Quick Hits
- The Commission d’accès à l’information (CAI) emphasized the broad interpretation of “identity” and “verification” under Quebec’s privacy laws.
- The decision highlights the quasi-constitutional nature of privacy protection in Quebec.
- The CAI emphasized that if consent involving the capture and comparison of biometric data for identification purposes cannot be obtained, a project—even one focused on security—may not be approved in Quebec.
A prominent grocery store in Quebec proposed implementing a biometric data bank for facial recognition to combat theft and fraud in its stores. The system aimed to identify individuals involved in shoplifting or fraud by comparing surveillance footage with a database of biometric data. However, the CAI’s investigation focused on the project’s compliance with Quebec’s privacy laws, specifically the Act respecting the protection of personal information in the private sector and the Act to establish a legal framework for information technology.
Distinction Between Verification and Identity
A critical aspect of the CAI’s decision was the broad interpretation of “identity” and “verification” under Quebec’s privacy laws. The CAI determined that the grocer’s facial recognition system constituted a form of identity verification, as it involved capturing and comparing biometric data to identify individuals. This interpretation means that any process involving the capture and comparison of biometric data for identification purposes requires explicit consent from the individuals concerned, as mandated by Article 44 of the Act to establish a legal framework for information technology.
The CAI rejected the grocer’s argument that its system did not constitute identity verification because it did not confirm the exact identity of every individual entering the store but rather identified those who matched the biometric profiles of known offenders. The CAI clarified that identifying individuals based on biometric data, even if only to determine whether they belong to a specific group (e.g., known shoplifters), still falls under the category of identity verification.
Explicit Consent Requirement
The CAI highlighted that under Article 44 of the Act to establish a legal framework for information technology, any process that involves the verification of identity through the capture and comparison of biometric data requires the explicit consent of the individuals concerned. The CAI noted that the grocer’s project did not plan to obtain such explicit consent, thereby violating the legal requirements. This requirement for explicit consent is a critical point for other businesses to consider. Any business using biometric technologies may want to confirm that it has obtained explicit consent from individuals before collecting and using their biometric data. Failure to do so could result in significant legal repercussions and potential prohibitions on the use of such technologies.
Quasi-Constitutional Nature of Privacy Protection
The CAI’s decision highlights the quasi-constitutional nature of privacy protection in Quebec. Privacy laws in Quebec are designed to offer robust protection to individuals, and the CAI has broad powers to enforce these laws. This means that businesses may want to be particularly diligent in their compliance efforts, as the CAI is likely to take a restrictive approach to the use of biometric data and other sensitive personal information.
Next Steps
The CAI’s decision on the grocer’s biometric data project has significant implications for other businesses using biometric technologies. This development is important as it highlights the necessity of strict adherence to privacy laws, especially when handling sensitive biometric data. Specifically, the broad interpretation of “identity” and “verification,” the explicit consent requirement, and the quasi-constitutional nature of privacy protection in Quebec all provide cause for businesses to be diligent in their compliance efforts. Businesses may want to ensure they obtain explicit consent from individuals before collecting and using biometric data. The CAI’s decision on the grocer’s project serves as a critical reminder that privacy protection is taken very seriously in Quebec, and businesses may want to be proactive in ensuring their practices comply with the stringent requirements of the law. Given the CAI’s broad powers and the quasi-constitutional nature of privacy protection in Quebec, businesses can expect more restrictive decisions in the future.
Ogletree Deakins’ Montréal and Toronto offices, Cybersecurity and Privacy Practice Group, and Technology Practice Group, will continue to monitor developments and provide updates on the Cross-Border, Cybersecurity and Privacy, and Technology blogs.