Quick Hits

  • The CAI found that Metro Inc.’s facial recognition pilot meets the necessity standard of the Act respecting the protection of personal information in the private sector (the Privacy Act).
  • Although it called facial recognition more intrusive than traditional video surveillance and the biometric data “sensitive,” the CAI held that the biometric bank does not “otherwise” infringe privacy under Article 45 of the Act to establish a legal framework for information technology (LCCJTI).
  • Necessity turns on a structured test: the objectives must be important, legitimate, and real, and the collection must be proportionate, rationally connected, minimized, and more beneficial than harmful.

Notably, the CAI reached that result after a demanding and often critical review of the technology’s privacy risks, concluding that the project’s benefits outweigh the intrusion, subject to a two-year reporting obligation and to its separate, still-contested February 18, 2025, decision on consent.

This 2026 decision is the second chapter of the same investigation. In its February 18, 2025, decision, the CAI held that Metro’s facial recognition amounts to identity verification requiring express consent under Article 44 LCCJTI, and prohibited the bank on that basis. That ruling, which we examined in our earlier article on Québec’s restrictive approach to biometric data, remains under appeal before the Court of Québec. The 2026 decision expressly leaves it untouched. The necessity “green light” is therefore conditional: the consent prohibition still stands unless and until it is overturned.

Metro proposed a pilot in up to ten grocery and pharmacy stores that would convert surveillance images of suspected repeat offenders into biometric templates, store them in a database, and flag matches in real time. The CAI was openly skeptical: it found the accuracy evidence thin, flagged real risks of false positives and demographic bias, and warned that relying on a police report rather than a conviction creates a “presumption of guilt.” Even so, it concluded that the collection is necessary and that the bank does not otherwise infringe privacy, allowing the project to continue subject to conditions.

Under Article 5 of the Québec Privacy Act, the organisation collecting personal information must prove the collection is necessary. The CAI works in two stages. First, it asks whether the objectives are important, legitimate, and real; the “real” element demands concrete, documented problems rather than general claims. To address this, Metro provided loss estimates (roughly C$30 million in external-theft losses in 2024) together with incident logs and rising security-agent costs. This information was redacted from the decision but was part of the analysis, and it satisfied the CAI that Metro’s anti-theft, anti-fraud, and safety objectives were genuinely grounded in each targeted store.

The CAI applied a notably high threshold for approval. Organisations may wish to note that the CAI expected Metro not only to explain clearly why the tool was necessary, but also to describe the functionality of the biometric scanning process in detail. The decision reveals that the CAI identified weaknesses in certain explanations provided by vendors and intermediaries regarding how the systems would operate in practice. The CAI observed that these intermediaries did not appear to be aware of the real efficacy of the system, making it difficult to obtain a clear picture of the technology’s reliability.

Organisations considering biometric tools may therefore wish to carefully vet vendors at an early stage, so that if a tool comes under regulatory scrutiny, the organisation is in a position to provide clear and accurate answers about how the technology functions. It would be prudent for organisations to avoid relying solely on vendor representations and instead seek to understand the tool’s mechanics sufficiently to explain them independently to a regulator.

Second, the collection must be proportionate. Applying the Court of Québec’s Société de transport de Laval test, the CAI weighs whether the collection is rationally connected to each objective, whether the intrusion is minimized, and whether the benefits clearly outweigh the harm to the people affected.

On minimization, the CAI credited Metro’s record and commitments: it had already deployed and exhausted less intrusive measures, agreed not to keep templates where no match occurs, limited the pilot to ten identified stores, and capped retention at eighteen months. The CAI stayed wary of pooling all biometric data in one central bank and recommended centralizing only where a regional link justifies it.

Weighing benefits against intrusion, the CAI gave deterrence limited weight and treated facial recognition as a complementary “tool,” not a stand-alone “solution.” On balance, it still found the project’s practical utility outweighs the harm, while reserving the right to revisit that conclusion.

