The use of biometrics is growing in both the private and public sectors. In its latest progress report (2023-2024), Quebec’s privacy commissioner, the Commission d'accès à l'information (“CAI”), stated that it received 124 declarations (including 118 from businesses), which represents an increase of 59% over the previous year. While this increase can be partly attributed to the fact that the Act to modernize legislative provisions as regards the protection of personal information (“Law 25”) includes a requirement to notify the CAI before using biometric data (an obligation that was previously limited to the creation of a biometric database), we can certainly expect this trend to continue over the next few years.
For the first time since Law 25 came into force, the CAI has had the opportunity to render a decision on the use of a facial recognition system by a business in the printing sector. The decision, published late last year, is only the tenth in this area. It is another illustration of the CAI's rigorous standards regarding biometric systems.
Québec’s legal framework for biometrics
The use of biometric information (images, fingerprints, voice, hand shape, etc.) is governed by a dual legislative framework. On the one hand, the Act respecting the protection of personal information in the private sector (the “Private Sector Act”) (for businesses) or the Act respecting access to documents held by public bodies and the protection of personal information (the “Access Act”) (for public bodies) applies whenever an organization uses biometric information to identify a person directly or indirectly. On the other hand, the Act to establish a legal framework for information technology (the “Quebec IT Act”) stipulates that any organization wishing to use a biometric system to verify or confirm an individual's identity, or to create a database of biometric characteristics or measurements, is also subject to the requirements of the Quebec IT Act.
The Private Sector Act and the Access Act do not specifically address biometrics, except to stipulate that biometric information constitutes sensitive information. However, the other obligations applicable to personal information, such as collecting only the necessary information and being transparent, do apply to the processing of biometric data.
The Quebec IT Act imposes specific obligations concerning biometrics, including (a) the express consent of the persons concerned and (b) prior disclosure to the CAI. A declaration form (in French only) is available on the CAI website for this purpose. The Quebec IT Act also stipulates that the biometric system must only use the minimum number of characteristics or measurements required for identification.
Under these laws, the CAI has investigation and inspection powers. With regard to biometric databases, the Quebec IT Act provides that the CAI may issue orders determining how such data is to be set up, used, consulted, released and retained, as well as how it is to be archived or destroyed. Should a database be found to be non-compliant with the law, the CAI may also suspend or prohibit the bringing into service of such a database or order that it be destroyed.
The CAI’s recent decision
In October 2020, Transcontinental Printing Inc. (the “Company”) informed the CAI that it had created a biometric database as part of its implementation of a facial recognition system aimed at controlling access to its premises to ensure their security and, incidentally, to meet the requirements of the Customs-Trade Partnership Against Terrorism (the “CTPAT”) certification. The CAI investigated the Company's practices and ordered that it cease collecting and using biometric information.
To assess the legality of creating a biometric database and using a facial recognition system, the CAI used a two-stage necessity test (the “Necessity Test”). The Company must demonstrate that:
- The objective pursued by the data collection is legitimate, important and real;
- The invasion of privacy is proportionate to the intended objective.
Although the Company obtained the consent of its employees to use their biometric information, the CAI reiterated that a company isn’t exempt from these requirements, even with the consent of the person concerned.
1. Is the objective legitimate, important and real?
The CAI considers it legitimate for the Company to want to ensure its facilities' security and take measures to control access to its premises.
As to whether the database serves a real objective, the CAI considered that the information provided by the Company failed to establish any specific incident, problem or security issue. Firstly, the CAI considered that the Company's compliance with the CTPAT standard does not require using facial recognition; even if this method was suggested, the standard allows for less intrusive means of controlling access to premises. Moreover, the CAI noted that the risk of copying and sharing identification cards, which the Company cited as an alternative means of controlling access to its premises, is hypothetical and does not constitute a real problem experienced by the Company.
As to the importance of the objective, the CAI considers controlling access to a business’ premises a standard business objective. While the CAI recognized that a business' operations or a particular situation might justify a higher level of security, such as that provided by biometric systems, it considered that the Company's operations in the printing industry do not appear to present any particular risks that would require such a level of security.
2. Is the invasion of privacy proportional to the stated objective?
To assess proportionality, the CAI places the burden on the Company to establish that:
- The data collection is rationally connected to the stated objective;
- The level of invasion of privacy caused by the collection of personal information is minimized;
- Collecting this personal information is clearly more useful to the Company than harmful to the persons concerned.
The CAI considers that collecting biometric information for use in a facial recognition system is rationally connected to controlling access to the Company's premises.
However, the Company must ensure that it minimizes the invasion of privacy by assessing the possibility of using other, less intrusive means. The CAI reiterated that the risk alleged by the Company regarding the copying or lending of identification cards is hypothetical. It considered that the Company had provided no evidence that an access card could be copied, and expressed the opinion that the inconvenience associated with managing the loss and replacement of cards was part of standard business practice. It found that other, less privacy-intrusive means were available to the Company to control access to the premises.
