Now that 2021 is upon us, we can finally close the book on 2020 — a most remarkable year that will have a lasting impact on privacy, both personally and professionally. A quick look back will help put things in perspective, and allow us to appreciate how far we’ve come — and what lies ahead for future generations.
Nine months ago, on March 11, 2020, the world as we knew it changed. That was the day that the World Health Organization declared the novel coronavirus COVID-19 a global pandemic, and our lives entered a pregnant pause like no other.
In the months since then, pandemic-related emergency orders issued by Canadian governments affected all aspects of life and work, and compelled us to quarantine and withdraw from society. As scientists, politicians, and medical authorities guessed how long it might take for the new affliction to be vanquished, the world went into confinement. But unlike the elites of earlier times — who were attended to throughout their pregnancies by midwives, ladies-in-waiting, and female family members — the COVID confinement has not been a source of comfort or relaxation for many.
On the contrary, relaxing pastimes, like sitting alone on a park bench, walking a dog, or watching your child play, were outlawed. People isolated during confinement, anxious about sudden financial instability, or overcome by rapid changes that disrupted all semblance of work/life balance labored to maintain mental health.
On the positive side, many of us have been pleasantly surprised at the many kindnesses shown by strangers, by our resilience and ingenuity, and the usefulness of technology as a relief to Covid concerns. The pandemic also provided an extraordinary opportunity for technologies to be leveraged in overcoming the challenges wrought by the pandemic.
Digital online mental health and addictions platforms made available through Government-sponsored programs offered quick access to resources, and directed sufferers to private counseling services (some of which use personal information for fundraising and research).
Virtual healthcare services — sometimes rolled out before PIA reviews could be completed — were promoted as a necessity to keep people safe, and out of hospitals, as we were discouraged from going to doctors’ offices, clinics, and hospitals. The campaigns left people with few options but to use online healthcare; and that short-term success promises to have profound lasting-power.
On May 1st — before Canada’s information and privacy commissioners issued a joint statement setting out the privacy principles to be used in contact tracing apps — Alberta launched the ABTraceTogether contact tracing app, despite concerns related to its functionality, its privacy shortcomings, and uncertainties about data collection and retention. In doing so, it took its place alongside 25 countries that had introduced contact tracing apps to assist the people who actually do the contact tracing (by year end, more than 40 had introduced similar apps). By December 21st, only 287,251 Albertans — a mere 6 percent of the province’s population — were using the ABTraceTogether app.
Although the apps were characterized as “absolutely critical” tools to contain the spread of COVID-19, many countries suspended, replaced, or relaunched their COVID tracing apps, or supplemented them with wearable tags and bracelets once reserved for sex offenders and people out on bail, and the dismal uptake of the apps inspired Google and Apple to build one into their operating systems.
Some of the contact and proximity apps allowed governments to spy on their citizens, and track where people go, who they are near, when and for how long. Other apps alerted users (at least those who read the ‘privacy’ policy) that “all information” provided “will be made available publicly” and shared with “healthcare providers, researchers, and others working to stop COVID-19” — who might be anywhere in the world — and “as required or permitted by applicable laws” which doesn’t exclude much. Yet others offer no privacy statement at all.
Contactless and online purchasing was promoted to allow everyone (who has a credit or debit card) to avoid touching filthy lucre even though there is little to no evidence that contaminated surfaces can spread the virus. Digital transactions also facilitated tracking purchases and people, and provided a bonanza for porch pirates to profit by pilfering packages.
Occasional media reports of porch pirates stealing packages left on doorsteps, and rare reports of video doorbell systems that recorded criminal activity, have been exploited to encourage the use of smart doorbells. Inspired by device vendors, more than 600 police departments encouraged homeowners to install video doorbells, and allow law enforcement ready access to the video stream. Promoted as valuable tools to avoid contact with visitors and the people delivering purchases ordered online, and to improve personal, family, and community safety, the devices capture any activity in the doorbell’s field of view. Fortunately, police promise not to store video footage “indefinitely,” and to “return” any video used in a police investigation “once it is no longer required as part of any court proceedings” (which, especially in cold cases, can be decades).
Nations aghast at China’s use of QR code-scanning to control people’s movements quickly adopted similar technologies. New contactless access and check-in systems relying on QR codes or facial recognition allow businesses, governments, and property managers to enforce pandemic protocols and business objectives while identifying and tracking visitors.
France, Israel, Spain and Singapore were among the countries that launched quarantine trackers and drones equipped with high-resolution cameras and facial recognition to help enforce social distancing measures, peer into homes to enforce quarantine, and facilitate the identification of Covid quarantine scofflaws — even as police acknowledged shortcomings and high false positive rates that have led Washington state, San Francisco, Cambridge (US), the California Legislature and other jurisdictions to ban or halt the use of facial recognition technology.
