Public consultation on the Privacy Act – Submission – Anonymous #5

12 February 2021

Summary:

  1. Public versus private interests. Democratic governance. Public trust. The proposed changes envision increased flexibility with respect to disclosure of both personal and de-identified information. Does this allow public instruments and authorities to be used to collect personal information in order to further private interests that may be prioritized over the common good? Does this allow the State to use its monopoly on the legitimate use of authority to collect (and compel) personal information in order to further private (mostly commercial) interests? What happens if private uses of such information are not transparent? This is especially likely, and especially concerning, where personal information is de-identified and then disclosed. Does this also increase private control over information, where interests are primarily economic and do not necessarily benefit the general public and the common good? This raises questions about the power that accrues to private entities as gatekeepers of information. Ultimately, it raises fundamental concerns about democratic governance and public trust.
  2. Value of data. Both personal and de-identified data hold tremendous strategic and economic value. The more complete a data set, and the more data points it contains, the wider its range of potential uses. Government is in a particularly strategic position given its ability and authorities to collect personal data. Government’s role as gatekeeper, and the intersection it has created with private (commercial) entities that act as intermediaries mediating electronic access to government services for individuals, introduces important questions about the role of the State in using public resources (its authority and the personal data it holds under that authority) to lend advantage, both directly and indirectly, to private interests. Underlying these considerations, government holds a key role in expanding the understanding and treatment of raw data beyond economic terms by considering its use and influence relative to human agency. The updates to the Privacy Act (PA) should consider an individual’s right to be free from predictive analysis, particularly in relation to economic interests.
  3. Limits should be grounded in law, not policy. Updates to the PA present an opportunity to do so. Electronic applications for federal government services have become de rigueur, but limits on the collection and use of information such as internet protocol (IP) address and geo-location do not currently appear to be grounded in law. They should be. The lack of a legal footing outlining limits in this setting raises questions about the scope of collection and use by government, as well as questions about transparency. If such information is collected on all individuals who interact with government using electronic means, should they not be informed of such collection? Is such collection necessary in order for government to carry out the initial purpose for which information is being collected from the individual? Is pre-emptive collection of additional information (such as IP address or geo-location) on the basis that it may later be useful (for anti-fraud or enforcement purposes, for example) fair? Would or should a court order (outlining reasonable grounds for collection) be necessary for such collection? If geo-location is collected, are cookies and invisible cookies (“perma-cookies”) used by government, enabling ongoing monitoring in relation to geo-location? Currently, it appears that this is guided by policies, and policies are largely influenced by resource limitations. In the interest of accountability, transparency and fairness, parameters for such collection, use and disclosure should be established in law, not policies.
  4. Legislated independent oversight, regular audit, increased transparency and opportunities for individuals to challenge the collection, use and disclosure of their personal and de-identified information are needed, covering both federal bodies and private entities when they are used as intermediaries to access government services. The changes proposed include transparency and accountability in generalized terms, but increased specificity and a wider range of measures are recommended. Beyond being informed that one will be subjected to artificial intelligence (AI) decision-making, transparency measures should be expanded to include being informed if personal information will be de-identified, disclosed and used as raw material in algorithm development relating to artificial-intelligence or machine-learning based decisions. Individuals should also have the option to decline such use, de-identification and disclosure of their personal information. This would underline the State’s commitment to transparency, human agency and respect for individual choice.
  5. Electronic access to government services: a Trojan horse? Where government services are offered through electronic means, and particularly where this is the only means to access government services, the legislation should introduce measures to increase transparency and strengthen individual protections relating to over-collection and over-reach of data. Electronic access to government services also introduces questions about back-door disclosure policies by the commercial entities that serve as intermediaries to access such services (e.g. email providers, internet browsers, internet service providers). In parallel, does electronic access essentially oblige applicants to provide additional information to private commercial entities that have private interests in data collection? Do electronic means of interacting with government serve as Trojan horses for government and law enforcement, enabling government to access a broader range of information (such as IP address and geo-location) that would usually require a court order?
  6. Over-collection and overreach (breadth and depth of collection, i.e. “harvest and hoard”). The collection of personal information (e.g. geo-location and, arguably, IP address) that is not directly needed for the initial purpose for which it is collected raises questions regarding misuse of authority. Where government services are increasingly offered through electronic means, yet processing requirements have not changed relative to pre-electronic processing, justifying the collection of additional information that was not initially required, and without grounds, on the basis that it may later prove useful is problematic. Is this additional information being collected about all electronic applicants without grounds to believe or even suspect non-compliance with government rules, regulations or legislation, and without their knowledge or consent? Electronic applicants do not know. If federal bodies collect additional data about individuals “just in case”, without grounds to suspect or believe there is non-compliance, or because such data may reveal indications or patterns of non-compliance, this raises questions about whether such collection is reasonable and whether the appropriate authorities for such collection (i.e. a warrant or production order) are being used. The convenience and potential usefulness of such information in helping to formulate grounds for law enforcement purposes should not justify its collection in this form. Currently, there is a lack of transparency and clarity about such collection and use, which limits opportunities to challenge it. The current review of the PA is an opportunity to address this lack of transparency and institute a legal framework of limits.
  7. De-identification - risk of re-identification
    Research in the past 10 years has demonstrated that de-identification, on its own, is a non-viable privacy strategy. Removing direct identifiers (name, address, account number) leaves quasi-identifiers (postal code, date of birth, sex, and similar attributes) in the data, and these can be linked against other data sets that carry names; the scholarly consensus points to the relative ease with which de-identified or anonymized data can be re-identified in this way, and the risk grows with every additional attribute released. Nearly any information or data point collected from and about an individual (even if purportedly de-identified) should therefore be treated as personal data. A principles-based approach towards personal information protection is vague and therefore insufficient. Specific details regarding what data will be collected and how and where it will be stored are of utmost importance, yet the proposed changes indicate that reduced specificity in this regard will be guided by principles, rather than prescription. This is overly abstract.
  8. Legislative crowding. Gaps created? Several pieces of legislation cover overlapping issues: privacy in a federal government context, privacy in a commercial context, consumer rights and economic interests. There are also provincial areas of responsibility in which privacy is of particular concern in the digital context (health, public education) and where there is overlap with federal responsibility in a digital context (Personal Information Protection and Electronic Documents Act, PIPEDA). This legislative landscape may create gaps and opportunities for misuse of data, particularly where private (usually commercial) entities play a dominant role in the vast collection of personal data.
  9. Privacy and algorithmic and AI-based decision-making: Updates to the PA should differentiate algorithmic and AI-derived decisions on a minimum of two grounds: being subjected to AI decisions and the collection, use or disclosure of an individual’s personal information (including if it will be de-identified) as the raw material needed to fuel algorithmic and AI decision-making. Informing individuals about these terms and providing the option to decline should be required and would reinforce commitments to transparency and respect for individual choice and human agency.
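The re-identification risk raised in item 7 can be shown concretely. The following Python is an added example, not part of the submission: it builds a small “de-identified” release (names removed; forward sortation area, birth year and sex kept) and a public data set that carries names alongside the same quasi-identifiers, links the two, and then shows that coarsening the quasi-identifiers (a k-anonymity measure) blocks unique linkage but still leaks a sensitive attribute when everyone in a group shares it. Every record, name and diagnosis is constructed for the example; the field names and the choice of quasi-identifiers are assumptions.

```python
"""Linkage attack on a "de-identified" release (added example; all data constructed)."""
from collections import Counter, defaultdict

# Quasi-identifiers left in the release (assumed field names).
QUASI = ("fsa", "birth_year", "sex")

# Constructed "de-identified" release: direct identifiers removed, sensitive attribute kept.
DEIDENTIFIED = [
    {"fsa": "K1A", "birth_year": 1984, "sex": "F", "diagnosis": "asthma"},
    {"fsa": "K1A", "birth_year": 1987, "sex": "F", "diagnosis": "diabetes"},
    {"fsa": "K2P", "birth_year": 1991, "sex": "F", "diagnosis": "hypertension"},
    {"fsa": "K2P", "birth_year": 1991, "sex": "F", "diagnosis": "hypertension"},
    {"fsa": "M5V", "birth_year": 1970, "sex": "M", "diagnosis": "depression"},
    {"fsa": "M5V", "birth_year": 1975, "sex": "M", "diagnosis": "migraine"},
]

# Constructed public data set (think voters list or social profiles) with names.
PUBLIC = [
    {"name": "A. Tremblay", "fsa": "K1A", "birth_year": 1984, "sex": "F"},
    {"name": "B. Singh", "fsa": "K1A", "birth_year": 1987, "sex": "F"},
    {"name": "C. Roy", "fsa": "K2P", "birth_year": 1991, "sex": "F"},
    {"name": "D. Nguyen", "fsa": "K2P", "birth_year": 1991, "sex": "F"},
    {"name": "E. Wilson", "fsa": "M5V", "birth_year": 1970, "sex": "M"},
    {"name": "F. Chen", "fsa": "M5V", "birth_year": 1975, "sex": "M"},
]


def key(record, quasi=QUASI):
    """The quasi-identifier tuple that two data sets are joined on."""
    return tuple(record[q] for q in quasi)


def build_index(records, quasi=QUASI):
    index = defaultdict(list)
    for r in records:
        index[key(r, quasi)].append(r)
    return index


def link(deidentified, public, quasi=QUASI):
    """Map release row index -> name for each row matching exactly one public record."""
    index = build_index(public, quasi)
    hits = {}
    for i, row in enumerate(deidentified):
        matches = index.get(key(row, quasi), [])
        if len(matches) == 1:
            hits[i] = matches[0]["name"]
    return hits


def infer_sensitive(deidentified, public, quasi=QUASI, sensitive="diagnosis"):
    """Map name -> sensitive value whenever every release row in that person's
    equivalence class shares it (homogeneity attack; unique linkage not needed)."""
    index = build_index(deidentified, quasi)
    inferred = {}
    for p in public:
        values = {row[sensitive] for row in index.get(key(p, quasi), [])}
        if len(values) == 1:
            inferred[p["name"]] = values.pop()
    return inferred


def k_anonymity(records, quasi=QUASI):
    """Smallest equivalence class; k == 1 means some row is unique on its quasi-identifiers."""
    counts = Counter(key(r, quasi) for r in records)
    return min(counts.values()) if counts else 0


def generalize(records):
    """Coarsen birth_year to the decade and the FSA to its first character."""
    out = []
    for r in records:
        g = dict(r)
        g["birth_year"] = r["birth_year"] // 10 * 10
        g["fsa"] = r["fsa"][:1]
        out.append(g)
    return out


if __name__ == "__main__":
    print("k-anonymity of release:", k_anonymity(DEIDENTIFIED))
    print("re-identified by linkage:", link(DEIDENTIFIED, PUBLIC))
    print("diagnosis inferred:", infer_sensitive(DEIDENTIFIED, PUBLIC))
    rel, pub = generalize(DEIDENTIFIED), generalize(PUBLIC)
    print("after generalization, k =", k_anonymity(rel))
    print("re-identified by linkage:", link(rel, pub))
    print("diagnosis still inferred:", infer_sensitive(rel, pub))
```

On the raw release, four of the six rows link to exactly one named person and every diagnosis can be attributed. After generalization the release is 2-anonymous and no row links uniquely, yet the two K2P records still give away “hypertension” for both matching people, because the group is homogeneous on the sensitive attribute. This is why removing names, or even guaranteeing a minimum group size, does not by itself make released data non-personal.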

Questions & comments:

  1. If the PA and PIPEDA are to be more closely aligned, will PIPEDA also be updated? If so, how would this impact the range of permitted collection, use and disclosure of both personal and de-identified information between public and private bodies?
  2. Intersection with other federal legislation: how will this proposed new Act intersect with the newly tabled Consumer Privacy Protection Act (CPPA, https://parl.ca/DocumentViewer/en/43-2/bill/C-11/first-reading)? The CPPA introduces new disclosure provisions under which consent is not required where disclosure would favour business operations (Subsections 18 – 28). If the PA and PIPEDA are to be more closely aligned, there appears to be some overlap with the CPPA. Since individuals are required to use commercial intermediaries (which appear to be subject to both PIPEDA and the CPPA) in order to access government services, questions arise regarding which legislation applies, particularly regarding protections for the individual and permitted uses of both personal and de-identified information.
  3. Where the only means to access government services is through electronic means, the use of commercial intermediaries (e.g. email provider, internet browser, internet service provider) is necessary. Such commercial intermediaries are subject to PIPEDA and apparently also the CPPA. Which legislation prevails? An email provider or internet browser may disclose personal information to a business partner under the new CPPA provisions, but when personal information is collected in the course of an individual’s electronic application to a federal body and concurrently collected by the commercial entity for its business purposes, and considering that this is sometimes the only means for the individual to submit an application, this raises questions surrounding the legitimacy of the authority to collect that personal information through such means.