CAUTION: We have been advised that fraudulent emails with a modified domain name have been sent by a source purporting to be from Aird & Berlis LLP. These communications are not legitimate and are not from Aird & Berlis LLP. Disregard any such emails and do not engage with the sender or the email in any way. Please report the attempted fraud by contacting the Canadian Anti-Fraud Centre and by emailing Aird & Berlis LLP at

Back to all blog posts

Posted in: Data Security/Privacy | TheSpotlight Categories

Mar 27, 2020

Geolocation and the Fight Against COVID-19

Could the Emergencies Act Overrule Privacy Law Protections for Cellphone Location Data?

By Paige Backman and Stephanie D’Amico

(1) The longstanding tension between public safety and civil liberty

While COVID-19 is a “novel” coronavirus, the tension it stokes between public welfare and personal freedom is anything but new. In the 1970s, our nation had a divided response to the federal government’s invocation of the War Measures Act to suppress terrorism during the October Crisis. More recently, the same themes emerged in debates about the controversial Patriot Act in the wake of 9/11 in the United States. The delicate balance between public safety and civil liberty is a fixture of democratic society and has, once again, come to the fore as the world grapples with a global pandemic for the first time in more than one hundred years.

Today, the battle is between public health and personal privacy. An increasing number of jurisdictions are leveraging geolocation data from cellphones to combat COVID-19, and many are wondering whether such extraordinary measures can or will be implemented in Canada to help “flatten the curve.” Geolocation data tracks every person’s movements, day and night, so long as they have their mobile phone with them and it’s turned on. It can inform where you are and who you are with. In the ordinary course, mobile phone tracking and other digital surveillance activities would, at minimum, butt heads with both the Charter and Canada’s existing privacy legislation. However, the extraordinary powers in the federal Emergencies Act (the successor legislation to the repealed War Measures Act) could, in theory, empower the legal use of geolocation data to fight the pandemic.

(2) The use of geolocation data to prevent the spread of COVID-19

Globally, mobile carrier data has been used in a range of different ways to buttress health authorities’ efforts to combat COVID-19. In general, geolocation data is typically used in three ways: (1) to ensure compliance with quarantine and social distancing protocols; (2) to retrospectively review the movements of those who have tested positive for the virus in order to prevent community spread; and (3) to provide real-time alerts to people in proximity to someone who has tested positive for the virus.

Taiwan, for example, has implemented an “electric fence” which collects geolocation data from cellphones to monitor and enforce quarantine. The system alerts law enforcement officials if citizens under quarantine leave their address or turn off their phones. Regular phone calls are made to ensure those ordered to self-isolate are not venturing out in public and leaving their phones at home. There are considerable fines for violating quarantine.

Singapore has developed the “TraceTogether” App which, among other things, allows the government to use retrospective location data to review the movements of citizens who have tested positive for the virus in order to track and reduce community spread.

The Israeli government drew attention last week for ordering hundreds of citizens to self-isolate via text message because location data collected by the ISS indicated they had been in proximity to a person who had tested positive for COVID-19.

Some of the most extreme and Orwellian uses of geolocation data have been seen in China, where citizens’ access to checkpoints is restricted based on a colour-based QR code which corresponds to a person’s health status. South Korea, Italy, Germany and Austria are among the other jurisdictions sharing geolocation data with health authorities in an effort to help combat the virus. Discussion of technological intervention has begun in the United States.

(3) Protections for geolocation data under Canadian privacy law

The Canadian Charter of Rights and Freedoms (the “Charter”) does not specifically mention privacy or the protection of personal information. However, Section 7 of the Charter states that an individual’s right to life, liberty and security of person is a fundamental human right and Section 8 of the Charter similarly protects our fundamental human right to be free from unreasonable searches from the government. Further, the Supreme Court of Canada has expressly determined that the right to privacy, as set out in the Privacy Act, is a “quasi-constitutional” human right. The values set out in the Privacy Act have been found to be closely linked to those fundamental rights set out in the Charter as being necessary to a free and democratic society.

The Personal Information Protection and Electronic Documents Act (“PIPEDA”) applies to private-sector organizations across Canada that collect, use or disclose personal information in the course of a commercial activity. This includes telecommunications companies and mobile carriers which, for the most part, are the entities that collect and have access to the geolocation data that could be weaponized against COVID-19.

A fundamental purpose of PIPEDA and its provincial counterpart legislation across Canada is to formalize by statute applying to the private sector protections for “personal information” and to ensure that the collection, use or disclosure of personal information, including individuals’ location and movement, occurs only with consent.

PIPEDA defines “personal information” broadly as “information about an identifiable individual.” It includes information that can identify an individual directly or through reasonably available means. The geolocation data to be used by government to enforce quarantine protocol or to provide real time alerts would be considered personal information.

