Two weeks ago, Canada’s IdentityNORTH held its tenth annual conference—this time, digital—gathering government and industry leaders around a virtual roundtable to discuss trends, challenges, and predictions for the digital identity arena. Of import were the country’s forthcoming digital vaccine credentials, a debated topic among provincial privacy commissioners.

British Columbia’s Privacy Commissioner Michael McEvoy was among the most outspoken.

“The question to start with is, what is going to be on that credential?” the Commissioner asked.

“Is it just your vaccine status? Does it have to add where you were vaccinated when you were vaccinated, the lot number on the vaccination, the kind of vaccine? It may be that internationally, some countries are only going to recognize certain kinds of vaccines.”

McEvoy is a longtime believer in the certain future of “identity and authentication,” and as he articulated his take on the credentials at hand, his own credentials as a veteran commissioner became ever more clear.

“As privacy commissioners,” he says, “I think our view is, the less information the better—minimize what you need to put on a credential. And then there’s a question about how that then is communicated to the reliant party in a safe, secure way, and that it’s only going to be used in a temporary fashion.”

The vaccine passport, however, is not the only thing on Commissioner McEvoy’s mind.

From Lawyer to Commissioner

McEvoy has been involved in mitigating privacy and access issues for over 25 years, first as a lawyer in private practice and then as a ministerial adviser to the Attorney General of British Columbia in 1992.

“The Attorney General was tasked with advancing new freedom of information and protection of privacy legislation, and I assisted him in those efforts,” he says. “I was taken with the subject, though I would say the privacy part of the legislation received less attention than the freedom of information issues back in those days. One could see hints on the horizon of the challenging privacy policy issues to come as digital technologies were beginning to accelerate.”

One thing he did not foresee was the creation of the office of privacy commissioner—a non-partisan role founded in 1993, and one he would eventually inhabit by unanimous motion of the Legislative Assembly in 2018.

“I joined the Office of the Information and Privacy Commissioner for British Columbia in 2007 as an adjudicator. I decided more than 50 inquiries under provincial access and privacy law before I was appointed Deputy Commissioner in 2013.”

Since his appointment as commissioner, his chief goal has remained consistent: “[strengthen] access to information and protection of privacy.” He’s led numerous investigations with this in mind.

Prior to his appointment, McEvoy helped lead the Information Commissioner’s Office of the UK’s investigation into the Cambridge Analytica scandal following the 2016 election. He also serves as a chair to the governing committee of the Asia Pacific Privacy Authorities (APPA) and the Registrar of Lobbyists for British Columbia.

Commissioning in COVID-19

“I see the future of [my] role continuing to be vitally important,” the Commissioner, who finishes his term in 2024, said. “We will continue to grapple with the impact of rapid-expanding technologies—technologies we cannot yet even envision.”

COVID-related technologies are among such unforeseen innovations. It explains his current preoccupation with British Columbia’s vaccine passports, for which he says a pan-Canadian solution would be the “ideal.”

“Each province will likely have something of its own system. My vision would be that, although each province will have perhaps a slightly different way to do things, the principles underlying how they do it will be the same,” McEvoy says.

The framework is simple: create an interoperable credential with minimal information that can be accessed by public and private sectors, first in British Columbia and then the rest of Canada. He adds that the credential should be “open source,” mitigating public concerns and ensuring that their data “is going to be used in an appropriate and proper manner.”

But in this cyber age, trust is a fleeting concept. McEvoy knows this well—on both a governmental and interpersonal level.

“One of the challenging things, of course, is how do we trust each other’s credentials,” he asks.

“These technologies have gotten to a place where it is very challenging for regulators because many of these companies operate everywhere. But in many ways, they’re accountable nowhere.”

It’s an issue that’s becoming more familiar to many involved in the space.

“As a society, as governments and as regulators,” says McEvoy, “we need to get our heads around it.”

And by heads, he means fresh legislative movement.

“That’s number one in my mind right now,” he says. “I believe our laws are beginning to fall, fall behind and not keep up with changes in technologies, but across the country as well, because we need to develop a harmonious set of laws across Canada.”

British Columbia is the only jurisdiction in Canada and the United States without mandatory breach notification requirements—a tackleable issue for McEvoy. He also deems administrative monetary reform as vital to British Columbia’s imminent tech legislation.

British Columbia, though, isn’t necessarily behind—“I think the United States is going to have to stiffen its spine as well,” McEvoy warns.

The Ideal Canadian Digital Identity

McEvoy’s takes are well-informed. As also the chair of the Asia-Pacific Privacy Authorities, of which contains 20 different jurisdictions, he gets to observe a phenomenon that’s rarely discussed in the digital identity space.

“It’s interesting,” he says, “because there’s different cultures around privacy.”

This, in turn, makes for slight divergences in tech legislation among countries. Things however have been changing.

“I think you’re seeing, to some extent, privacy laws beginning to converge globally.”

And while there’s still an underlying commitment to a global take on digital privacy and protection, there’s no doubt that McEvoy is at the forefront of creating a uniquely-Canadian privacy system, one that’s informed by its provincial culture, geographical layout, and technical history.

McEvoy’s optimism to build the Canadian identity system—and, eventually, a pan-Canadian vaccine passport—is palpable. Still, as any government official committed to integrity, he worries.

“Without naming any names, [I worry about] some of the big corporate players who would love to be—and in fact are—in that space.”

It’s a team effort for McEvoy. He sees his fellow privacy commissioners, the unique populaces they represent, and even the corporate players as integral to creating a foundation of trust that will underpin British Columbia’s and greater Canada’s digital identity schema.

“There’s a common cause here between regulators, government and industry […] There are so many wonderful things about technology that add convenience to our lives and make our lives better,” he says. “And what we want to ensure is that the public has trust and confidence in those technologies and that they’re used for the purpose of good. Sure, companies are going to make money. That’s absolutely right. We want to encourage innovation. But that’s only going to happen if all of us have trust and confidence in those technologies.”

In each part of this process, it all comes down to one thing: “protecting your personal information in the course of it,” says the Commissioner.

ABOUT THE WRITER

Olivia Baker is a tech editor and journalist at Identity Review, where she writes on tech policy and national digital identity technologies.

Contact Olivia Baker at olivia@identityreview.com.

Do you have information to share with Identity Review? Email us at press@identityreview.com.