Criminal Lawyers’ Association Position on Digital COVID-19 Contact Tracing

The Criminal Lawyers’ Association (CLA) is one of the largest speciality legal organizations in Canada, with over 1,600 members. It is a voice for criminal justice and civil liberties in Canada. The CLA has intervened in numerous landmark cases before the Supreme Court of Canada concerning digital privacy rights (e.g., Vu, Fearon, Spencer, Marakah), drawing on its expertise on the impact of state action on individual liberties.

In the context of the current COVID-19 pandemic, many governments have begun to consider and deploy contact tracing apps aimed at tracking and containing the spread of the virus. Such apps have been put into use in Singapore, Australia, and Alberta.

The CLA is concerned that if not appropriately circumscribed, the use of contact tracing apps in Canada could have serious impacts on Canadians’ civil liberties, particularly their privacy rights. Canada’s Federal, Provincial, and Territorial Privacy Commissioners[1] have issued a joint statement of principles on the development and use of tracing apps, which the CLA generally endorses.

The CLA wishes to elaborate upon these principles as set out below.

  1. Adoption of digital contact-tracing must be subject to oversight and accountability.

The federal government has a role to play in setting national standards for the collection, use, and sharing of personal information through digital surveillance tools for contact tracing and tracking. The CLA calls upon the Government of Canada to set reasonable standards under its criminal law and/or emergency powers jurisdiction to ensure that any data collection powers and any data collected through digital surveillance are:

  • de-identified and aggregated, with technical, physical, and administrative protections against re-identification and disaggregation. This prevents against identification of individuals and protects against potential vigilantism, and other forms of discrimination against individuals and groups based on actual or perceived infection-status;
  • encrypted and subject to meaningful legal and technical security protections around both data collection and storage;
  • subject to meaningful limits around the type and range of personal information that can be collected. Only information necessary for established public health uses should be collected;
  • maintained subject to strictly-enforced time-limits. These time limits should include specified end dates that are conservative, with the option to extend if required. Personal information maintained in any centralized databases should be destroyed when the crisis ends; and
  • not shared with law enforcement, border authorities, other agents of the state, or commercial entities, with any exceptions to this blanket prohibition being clear and narrowly circumscribed .

Any new surveillance and data-collection powers must also be subject to independent oversight, accountability, and due process measures. All proposed surveillance and data collection powers must be subject to privacy impact assessments at both the implementation and operation stages, with review by the relevant privacy commissioner or appropriate independent third parties appointed for this purpose. Additionally, governments should consider references to the courts for assessment of legality and constitutionality of proposed new powers of digital surveillance and data collection.

There needs to be ongoing monitoring and evaluation of measures by the relevant privacy commissioner or independent third party for effectiveness at achieving the measures’ objective, for minimal intrusion, and for security. If the monitoring and evaluation is to be done by the relevant privacy commissioner in a jurisdiction, the power to conduct independent audits must be given to those privacy commissioners who do not yet have this power (at present, some Canadian jurisdictions’ privacy commissioners have the power to conduct audits, while others do not) legislatively or through the appropriate legal tool.

Due process mechanisms must exist to enable individuals to seek recourse with respect to breaches, or misuse through new digital contact surveillance powers, or to correct inaccurate or biased information collected or stored under such powers. This should be accomplished by giving individuals the right of complaint to the relevant privacy commissioner and a right of action enforceable in the courts.

  • Data collection must be purpose-limited, for public health purposes only. Any permitted secondary use of data must be narrow and clearly circumscribed.

Surveillance-based measures must be for the purpose of collecting information for public health purposes only, and not for other reasons. Data must not be collected for law enforcement or other governmental or commercial purposes. There must be strict divisions between health authorities and law enforcement authorities in terms of access to and use of data being collected through a contact tracing app. Data collected for public health purposes must not be made available to law enforcement, border authorities, other agents of the State, or commercial entities. Any exception to this general prohibition must be clear and narrowly circumscribed.

Australia’s recently enacted Privacy Amendment Act (“Australian Legislation”) governing the collection, storage, and use of personal information by its COVID tracing application, are instructive in this regard.[2] The Australian Legislation makes it a criminal offence to use, collect, or disclose COVID app data, except in clearly and narrowly circumscribed circumstances.[3] Importantly, the Australian Legislation protects against law enforcement use or retention of COVID app data even where a law enforcement agency has legitimate access to an individual’s mobile communications device under other lawful authority (pursuant to a warrant, legislation, or incident to arrest).[4]

The CLA encourages the adoption of a regulatory or legislative scheme similar to the Australian example. Disclosure or use of any COVID app data for anything other than public health purposes should be prohibited. In particular, law enforcement should not be permitted to access or use such information for anything other than enforcement of the data and rights protection scheme.

