Privacy Commissioners Comment on Vaccine Passports
As the number of Canadians who have received their first dose of one of the COVID-19 vaccines increases and case numbers continue to decline across the country, we are seeing the slow easing of the public health orders and restrictions which, among other things, closed restaurants, limited occupancy, and curtailed travel. As a result, governments and businesses have begun to shift their focus on post-pandemic recovery, as re-opening plans continue to be rolled out.
To help facilitate this re-opening, and to encourage higher vaccination rates, “vaccine passports” are being considered by businesses, industries and various levels of government as a means of confirming a person’s COVID-19 vaccination status. In Canada, Quebec has already started to issue downloadable QR codes that individuals can keep on their phones to prove that they have been vaccinated. While vaccine passports may ultimately take a variety of different forms – from physical certificates to smart phone credentials – in essence, they represent a record containing personal health information that individuals may be required to disclose to employers or in exchange for certain goods, services or access.
On May 19, 2021, the Federal, Provincial, and Territorial Privacy Commissioners (the “Privacy Commissioners”) released a joint statement relating to certain privacy concerns raised by the development of vaccine passports (the “Statement”). Citing a need to incorporate “privacy best practices” in order to achieve protections commensurate with the sensitivity of individuals’ personal health information, the Statement serves to remind of the serious privacy issues that should be considered alongside the potentially significant benefits that vaccine passports may ultimately facilitate. However, the Statement leaves open important questions of interpretation, some of which are discussed further in the Commentary section below.
Summary of the Statement
In the Statement, the Privacy Commissioners recognize that vaccine passports could offer substantial public benefit, including the promotion of personal liberties, fewer restrictions on social gatherings, and accelerated economic recovery. However, they caution that vaccine passports may also represent an encroachment on civil liberties that should only be pursued after careful consideration. The Statement recommends that any vaccine passport be developed and implemented in compliance with federal and provincial privacy laws, and should incorporate privacy best practices to ensure the highest level of privacy protection, given the sensitivity of the personal health information collected and disclosed.
The Privacy Commissioners propose that when developing and approving vaccine passports, the necessity, effectiveness and proportionality of the vaccine passports and the contexts in which they are used must be considered to ensure that they comply with the principles underlying Canadian privacy law.
The Privacy Commissioners further suggest that vaccine passports must be limited in terms of the time and scope of their use, advocating that they should be decommissioned “if, at any time, it is determined that they are not a necessary, effective or proportionate response to address their public health purposes.”
Recognizing that private businesses will be some of the primary users of vaccine passports, the Privacy Commissioners recommend that private sector entities requesting that individuals present a vaccine passport in order to receive services or enter premises must ensure that they have the legal authority to make such a request. In the view of the Privacy Commissioners, this authority should come from legislation or a public health order that clearly specifies: (1) the existence of the legal authority to request or require a vaccine passport; (2) to whom the authority is being given; and (3) the specific circumstances where the authority is operative.
The Privacy Commissioners also suggest that, absent legislation or a specific public health order, consent may provide sufficient legal authority for the implementation of vaccine passports by private sector entities. However, in such instances the Privacy Commissioners contend that: (1) consent must be voluntary and meaningful; (2) the information must be necessary to achieve the purpose; (3) the purpose must be appropriate in the circumstances; and (4) individuals must have a true choice, i.e., consent must not be required as a condition of service.
In contrast, the Privacy Commissioners suggest that, when it comes to public bodies, consent alone will not be a sufficient basis upon which to proceed and implement vaccine passports. In particular, they interpret public-sector legislation to the effect that consent may not be meaningful where a government or public body has a “monopoly” over a particular service.
(a) Balancing of Rights
The Statement appears broadly aimed at a range of audiences, including legislators, government entities and commercial businesses. Unfortunately, the Statement does not always distinguish which group(s) each recommendation is directed towards. For example, the Statement includes the following when discussing the balancing of rights in connection with a vaccine passport:
“Above all, and in light of the significant privacy risks involved, the necessity, effectiveness and proportionality of vaccine passports must be established for each specific context in which they will be used.
● Necessity: vaccine passports must be necessary to achieve each intended public health purpose. Their necessity must be evidence-based and there must be no other less privacy-intrusive measures available and equally effective in achieving the specified purposes.
● Effectiveness: vaccine passports must be likely to be effective at achieving each of their defined purposes at the outset and must continue to be effective throughout their lifecycle.