Next Steps

The decision provides a cautiously encouraging signal for organisations in Québec that collect or process biometric data: such projects can survive CAI scrutiny, but only with rigorous, well-documented justification. Beyond biometrics, the decision offers broader lessons about the CAI’s approach to privacy enforcement under Québec’s privacy legislation (notably, the Act respecting the protection of personal information in the private sector, as amended by Law 25). Employers and other organisations may wish to consider the following takeaways:

Building an evidentiary record. The CAI required Metro to document internally why facial recognition was necessary for its specific objectives, and to demonstrate that alternative tools had been deployed and found insufficient. This approach is likely to extend to other high-impact data processing activities. Employers may want to maintain contemporaneous records explaining why particular data collection practices are necessary, what alternatives were considered, and why those alternatives did not meet the organisation’s legitimate purposes. General statistics or industrywide trends will not suffice; the CAI expects location-specific and purpose-specific justification.

Vetting vendors and understanding the technology. The CAI’s investigation revealed that certain vendors and intermediaries could not adequately explain how their systems functioned, which created difficulties in demonstrating reliability. One supplier stated that he “had no idea” how the system creates facial signatures because he merely resells the technology; another could not specify error rates because the algorithm belonged to a third party. Employers deploying any technology that processes personal information may wish to conduct thorough due diligence on providers at an early stage. Employers may want to avoid relying solely on vendor representations and instead ensure the organisation can independently explain the technology’s mechanics, accuracy, and limitations to a regulator if required.

Minimising by design. The CAI credited Metro for narrowing the pilot to ten identified stores, committing not to retain biometric templates where no match occurs, and capping retention at eighteen months. For any sensitive data processing, organisations may wish to limit geographic scope, avoid unnecessary centralisation of data across locations, set short retention periods, and implement deletion protocols tied to specific triggers (such as where there is no match, no conviction, or no ongoing purpose). The CAI recommended against centralising data from physically distant or unrelated establishments, noting that broader centralisation increases the invasiveness of any surveillance.

Confronting accuracy and bias proactively. The CAI remained “perplexed” by the weak evidence of system efficacy and noted that algorithmic bias and false positives are “inherent” risks of AI-based systems, including facial recognition. For any AI or automated decision-making tool, it would be prudent to gather credible evidence of reliability, implement controls for demographic bias, and require trained human review before any consequential action is taken. The CAI accepted Metro’s commitment to human oversight as a mitigating factor, suggesting that organisations deploying similar tools may wish to build human-in-the-loop safeguards into their processes.

Minding consent and transparency obligations. This necessity ruling does not resolve the separate Article 44 LCCJTI consent question, which remains under appeal. Biometric identity verification may still require express consent, and organisations may wish to monitor the appeal closely. More broadly, the CAI expects clear transparency: Metro was required to produce detailed signage explaining the facial recognition system to individuals entering the stores. Under Law 25, employers and organisations must be prepared to provide meaningful notice about their data practices and to respond to access requests, which may include disclosing the existence of profiling or automated decision-making.

Expecting ongoing oversight. The CAI retained jurisdiction and imposed semiannual reporting for two years, with the express right to revisit its conclusion if the systems do not demonstrate sufficient efficacy or if bias or false-positive issues emerge. Continuing regulatory engagement is likely, so organisations operating high-impact data systems may want to build internal reporting processes that can satisfy such requirements. This supervisory approach may signal a broader trend under Law 25, where the CAI retains active oversight of sensitive data processing activities rather than simply granting one-time approvals.

Considering the quasi-constitutional nature of privacy protection. The CAI’s decisions reflect Québec’s position that privacy protection has quasi-constitutional status, warranting broad and liberal interpretation of protective provisions.

Ogletree Deakins’ Montréal office, Cybersecurity and Privacy Practice Group, and Technology Practice Group will continue to monitor developments and provide updates on the Canada, Cross-Border, Cybersecurity and Privacy, Retail, and Technology blogs.