The CLA asks that the rights-protective regulatory or legislative scheme it seeks make clear that law enforcement may not collect, access, search, or seize digital contact tracing information for the purposes of investigating or prosecuting offences under the Criminal Code or other federal or provincial legislation or regulation. Even where law enforcement has appropriate legal authority to seize and search individuals’ mobile devices to investigate Criminal Code or other offences, they may not access, seize, use or retain such COVID app information as may be contained on a device. As is the case in Australia, any data incidentally collected pursuant to authorized seizure of non-COVID app data must be deleted as soon as possible and may not be used for any law enforcement purpose.

For clarity, the CLA maintains that even regulations like Ontario Regulation O. Reg. 120/20[5] that authorize the sharing of COVID infection status information with first responders, including law enforcement, do not authorize sharing of digital contact tracing information with law enforcement. Digital surveillance tools for contact tracing are intended to collect more information than simply infection status, including movements in time and space, association and contact with others, and possibly further personal information. Regulation intended to protect first responders cannot justify the disclosure of digital tracing information.

  • Any decision to recommend or deploy digital surveillance tracing technologies must account for vulnerable populations.

Mandatory use of contact tracing applications will disproportionately impact already marginalized populations, including individuals experiencing poverty, addiction, and mental health issues, who are less likely to have access to the smartphone technology required to run contact tracing apps. Research suggests that anywhere between 14 and 19% of Canadians 18 years of age and older do not own smartphones.[6] A recent survey in the American context also revealed that those 65 and older are disproportionately less likely to own a smartphone.[7] Any planned deployment of tracing apps must account for impacts on vulnerable and marginalized populations. For example, will additional consideration or public health supports be provided to those who are unable to use the app?

  • Surveillance tools other than anonymized, non-location-tracking digital tracing applications have the potential for serious rights violations, especially if used in combination with each other. Their use should be discouraged and, where employed, strictly regulated.

Favoured options for COVID digital tracing in Canada at present involve Bluetooth-based, non-location tracking, anonymized applications. There are, however, a number of other surveillance technologies in use around the world, and in development in Canada and elsewhere, that could result in greater rights violations than current favoured options.

The CLA maintains that surveillance technologies that have the potential for serious rights violations should be resisted by Canadian governments or public/quasi-public bodies. The use of such tools should be discouraged and where employed, subject to strict rights-protective regulation.

John Struthers, CLA President
Jill Presser, CLA Criminal Law and Technology Committee Co-Chair
Lisa Jørgensen, CLA Director
Pam Hrick, CLA Criminal Law and Technology Committee Member

[1] “Supporting public health, building public trust: Privacy principles for contact tracing and similar apps”, May 7, 2020, available at: https://www.priv.gc.ca/en/opc-news/speeches/2020/s-d_20200507/.

[2] Parliament of the Commonwealth of Australia, Privacy Amendment (Public Health Contact Information) Act 2020, No. 44, 2020, assented to May 15, 2020, available at: https://www.legislation.gov.au/Details/C2020A00044 (“Australian Legislation”).

[3] Australian Legislation, s. 94D

[4] Australian Legislation, s. 94D(3)(c)

[5] O. Reg. 120/20: Order Under Subsection 7.0.2(4) of the Emergency Management and Civil Protection Act, R.S.O. 1990, c. E.9,available at: https://www.ontario.ca/laws/regulation/r20120.

[6] Ian Hardy, “86% of Canadians own a smartphone, says CTA report”, November 5, 2018, Mobile Syrup. Available at: https://mobilesyrup.com/2018/11/05/86-percent-of-canadians-own-smartphone/; CRTC Communications Monitoring Report 2019, p. 318, available at: https://crtc.gc.ca/pubs/cmr2019-en.pdf

[7] Craig Timberg, Drew Harwell, and Alauna Safarpour, April 29, 2020, Washington Post, available at: https://www.washingtonpost.com/technology/2020/04/29/most-americans-are-not-willing-or-able-use-an-app-tracking-coronavirus-infections-thats-problem-big-techs-plan-slow-pandemic/.

One response to “Criminal Lawyers’ Association Position on Digital COVID-19 Contact Tracing”

  1. John Carter says:

    Thanks for sharing this informative article. The principles you mention here are helpful.

Leave a Reply

Your email address will not be published. Required fields are marked *

For security, use of Google's reCAPTCHA service is required which is subject to the Google Privacy Policy and Terms of Use.

I agree to these terms.