● Proportionality: the privacy risks associated with vaccine passports must be proportionate to each of the public health purposes they are intended to address. Data minimization should be applied so that the least amount of personal health information is collected, used or disclosed.”
These principles are presented as being generally applicable to both governments and businesses, but as they relate to businesses, they fail to consider bona fide business interests. Taking the Personal Information Protection and Electronic Documents Act (“PIPEDA”) as the example, Section 5(3) states that “An organization may collect, use or disclose personal information only for purposes that a reasonable person would consider are appropriate in the circumstances”, which is read in light of PIPEDA’s purpose (set out in Section 3) of balancing the right of privacy of individuals with the legitimate needs of businesses. As noted by the OPC in its guidance document on Section 5(3) (quoting A.T. v. Globe24h.com), “the courts have generally taken into consideration whether: ‘1) the collection, use or disclosure of personal information is directed to a bona fide business interest, and 2) whether the loss of privacy is proportional to any benefit gained.’”
The balancing of bona fide business interests with the privacy rights of individuals is fundamental to Canada’s current private sector privacy laws. By comparison, the Statement focuses on necessity, effectiveness and proportionality to achieve a public health purpose and does not include any consideration of legitimate business needs. As such, the considerations set out in the Statement would not be entirely accurate if they were applied to businesses.
(b) Legal Authority
In the Statement there is a suggestion that, for businesses and other entities that are subject to private sector privacy laws, the clearest authority under which to proceed with adopting some form of vaccine passport program would be a newly enacted public health order or law requiring the presentation of a vaccine passport to enter a premises or receive a service. This approach could help prevent a patchwork of policies and systems throughout the private sector, and leave the burden of analysis regarding the legal basis for such programs and how they should be regulated, with policy-makers.
At least in the context of the travel industry, Health Minister Patty Hajdu has indicated that the federal government embraces the concept of vaccine passports and is considering possibilities for a standardized approach to certification forms for vaccinated Canadians that wish to travel internationally.
A consideration of any existing legal authorities that may be relied upon by businesses in other industries wishing to introduce a requirement for vaccine passports may also be worthwhile. For example, individual provinces in Canada already have laws that require students to show proof of immunization against certain diseases. Also, various provincial occupational health and safety laws impose general duties on employers to ensure the health and safety of workers, but the use of such laws to require vaccines has not been broadly tested in Canada.
With respect to the issue of consent as a legal basis for vaccine passports, the Statement sets out the following:
“…consent may provide sufficient authority if it meets all of the following conditions, which must be applied contextually given the specifics of the vaccine passport and its implementation:
● Consent must be voluntary and meaningful, based on clear and plain language describing the specific purpose to be achieved;
● The information must be necessary to achieve the purpose;
● The purpose must be one that a reasonable person would consider appropriate in the circumstances;
● Individuals must have a true choice: consent must not be required as a condition of service.”
The first three bullets above are broadly aligned with the requirements of private sector privacy laws (to use PIPEDA as the example, see Section 5(3) and PIPEDA Principles 2 (Identifying Purposes) and 3 (Consent)). The fourth bullet, however, is a notable departure from private sector privacy laws, which recognize that an individual’s consent may be required as a condition of service in various circumstances. For example:
- the Model Code to PIPEDA explains in clause 4.3.3 that “An organization shall not, as a condition of the supply of a product or service, require an individual to consent to the collection, use or disclosure of Personal Information beyond that required to fulfil the explicitly specified and legitimate purposes” (PIPEDA Principles clause 4.3.3); and
- the Guidelines for Obtaining Meaningful Consent state the following: “Individuals cannot be required to consent to the collection, use or disclosure of personal information beyond what is necessary to provide the product or service…For a collection, use, or disclosure to be a valid condition of service, it must be integral to the provision of that product or service such that it is required to fulfill its explicitly specified and legitimate purpose.”
The above examples make clear that consent may be required as a condition for service in various circumstances. This is a commonly accepted practice in our daily lives (for example, providing a driver’s license to rent a car or to enter a pub). There does not appear to be any reason why the use of vaccine passports (or other verifications of vaccines) by private businesses should be treated any differently, especially where doing so negates a business’s reasonable interest (especially in contexts of heightened risk or occupational health and safety concerns) in implementing a mandatory proof of vaccine requirement.
