Recent Biometrics Decisions from Québec’s Data Protection Authority: Five Key Takeaways

Stikeman Elliott LLP

Two recent decisions by Québec’s data protection authority, the Commission d’accès à l’information (the “CAI”), should serve as cautionary tales for any business contemplating the deployment of biometric information processing in Québec. These cases show that, even though Québec’s explicit regulation of biometric information is not new, there is renewed regulatory interest in its enforcement.

At the centre of both cases is the Act to establish the legal framework for information technology (“AELFIT”) and more specifically articles 44 and 45, which require entities using biometric information to identify or authenticate an individual to take the following steps:

  1. obtain express consent from the individual prior to collection;
  2. limit the information collected to what is necessary to achieve the purpose for the collection; and
  3. notify the CAI before deploying the biometric authentication or identification system.

Additionally, if an entity intends to create a database of biometric information, it must disclose this to the CAI 60 days prior to deployment. The CAI has the right to modify, suspend or prohibit the deployment.

The CAI’s Recent Decisions

Each of the CAI’s recent decisions concerned the disclosure of a biometric database.

Printing business’s use of facial recognition technology unjustified

The first case involves a printing company that had created a biometric database during the Covid-19 pandemic that would do two things: (i) verify an employee’s temperature and (ii) use facial recognition technology to identify employees accessing the business’s premises.

In 2021, the company informed the CAI that it no longer used the temperature function but was maintaining the facial recognition feature for security purposes and as a means of complying with the Customs Trade Partnership Against Terrorism (“CTPAT”) requirements – a voluntary security standard the company had adopted. The company had obtained its employees’ consent to use the facial recognition system. Nevertheless, in September 2024 the CAI found that the company had not sufficiently justified the security reasons for using the facial recognition technology and, despite the fact that the employees had consented to the use of their information, suspended the deployment.

Grocery store’s use of biometric information lacked required consent

The second case involves a grocery store that, to prevent fraud and shoplifting, was seeking to pilot two biometric solutions. Both solutions required the photographing of customers as they entered and exited the premises, the conversion of the raw image into a mathematical code (a biometric template), and the comparison of this code against a database of biometric images. The raw image would then be destroyed. The CAI prohibited the pilot program because, among other things, the store would not be able to obtain the individual’s express consent to have their biometric information used, as required by art. 44 of the AELFIT.

Five Key Takeaways from the Decisions

1. Biometrics is on the CAI’s radar

The CAI appears to be proactively auditing voluntarily disclosed projects to create biometric databases. Although the regulatory body’s right to amend, suspend or prohibit the deployment of these databases is not new, a business’s duty to disclose its creation of such a database 60 days before deployment was introduced in 2021 as part of Law 25’s overhaul of Québec’s privacy legislation. Both the printing company and the grocery store cases follow a self-disclosure event rather than a complaint by a disgruntled employee or client.

2. All biometric data is sensitive personal information

The CAI proceeds under the presumption created by An act respecting the protection of personal information in the private sector that all biometric data is necessarily sensitive, although it has not yet defined biometric information, other than grouping it into three categories (morphological, behavioral, and biological) and providing examples of each in its guidelines on the subject.

This is unfortunate because while certain forms of biometrics, such as fingerprints and bodily fluids, are evidently highly personal and sensitive information because they are intimately linked to an individual, the mathematical formula or numeric code into which they are transformed is not, in and of itself, highly sensitive – especially when the original data is destroyed, such as in the cases described above.

Arguably, a failure to distinguish between the various processes involved in biometric identification or authentication is counterproductive to privacy protection. If designed and deployed appropriately, such technologies could actually serve to better protect rather than violate an individual’s privacy. For example, a practice of printing up images of suspected shoplifters’ faces from video footage and pasting them near a cash register in a convenience store with the label “these people are thieves” is arguably more invasive of an individual’s privacy – and for the same reasons cited by the CAI in the grocery store decision – than having these images transformed into a mathematical code and analyzed by an algorithm outside of public view.

3. Consent is mandatory

If a business deploys systems that use biometric information for authentication or identification purposes, the individual’s explicit prior consent is required. This was one of the CAI’s principal reasons for prohibiting the deployment of the grocery store’s pilot projects. The CAI, however, did not have much scope for interpretation given the wording of art. 44 AELFIT, which does not include exceptions to the use of biometrics such as for public safety, law enforcement, or fraud prevention.

It will be interesting to see how the interpretation of art. 44 evolves, given that AELFIT also applies to the public sector and a number of provincial government initiatives involve the use of biometric information for authentication and identification with a view to improving efficiencies, reducing fraud, and increasing security. 

4. The reason for collection must be real

The reason for using a biometric database to identify or authenticate an individual must be real and supported by facts. A hypothetical security risk or voluntary adherence to a certain security standard is insufficient. Once the reason is clearly defined, only the biometric information that is necessary to counter the exact risk may be processed. In the case of the printing company, full facial recognition technology was an over-collection to counter a vague security risk – especially since less intrusive measures, such as security cards, were available.

5. Be prepared for paperwork

Disclosure of the use of biometric identification and authentication is not the same process as the disclosure of the biometric database. While the former is essentially a question of completing a 10-page form and providing a few supporting documents (such as proof of consent requests and manufacturer information on the biometric service provider), the latter involves an in-depth risk assessment, including a privacy impact assessment (“PIA”), that will be scrutinized by the CAI.

PIAs are not a one-size-fits-all exercise. Not every PIA need be complex. Rather, they should be adapted to the sensitivity and quantity of information involved. A typical PIA will include the following sections:

  • a description of the planned program and its objectives;
  • an assessment of the program’s privacy compliance as well as its potential impacts on individuals’ privacy; and
  • the measures planned to minimize impacts to individuals’ privacy and to comply with applicable legislation, policies, directives and guidelines, as well as best practices.

Conclusion

Two recent CAI decisions on the use of biometric databases signal the data protection authority’s intention to actively regulate the use of biometrics for the purposes of identification and authentication in the province. These decisions also fuel the critics of AELFIT, who have been calling for its review for several reasons not the least of which is its inflexibility and perceived inability to age gracefully. It would be unfortunate for both public and private sector Québec entities to be prevented from using effective technology for legitimate purposes because of an overly rigid provision in AELFIT.
