Canada’s largest printer was ordered by Quebec’s privacy watchdog to cease using facial recognition technology to monitor access to its facilities and to destroy all biometric information it previously collected, in a decision that serves as a stark reminder that there is a high legal threshold for using biometric systems in the province, according to data and privacy experts.
The use of biometrics in both the private and public sectors is on the upswing in Quebec, with the latest figures from Quebec’s privacy commissioner, the Commission d’accès à l’information (CAI), revealing that 124 entities declared they used biometrics in fiscal 2023-2024, nearly a 60 per cent jump over the previous year. Biometrics, the automated recognition of an individual’s unique body and behavioural characteristics such as fingerprints, facial and voice recognition, and retina scans, is a billion-dollar business, with the global biometrics market estimated at US$50.08 billion in 2024 and expected to surge to more than US$60 billion in 2025, according to Precedence Research. Employers are using it for access control, security, time-keeping, monitoring employee performance or safety, note pundits.
“What’s happened is that this technology now has just become so much more accessible to everybody that there are a lot of companies that see advantages in that technology for different reasons,” remarked Carly Meredith, co-leader of Quebec’s privacy and data protection group at DLA Piper in Montreal. “But this decision is a warning that just because the technology is out there, it doesn’t mean that you can lawfully use it.”
According to Amir Kashdaran, a Montreal IP, privacy and data protection lawyer with McMillan LLP, the decision makes plain that Quebec’s privacy regulator will adopt a rigorous approach when assessing the legality of the collection and use of biometric data. Organizations faced with the “usual, ordinary and expected problems that every business needs to deal with” must consider less privacy-intrusive alternatives such as access codes before implementing biometric systems, said Kashdaran, a former general counsel with a global software development company. “This is an important decision as it really reiterates that you need to strictly comply with the law if you use biometrics in Quebec,” added Kashdaran.
The decision, the first dealing with biometrics since Quebec toughened its privacy laws in 2022, does not mean that the CAI has closed the door on the use of biometric systems, noted Antoine Guilmain, a Montreal lawyer with Gowling WLG who co-leads the firm’s national cyber security and data protection group. While the CAI ruling falls in line with a series of decisions issued by the Quebec privacy overseer over the years, with only one decision issued in 2021 passing the so-called necessity test, Guilmain asserts that “it’s not the technology that’s the problem, it’s the way it’s being used and the lack of evidence over the specific issues guiding the use of biometrics.”
The decision stems from a CAI investigation into the biometric practices of Transcontinental Printing Inc., North America’s third-largest printer.
In October 2020, the printer informed the CAI that it had implemented a facial recognition and temperature screening system during the COVID-19 pandemic to control employee access to its premises as a workplace health and safety measure, and that it had obtained the consent of its employees to collect and process the biometric data. Concurrently, the company said that the biometric system also met the requirements of a Customs-Trade Partnership Against Terrorism Certificate (CTPAT), a voluntary program led by U.S. Customs and Border Protection (CBP) to improve the security of private companies’ supply chains against terrorism.
In Quebec, the use of biometric data is governed by both public and private sector privacy legislation as well as the Act to Establish a Legal Framework for Information Technology (Quebec IT Act). Though neither the public nor the private sector privacy law deals specifically with biometrics, biometric data is a sensitive category of personal information under Quebec privacy legislation, and the CAI has over the years underlined that its unique and immutable nature makes it particularly sensitive.
Under Quebec’s unique biometric filing requirements, the Quebec IT Act imposes specific obligations: organizations must obtain the express consent of people, must declare their use of a biometric system for identification purposes to the CAI before its use, and must declare the creation of a biometric database to the CAI at least 60 days before its deployment. On top of that, the CAI has investigation and inspection powers, and it may issue orders under the Quebec IT Act determining how the data should be set up, used, consulted, released, retained, archived or destroyed.
The simultaneous application of these two distinct laws, each with its own unique requirements, creates a particularly intricate legal framework for organizations to navigate, remarked Guilmain.
“This is the most complex framework in Canada, and probably one of the most complex systems in the world, precisely because we have these dual laws that come into force at the same time,” said Guilmain.
The CAI uses a two-stage necessity test to assess the legality of establishing a biometric database. The test requires organizations to demonstrate that the collection of personal information is legitimate, important and real, and to establish that the invasion of privacy is proportionate to the objectives that are pursued.
In the ruling, 1024350-S, which was issued in September 2024 but only came to light recently, the CAI found that Transcontinental’s collection of biometric data for access control did not meet the requirements of the Act respecting the protection of personal information in the private sector (Québec Privacy Sector Act). The CAI held that the organization failed to meet the first prong of the necessity test and did not establish that its objective of using a facial recognition system for access control was “real” or “important,” even though its security objective was deemed to be “legitimate.” The CAI also did not accept Transcontinental’s contention that the CTPAT certification requirements required the use of biometric data, noting that it was a suggested method, not a required one.
“The onus is on the organisation to demonstrate why this objective is real,” said Guilmain. “And this burden of demonstrating the real objective will be met by very tangible and concrete elements, antecedents, indicators, statistics, a whole host of elements. The organization must present its case properly and demonstrate to the CAI that there really are very specific reasons justifying the use of biometrics.”
The CAI also found that the printer did not pass the second prong of the necessity test, and failed to demonstrate how the benefits of collecting personal information to operate the biometric system outweighed the invasion of privacy associated with the collection of such sensitive data. “The immutable nature of this information makes it particularly sensitive in the event of a confidentiality incident, and malicious use of this information can have serious consequences for the individuals concerned,” said the CAI.
The decision also held that while employees may have consented to the collection, use and disclosure of their biometric information, that consent does not absolve the employer of its obligation to demonstrate that the collection of such sensitive information is justified and necessary, noted Meredith. “You have to be able to show that you’re collecting it for a legitimate purpose and that you’re minimizing the data collection to what you need in order to meet that purpose,” explained Meredith. “That actually applies even outside of the biometric space. So that applies with respect to all personal information that a company might be collecting.”
In light of the CAI decision and Quebec’s high legal threshold, organizations will have to consider less privacy-intrusive alternatives before considering the implementation of a system that collects and uses biometric information, said Kashdaran. “In Quebec, the law is designed to say you need to know what your goals are,” added Kashdaran. “There has to be a special reason why you need to process biometric information. And you need to respect the requirements of the law, and pass the necessity test. Get those things done, then you’re in a much better position to comply.”
The decision also underscores the need for organizations to continuously evaluate the personal information they are collecting, and the reasons for it, noted privacy experts. Nearly four years elapsed between the time Quebec’s privacy regulator received notification that the printer was using biometrics and the time the CAI investigated the matter. “What’s interesting for the legal community is that the CAI can actually launch that investigation many, many years after (it received notification), but you still have to be able to justify that you’re properly using biometric information,” said Kashdaran. “So you cannot even rely on the fact that if you’ve given a notice and they haven’t responded back to you, it doesn’t mean that they’ve agreed to your stance.”
This story was originally published in Law360 Canada.