(d) Consent in Quebec
Interestingly, the Statement indicates that “[i]n Quebec, consent cannot form the legal basis for vaccine passports”. The Statement suggests that requesting the presentation of vaccine passports in Quebec would require that the information is necessary to achieve a specific purpose, one that is serious and legitimate.
This interpretation appears to stem from the requirements for valid consent under Section 14 of Quebec’s Act Respecting the Protection of Personal Information in the Private Sector, which states:
“14. Consent to the collection, communication or use of personal information must be manifest, free, and enlightened, and must be given for specific purposes. Such consent is valid only for the length of time needed to achieve the purposes for which it was requested.
Consent given otherwise than in accordance with the first paragraph is without effect.”
However, if it is possible for an individual to know the purposes for which they are presenting their vaccine passport and the uses that will be made of their personal information (for example, to permit the individual to travel or enter an event venue), it seems to be a stretch to conclude absolutely that consent cannot form the legal basis for vaccine passports in Quebec. While consent may not be valid in respect of uses unknown to the individual, that complication would not be unique to Quebec.
(e) Evidence of Vaccine Effectiveness
In connection with the discussion of necessity, effectiveness, and proportionality, and the legal authority for the introduction of vaccine passports, the Statement includes the following:
“So far we have not been presented with evidence of vaccine effectiveness to prevent transmission, although members of the scientific community have indicated that this may be forthcoming.”
The effectiveness of vaccines is a relevant consideration for justifying the collection and use of the personal information contained in a vaccine passport for such purposes as currently contemplated by governments and businesses.
However, the determination of vaccine effectiveness based on scientific evidence is a matter for Health Canada and public health officials, rather than the Privacy Commissioners, who have no expertise in the field (or jurisdiction to make such determinations). Before authorizing a vaccine, Health Canada must assess the scientific and clinical evidence to determine (among other things) if a vaccine is effective, with difficult decisions to be made in the midst of a global health crisis. It is not clear why the Statement suggests that there is any role of a privacy regulator to make a potentially conflicting determination as an adjunct to a privacy evaluation. Comity between regulators would suggest deference generally, and especially during a health crisis.
Further evidence of vaccine effectiveness based on real life use may be forthcoming, but, in the meantime, government and public health officials in Canada claim that all COVID-19 vaccines in Canada are “effective”, “saving lives”, and that they provide protection for the vaccinated person and the community around them. In the context of a public health emergency, public health orders and recommendations to protect the public are often based on evolving evidence. As such, any suggestion that it is necessary to wait for further evidence of vaccine effectiveness in order to solidify the privacy law analysis around the necessity of vaccine passports, particularly in the face of the current evidence of vaccine effectiveness espoused by the relevant authorities, could have an unintended detrimental impact on the timing of pandemic recovery efforts.
The Statement references “trust” as a requirement for vaccine passport programs under consideration. The Statement suggests that for vaccine passports introduced by and for the use of public bodies, consent alone is not a sufficient basis upon which to proceed under existing public sector privacy laws.
While the basis for trust as a requirement is not anchored in the text of current Canadian privacy law, it has been considered in the broader policy context of privacy laws as relating to the relationship between individuals and government. In its reference document published in 2010 titled “A Matter of Trust: Integrating Privacy and Public Safety in the 21st Century”, the OPC stated:
“Without privacy, without protective boundaries between government and citizens, trust begins to erode. Good governance requires mutual trust between state and citizen. Otherwise, alienation and a sense of inequality begin to spread, circumstances under which no program for public security can be tenable or effective in the long term. Where citizen trust hits a low point, in fact, such security measures may be undermined, ignored, circumvented — or in the most egregious cases — passively or actively resisted.”
Nevertheless, the Privacy Commissioners’ emphasis on trust alongside consent, as a privacy concept, is noteworthy.
We recognize that change resulting from COVID-19 is happening in real-time. Our team will continue to monitor these developments and any further guidance from the Privacy Commissioners related to vaccine passports, and provide additional updates and commentary as necessary.
For more information about the content of this update, or to discuss legal issues arising in your organization’s response to COVID-19, please contact Lara Nathans, Trevor Lawson, or one of the authors.
The McCarthy Tétrault COVID-19 Recovery Hub is full of relevant, detailed and accessible information about the COVID-19 pandemic, vaccine rollout, and other matters that affect Canada’s economy and your business.