By Ritchie Po

COVID-19 has raised a number of privacy law issues. In particular, the proliferation of contact-tracing apps has resulted in a virtual “arms race” to develop effective measures to be used by public health bodies to locate sources of the virus and slow down the spread.

The Canadian government recently announced that they are collaborating with Shopify and Blackberry on an app that the Federal government would own and operate, set to launch as early as July 2020. Use of the app will be entirely voluntary but, if fully implemented, the personal data of as many as 30 million Canadians’ personal information will be given to the custody of the Federal government. How this app will differ from the Trace Together app developed and deployed in Alberta remains to be seen.

While details of the app have not yet been released, the larger question remains as to what privacy law challenges retailers face, and what they must do to remain compliant with public health measures. Here are some of the potential privacy issues that retailers may face in the era of COVID-19.

Retail Location Outbreak “Hot Spots”

In South Korea, aggressive-contact tracing included the mandatory download of an app programmed to send text alerts to people who have been to establishments where an outbreak has occurred or where an infected person may have shopped. The app uses GPS coordinates from customer mobile phones to identify anyone who may have been to the same location. While the text does not identify the name of the person(s) who were infected, it gives a specific date and a range of time of the transmission. The objective is to advise other customers who may have been there to take action by getting tested for COVID-19 and to abide by local public health laws.

In comparison, the new app for Canada, according to Prime Minister Justin Trudeau, will be “completely anonymous, because it's low maintenance, because it is completely respectful of your privacy, — including no location services or geotagging of any sort”. Despite this, retailers may still face challenges in their obligations to provide personal information to health authorities.

From a retailer’s standpoint, the disclosure of an outbreak to the public may have a negative effect on business, as prospective customers may wish to avoid a “hot spot”. Even if a retailer has taken extensive measures to add protective measures, such as wearing masks, sanitizing, installing plexiglass barriers, limiting traffic for social distancing, and spacing out merchandise and tables, this may still result in negative publicity.

There are, however, instances where Canadian retailers have proactively advised the public of outbreaks at their locations. In addition to notifying the media, Superstore and London Drugs sent e-mail advisories to all customers on their mailing list in order to advise them of outbreaks at certain locations, or instances where no outbreaks occurred but where staff have tested positive. By disclosing this themselves, without divulging any personally identifiable information about the affected employees, these brands demonstrated corporate responsibility and adherence to public health safety measures. Additionally, the self-reporting complies with local Occupational Health & Safety regulations.

Protecting Employee Privacy

One key responsibility retailers must adhere to is to safeguard employee privacy. Because an employee’s diagnosis of COVID-19 is his or her personal health information, it must be safeguarded in the same way as other sensitive personal data, such as Social Insurance Number, financial information, home address, and the like. Therefore, employers are not at liberty to disclose the identity of the employee who tested positive, at least not to the public at large. The same obligation applies to a retailer’s customers, although it may not always be possible for a brand to know which customer has tested positive, as patrons may simply browse or pay in cash, leaving no trace of their identity (except perhaps in surveillance videos recorded on security cameras).

Despite this obligation to safeguard privacy, retailers may be required to provide the personal information of their employees on Covid-19 to public health authorities that may require it. For instance, under the federal Personal Information Protection & Electronic Documents Act (PIPEDA), a private entity is obliged to disclose personal information they hold to a government institution that requests and requires it. Specifically, this would include instances where a public health body has the legislative authority to compel the disclosure of this personal information in a public health emergency, such as BC’s Freedom of Information & Protection of Privacy Act (FOIPPA). The intention of both the private and the public sector privacy legislation is to harmonize the circumstances under which personal information may be disclosed during a pandemic, and not to act as barriers to disclosure. Similarly, there are provisions under health laws that provide an additional avenue where personal information may be shared for public health reasons.

This does not mean that a retailer is free to provide all information they may have on their staff to a public health body. The retailer must disclose only the employee’s personal information as required by the public health authority for contact-tracing purposes. Retailers must not publicly disclose the name of the infected employee, as that person has their own privacy rights under the law. Additionally, “outing” the name may lead to unintended negative consequences, such as “doxing” on social media, and the resulting public humiliation that accompanies such nefarious practices.

Privacy Compliance: The Retailer’s Challenge

From a practical standpoint, what should retailers do to comply with privacy legislation? Although there is no uniform Canadian legislation at this point, there are a number of privacy laws and guidelines that may provide some workable solutions.

As a privacy best practice, retailers should only collect, use, and retain the personal information they need in order to do business, disclose it only to those who have a legitimate reason where it is necessary to do so, and destroy the data if it is no longer needed. The over-collection of personal information without a legal basis can lead to privacy complaints and discipline, such as the Loblaws gift card controversy from October 2019. In terms of regulatory penalties, look no further than the Competition Bureau’s hefty $9.5 million penalty against Facebook where third-party personal information was collected without proper consent or notice.

An example of a best practice comes from an Order issued by Dr. Bonnie Henry on the guidelines to re-opening and operating restaurants during a state of emergency. When a restaurant, café, or pub must collect and retain the contact information of one person per dining party, in order to provide provincial medical officers with the information required to perform contact tracing. It is not dissimilar to collecting the name, phone number, and e-mail of patrons who use OpenTable or other online restaurant booking services. After 30 days, the information must be destroyed in accordance with the Order.

The Future of Retail in Privacy

Retailers must operate on the principle of collecting only what they actually need, not what they think they need, and not over-collect personal information “just in case”. Retailers must always remember that they are responsible for the personal information they collect, and also ensure that they are not improperly disclosing personal information, which may lead to not only an invasion of privacy, but to large corporate fines. Privacy, even in the time of a global pandemic, must not be waived if a brand wants to maintain its integrity.