There are various provisions in PIPEDA which would arguably permit the disclosure of personal information – in this instance, geolocation data – to government institutions without the consent of the individuals. For example, Section 7(3) of PIPEDA provides that:

(3) an organization may disclose personal information without the knowledge or consent of the individual only if the disclosure is…

(c.1) made to a government institution or part of a government institution that has made a request for the information, identified its lawful authority to obtain the information and indicated that

(i) it suspects that the information relates to national security, the defence of Canada or the conduct of international affairs,

(ii) the disclosure is requested for the purpose of enforcing any law of Canada, a province or a foreign jurisdiction, carrying out an investigation relating to the enforcement of any such law or gathering intelligence for the purpose of enforcing any such law,

(iii) the disclosure is requested for the purpose of administering any law of …

(d) made on the initiative of the organization to a government institution or a part of a government institution and the organization

(i) has reasonable grounds to believe that the information relates to a contravention of the laws of Canada, a province or a foreign jurisdiction that has been, is being or is about to be committed, or

(ii) suspects that the information relates to national security, the defence of Canada or the conduct of international affairs;

(d.1) made to another organization and is reasonable for the purposes of investigating a breach of an agreement or a contravention of the laws of Canada or a province that has been, is being or is about to be committed and it is reasonable to expect that disclosure with the knowledge or consent of the individual would compromise the investigation;

(i) required by law.

(4) Use of the Emergencies Act to compel disclosure of geolocation data

Under the Emergencies Act, the federal Cabinet can proclaim a “public welfare emergency” in response to the COVID-19 pandemic. A public welfare emergency has not yet been declared, but the Trudeau government has indicated that the invocation of the Act is not off the table, particularly if the provinces support or request the declaration of a national emergency.

The Emergencies Act imbues the federal government with a broad swath of powers. If a public welfare emergency were declared, Cabinet may be in a position to pass regulations mandating the disclosure of mobile carrier data to aid in the fight against COVID-19. Subsection 8(1) of the Emergencies Act provides that during a public welfare emergency, the Governor in Council may make orders and regulations which are reasonably believed to be necessary to deal with the emergency. The subject matter for possible orders is expansive and includes powers for the requisition, use or disposition of property1 and to regulate the distribution of essential goods, services and resources.2 The broad wording and untested nature of these provisions are such that mobile carrier data could be considered “property” under paragraph 8(1)(c), or be declared an “essential resource” under paragraph 8(1)(e).

The Emergencies Act also includes the ability to impose fines and imprisonment for violation of orders and regulations created under the Act, measures which have already been implemented in jurisdictions with less robust human rights protections. The exercise of Cabinet’s authority under the Emergencies Act is subject to limited judicial oversight.

(5) Conclusion

To date, geolocation data has not been overtly used in Canada to combat COVID-19. However, given the urgent need to respond to the pandemic, measures which would be unthinkable in normal times may be seen as viable options to help contain the outbreak. For some, the availability and use of geolocation data presents a techno-utopian resolution to a public health crisis; for others, it is a work of dystopian speculative fiction waiting to happen. No matter where one lands, the pandemic brings into sharp relief the need to evaluate whether and to what extent diminished data privacy and enhanced surveillance technologies should be tolerated in the context of a public health emergency.

Organizations with questions about privacy or data security can contact our Privacy & Data Security Group.

1 Emergencies Act, R.S.C., 1985, c.22 (4th Supp.), s.8(1)(c)

2 Emergencies Act, R.S.C., 1985, c.22 (4th Supp.), s.8(1)(e)

Areas of Expertise

Related Blogs

Posted in: Court Decision | Privacy

Insights TheSpotlight
Ontario Recognizes False Light Tort of Invasion of Privacy By Paige Backman Feb 24, 2020 Hidden in the text of a strongly-worded family law case, Yenovkian v. Gulian, 2019 ONSC 7279, a new and timely tort based on invasion of privacy was recognized – Publicity Placing Person in False Light.

Posted in: Data Security/Privacy | Privacy | Data Protection

Insights TheSpotlight
Federal Privacy Law – Is It About to Change: Part Deux? By Donald B. Johnston Jan 13, 2020 In my last blog, I speculated about whether privacy law is about to change and promised to write more about it. My speculation was sparked by the 2018-2019 Annual Report to Parliament made by the Office of the Privacy Commission. Here’s a bit more about this excellent report.

Posted in: Privacy

Insights TheSpotlight
Federal Privacy Law – Is It About to Change? By Donald B. Johnston Dec 19, 2019 The 2018-2019 Annual Report to Parliament of the Office of the Privacy Commissioner is interesting reading, and it shows that the OPC has been doing some deep thinking about the nature of privacy and has been looking around the world at the philosophies of privacy in other jurisdictions.

Posted in: Privacy | Court Decision | Data Security/Privacy

Insights TheSpotlight
“Privacy is Not an All-or-Nothing Concept”: The Supreme Court of Canada’s decision in R. v. Jarvis By Donald B. Johnston and Brandon Carter Feb 20, 2019 On February 14, 2019, the Supreme Court of Canada released its decision in R. v. Jarvis, a case that centered on determining when and where a person will be criminally liable for observing or recording others, without their knowledge, for sexual gratification.