de-identify information that cannot be linked back to an identifiable person, then collection, use and disclosure of such information is likely not subject to such privacy laws.

Technical Background

From a technical perspective, there are multiple mechanisms by which location data from a smartphone can be determined, including through a device's built-in global positioning system (GPS) or from the signal a device transmits to nearby cell towers. The resulting location data may be collected by businesses such as telecommunications companies (e.g., through phone calls transmitted to nearby cell towers) and smartphone app developers (e.g., by using a mobile device's built-in GPS) such as apps providing social media, mapping or weather services. In addition, government institutions may directly collect smartphone location data using apps created by the governments themselves. 

Collection and Disclosure of Smartphone Location Data by Organizations

Under PIPEDA and its provincial counterparts, the purpose for which personal information is collected must generally be identified by the organization at or before the time the information is collected and consent to such collection must be obtained, unless the collection falls within a specified exception. To the extent that an organization collects an individual's smartphone location data, the purpose for doing so will often be disclosed at or before the time of collection, including, as may be set out in its privacy policy. It is unlikely, however, that such purpose disclosures and related consents contemplate disclosure for the purpose of enabling the enforcement of COVID-19 social distancing and related measures. 

Nevertheless, governments wishing to access smartphone location data about identifiable individuals in the face of COVID-19 may obtain such data from a number of different organizations; however, an appropriate legal mechanism must be utilized in mandating organizations to disclose this data without notice to or the consent of the individual. Under PIPEDA and its provincial counterparts, organizations may disclose personal information without the knowledge or consent of the individual only under certain circumstances. In the context of COVID-19, the relevant exceptions may include circumstances where the disclosure is:

Therefore, where the federal or a provincial government enacts legislation requiring compliance with self-isolation rules by law, for example, it is conceivable that organizations may be required to disclose information requested by the relevant government institution for the purpose of enforcing or administering such laws. For example, the federal government and most provinces have enacted legislation which requires all persons entering their borders to self-isolate for 14 days. 

In addition, Canadian governments could pass legislation expressly requiring organizations to disclose smartphone location data. Such legislation could take a variety of forms, including stand-alone legislation, an order or regulation under existing legislation, an amendment to the COVID-19 Emergency Response Act or, if used, under a regulation passed through the broad powers prescribed by the Emergencies Act.

Collection and Use of Smartphone Location Data by Government Institutions

Under the Privacy Act, a federal government institution may collect and use personal information without consent of the individual to whom it relates for any purpose where, in the opinion of the head of the institution, the public interest in disclosure clearly outweighs any invasion of privacy that could result from the disclosure. Under provincial FIPPA regimes, personal information may generally be collected and used without consent if doing so will avert or minimize harm to the health or safety of any individual. Therefore, under the federal and provincial public sector privacy frameworks, governments may assert that the public interest in preventing the spread of COVID-19, and thereby protecting the health of individuals, outweighs any possible invasion of privacy arising from the use of smartphone location data to enforce "social distancing" rules and related measures.

Alternatively, under both the federal and provincial regimes, a government institution may forego the consent requirement where it is authorized to do so by law. Therefore, governments may pass legislation (i.e., in a form as discussed above) authorizing the collection and use of smartphone location data to enforce "social distancing" rules and related measures without consent of the individuals to whom it relates. 

Privacy Protections Once Smartphone Location Data in the Hands of the Government

One of the main concerns that has been raised with the collection and use of smartphone location data by government institutions is whether such location data will continue to be collected and used after the COVID-19 pandemic has ended, and if so, for what purposes?

Under the Privacy Act and provincial FIPPA regimes, if personal information is no longer needed for the purposes it was originally sought, then the information cannot continue to be used, and must be retained and destroyed in accordance with the provisions outlined in the applicable privacy statute.

Government institutions will also be required to comply with all of the other privacy protections outlined in the applicable public sector privacy statute, including: (i) limiting the collection of information to that which is necessary for the specified COVID-19-related purpose; (ii) ensuring the accuracy of such information; (iii) using appropriate security safeguards for such information; (iv) openness of its policies and practices in respect of such information; and (v) the individual's access to such information.

In addition, government action is subject to the Canadian Charter of Rights and Freedoms; section 8 of the Charter provides that "[e]veryone has the right to be secure against unreasonable search or seizure." In regards to privacy, the Supreme Court of Canada has adopted a purposive approach to section 8 "that emphasizes the protection of privacy as a prerequisite to individual security, self-fulfillment and autonomy as well as to the maintenance of a thriving democratic society" (R v Spencer, 2014 SCC 43 at para 15).

Accordingly, any government action with respect to the use or disclosure of smartphone location data other than to enforce "social distancing" rules and related measures will have to appropriately address these fundamental requirements.

If you have any questions regarding the information in this article, please contact a member of the Bennett Jones Privacy & Data Protection and Cybersecurity groups. In addition, please visit our COVID-19 Resource Centre for other COVID-19-related materials.

Authors

Related Links



View Full Mobile Experience