Finally, the CAI found that the Company failed to demonstrate how the benefits of collecting personal information to operate the biometric system outweighed the invasion of privacy associated with the collection.
Comment
This decision again demonstrates the CAI's stringent requirements regarding the use of biometric systems and its strict interpretation of the necessity criterion in this context. The CAI also reaffirms the importance of documenting the necessity of collecting biometric information, even if an organization has the consent of the persons concerned and implements security measures.
It is worth noting that, with one exception, CAI decisions have consistently found that the use of biometrics does not meet the Necessity Test criteria. In addition to the decision discussed in this article, the CAI has not deemed the collection of biometric information to be necessary for the following purposes:
- Improved payroll management (Auberge Sacacomie)
- Employee identity verification and improved management of working hours (Selenis Canada)
- Reducing the business' environmental footprint, improving the customer experience and reducing fraud (Les 3 Piliers Inc.)
- Commercial use (Clearview AI)
- Preventing a business-wide COVID-19 outbreak and quickly identifying employees with a fever (Héritages Ébénisterie)
In the only decision in which the CAI ruled that the necessity criterion was met (Marché d'alimentation Marcanio et fils inc), it concluded that the use of biometrics to monitor employee hours satisfied both stages of the Necessity Test because very specific facts had been demonstrated:
- The manager could not be present to cover all the time slots of the employees under his supervision, given the number of employees, their varying schedules from week to week, and their different work areas;
- Prior to implementing the system, the business fell victim to time theft (fraud) and had dismissed employees for this reason;
- Employees who didn't have their card with them had to ask a supervisor to register their time in the time clock, leading to lost time for the employees and the business;
- Alternative measures to biometrics had been considered, but those were too costly and difficult to implement in their specific work environment;
- The introduction of the biometric system years earlier had eliminated time theft and lost time.
The CAI’s recent decision aligns with the principles set out in its previous decisions as well as the CAI’s guide to biometrics for organizations (the “Guide”) (available in French only). While the Guide isn’t legally binding, it does highlight the CAI's position on the issue. Among other things, the CAI insists that the use of biometrics must address a problematic situation and that the organization must specify and document the problem encountered in the pursuit of its objective. It is clear from the CAI decisions that the demonstration of the problem or situation to be solved must be based on tangible and convincing facts.
Does this mean that the organization must demonstrate that it has already suffered the disadvantages or risks that biometrics seeks to resolve? The CAI seems to suggest this in the present decision, pointing to a lack of evidence of identification cards being copied or lent and concluding that this is a “hypothetical risk.”
In our opinion, to meet the Necessity Test criteria, it should not be necessary to demonstrate that the incident has already occurred but rather that biometrics seek to resolve an important and real issue, even if that issue has yet to occur. For instance, consider a facility where radioactive metals are stored. In order to demonstrate the need for access control using reliable biometric technology, it would be unreasonable to demand proof that a security breach has already occurred. Similarly, in an industry where it is standard practice to use a biometric system to authenticate or identify employees or customers, the question is whether the harm sought to be prevented by the use of a biometric system should be required to have occurred in order to satisfy the Necessity Test. Indeed, it should be noted that organizations have an obligation to put reasonable security measures in place to protect the personal information they hold, and industry standards may be relevant in determining what measures are reasonable.
Lastly, while regulators agree on the challenges posed by biometrics, their approach seems to include some nuances. On the necessity criterion, the Office of the Privacy Commissioner of Canada (the “OPC”) appears to take a slightly more flexible approach than the CAI. The necessity criterion is echoed in the Draft Guidance for processing biometrics—for organizations, which was recently the subject of a consultation process. The OPC states that the organization must demonstrate that “the biometric program or initiative is necessary to meet a specific, legitimate and defensible need.” The OPC advises organizations to consider whether their “needs are rationally connected to a business goal that is pressing or substantial” and to document this clearly. The OPC believes the initiative should not go forward if the organization cannot explain how the “collection, use, or disclosure of biometrics is rationally connected to a pressing and substantial business goal.”
In conclusion, before making the mandatory declaration to the CAI, it is recommended that organizations planning to use biometrics:
- Pay particular attention to justifying the intended objective by documenting the real problems or issues to be resolved, the connection between collecting biometric information and the objective, and the proportionality of the collection to this objective. It is also useful to document the alternative means considered and the reasons why these are not appropriate in the circumstances, with reference to specific—not hypothetical—facts. In this respect, it is useful to consider the CAI’s positions as expressed in the Guide and the decisions cited above.
- Carry out a Privacy Impact Assessment (a “PIA”) to demonstrate the risk analysis and mitigation measures in place and the organization’s compliance with the legal obligations associated with particularly sensitive biometric information. Indeed, since September 2023, a PIA is mandatory for all projects involving the acquisition, development, or overhaul of information systems or electronic service delivery systems that involve the collection, use, communication, retention, or destruction of personal information.
- Finally, organizations would be well advised to seek legal support for these steps, given the sensitivity of biometric information and the CAI’s rigorous and restrictive approach.