Québec Privacy Act sets ‘high legal threshold’ for biometric data collection

Privacy commissioner insists on sufficient reason for using facial recognition

Québec could end up becoming the Illinois of Canada – at least in terms of how seriously it legislates data privacy. A feature from Osler law firm explores how the provincial privacy commissioner has dialed up its enforcement activities, and how the “rigorous approach” the Commission d’accès à l’information (CAI) takes to biometric data collection under the Québec Privacy Act could sway similar legislation across the country.

CAI deems facial recognition for access control unnecessary for printing firm

Osler cites a case from September 2024, wherein the CAI initiated an investigation into the biometric practices of a printing company, and subsequently issued a decision ordering the company to stop using facial recognition technology for employee access control, on the grounds that biometric data collection was not necessary or proportionate under the circumstances.

Osler says that, “while consistent with the CAI’s past orders and guidance, the decision highlights the high legal threshold for using facial recognition and other biometric identification technologies in Québec.”

The CAI’s increasing taste for enforcement comes with stiff financial penalties, making noncompliance a costly proposition. “Under the Québec Privacy Act, administrative monetary penalties can reach up to $10 million or 2 percent of worldwide turnover, whichever is greater.”

Objective of biometric data collection must be ‘legitimate, important and real’

The Québec Privacy Act classifies biometric data as a sensitive category of personal information. Collection must be for “a serious and legitimate reason, and be limited to only the information necessary for such purpose.”

As such, the province has unique filing requirements for biometrics: organizations must obtain express consent, “declare their use of a biometric system for identification purposes to the CAI before its use, and declare the creation of a biometric database to the CAI at least 60 days before deployment.”

Per its two-pronged test system, “the organization must establish that the objective pursued by the collection is legitimate, important and real,” and “that the invasion of privacy resulting from the collection is proportionate to the objective pursued.”

In the case of the printing company, its use of facial recognition failed the first prong of the test, “as it could not demonstrate that its objective of using a facial recognition system for access control was ‘real’ or ‘important.’” It failed the second on the grounds that the invasion of employee privacy was not sufficiently minimized.

Conduct a privacy assessment, and don’t flub it on evidence: Osler

Osler has suggestions on how to maintain compliance and avoid fines from an increasingly dogged privacy commissioner. In general, the guidance is to be specific and thorough in demonstrating that a biometric system serves “an important and real” purpose: “generalized allegations or speculative risks are typically insufficient.”

Organizations should be able to demonstrate a high threshold for proportionality, and keep in mind that security for biometric data is not the same as maintaining privacy.

“Claims that biometric solutions are more effective or that alternatives pose hypothetical risks (e.g., badge sharing or ‘buddy punching’) are unlikely to be convincing unless supported by actual, documented evidence.”

Osler recommends that organizations conduct a privacy impact assessment (PIA) prior to implementing biometric systems to demonstrate compliance with all relevant privacy obligations. Presentations to the CAI should include robust documentation with facts and statistics to support the business case, and organizations should work with internal and external stakeholders to take into account all legal and regulatory obligations.