A half-century after the term ‘telecommuting’ was coined, remote work finally helped many employers realize that business can proceed, even when people are out of sight. Deploying collaboration tools and other technologies to monitor employees and gauge their sentiments, while peering into their homes and private lives a bit too closely for many people’s comfort, led to objections that inspired some technology companies to improve privacy safeguards.
The ‘edtech’ sector also provided pandemic solutions, enabling remote schooling and virtual proctoring to proceed — leading legions of students and parents experiencing Orwellian privacy invasions to voice their displeasure.
As in-person conferences were cancelled and organizations rushed to hold virtual meetings and events, videoconferencing platforms scrambled to meet the sudden demand. (Side note: Organizations often have disaster plans; very few have success plans.) While people rushed to acquire and become familiar with the technology needed to navigate the new digital landscape, and create space in their environments that they would be comfortable revealing, they also encountered embarrassing moments, security problems, privacy issues and Zoom fatigue.
Throughout the year, as Covid contagion swelled, PACC monitored the pandemic’s impact on privacy and access to information, on practitioners’ operations, and on people’s discomfort with the prospect of having to allow colleagues and strangers into their homes — especially via technology that can record audio and video — and advocated for members, through media and virtual events in Canada, Singapore, and the United States.
In June, Quebec introduced Bill 64, to modernize the province’s private sector privacy legislation. The amendments provide for severe monetary penalties, statutory damages, incident reporting, mandatory Privacy Impact Assessments, and other measures that are equivalent to — or exceed — the GDPR. That same month, the federal Information Commissioner reminded a Parliamentary committee that “Embarrassment is not an exclusion under the act” and that “Ottawa should treat access to information as an essential service during pandemic;” yet federal government ATIP offices had already slowed or stopped responding to access requests, and Alberta, Manitoba, and other provinces had extended the time limit for responding to access requests.
While many governments were criticized for being stingy with information, the Alberta government granted police access to health records, and Ontario police, firefighters and paramedics were granted access to personal health information — and use it they did, with Ontario police services conducting over 95,000 searches of the COVID-19 database while it was active.
As Ontario welcomed a new Information and Privacy Commissioner, July saw the European Court release its long-awaited ruling on the Schrems II case, creating further economic uncertainty in Canada and other Third Countries, and clarifying the need for consistency within the data protection profession. The month also saw PACC enter into a partnership with the CIO Strategy Council to develop national standards for the qualification and proficiency of data control professionals, with the PACC Professional Certification Program as the foundation of the initiative.
Increased recognition of the need for well-qualified data protection professionals was implicit in the Ontario consultation about private sector privacy legislation. In October, PACC conveyed members’ recommendations on the topic in its submission and, that same month, the Standards Council of Canada published the General Data Protection Regulation Guidance for Canadian Businesses, which contains contributions from PACC members and was edited by PACC President Sharon Polsky MAPP.
October also saw the federal Information Commissioner again remind parliamentarians that Canadians care about access to information, and report that her office received more than 6,000 new complaints in the year — more than double the number in the previous year. As well, after more than two years of investigations, the federal Privacy Commissioner concluded that covertly collecting shoppers’ facial images without notice or consent violates PIPEDA; but the outcome was yet another reminder that the law and the Commissioner’s powers are inadequate.
To fulfill promises made by successive administrations to update the country’s privacy and access regime, November saw the Government of Canada introduce Bill C-11 — the Digital Charter Implementation Act, 2020 — intended to modernize Canada’s private sector privacy law that came into force at the turn of the century. Recognized as long overdue, and hailed as a significant modernization of Canada’s private sector privacy legislation, with fines that could exceed those under the GDPR, the proposed legislation is problematic from the consumer’s perspective, and preserves the problematic consent model that has facilitated the exponential growth of the $200BN data broker industry that makes a living from personal and medical data despite being under scrutiny for years.
Scrutinizing problematic provisions to reduce red tape was a focus of the Alberta government which, to many Albertans’ consternation, included amending health privacy legislation to pave the way for telehealth and fundamentally shifting the purpose for collecting personal information, with the new objective being to enable and provide access to health information. The changes also eliminate the need to conduct Privacy Impact Assessments, and require custodians to collect individually identifying health information where disclosure of the information is authorized by any enactment of Alberta or Canada (including municipal bylaws).
The opposite approach was taken in Ontario, which strengthened its health information privacy law and imposed new obligations for health information custodians, even as it embraced technology and digital identity verification as part of the Ontario Onwards Action Plan.
Among the pandemic’s many unanticipated benefits were the reduction in global carbon emissions, and the number of vehicle collisions. As auto insurers promised rebates during lockdowns, auto insurance legislation reaffirmed the importance of privacy protection and effective access to information.
As the most challenging year in living memory comes to an end, its economic, privacy and access-related impacts will reverberate for generations. For now, we celebrate a year of achievement, tenacity and forbearance born of necessity and confinement, and appreciate that the pandemic has laid bare the importance of ensuring that data protection professionals are well prepared, well regarded, and well represented by an organization that is an effective voice for privacy and access.