The Québec privacy regulator (Commission d’accès à l’information du Québec, or CAI) recently rendered a significant decision concerning biometric information and the creation and registration of a bank of biometric characteristics or measurements in Québec. The CAI prohibited the use of a bank of biometric characteristics or measurements proposed by Metro Inc. (Retailer) for the purpose of identifying, by means of facial recognition, persons who have previously been involved in shoplifting or fraud in certain of its establishments, based on images captured by video surveillance tools.
Notably, the Retailer argued it did not seek to actually verify or confirm the exact identity of individuals, but rather to prevent shoplifting and fraud based on a “match” of faces entering the store with faces captured from CCTV shoplifting and fraud incidents. The CAI nonetheless found that the act of confirming whether or not individuals belonged to a specific group of people constructed verification of identity within the meaning of the applicable legislation.
LEGAL CONTEXT
In Québec, under sections 44 and 45 of the Act to establish a Legal framework for information technology (LFIT), a company wishing to use biometric information must disclose its intention to the CAI if it:
- Verifies or confirms a person’s identity by means of a process that captures biometric characteristics or measurements; or
- Creates a bank of biometric characteristics or measurements.
Section 44 of LFIT also requires that a person’s identity may not be verified or confirmed by means of a process that allows biometric characteristics or measurements unless the express consent of the person has been obtained.
In conjunction with the LFIT, Québec’s privacy law, the Act respecting the protection of personal information in the private sector (the Private Sector Act) specifies that biometric information is sensitive personal information.
FACTS
The Retailer wished to commence a pilot project to implement facial recognition technology in some of its establishments. The stated aim of this project was to counter shoplifting and fraud in some of the Retailer’s establishments.
According to the Retailer, facial recognition would be based on images captured by CCTV cameras installed at the entrances and exits of its establishments. These images would be compared by algorithms with reference images contained in the Retailer’s database of biometric characteristics or measurements.
If there were a match between the image captured by the CCTV cameras and the bank in question, an alert would be sent to store management.
The reference images contained in the database would be collected from images captured by the Retailer’s video surveillance cameras during shoplifting or fraud events involving people of legal age and which have been the subject of police intervention. These reference images would be deposited in the database.
The Retailer intended to test two different facial recognition systems, both of which essentially operated by taking the raw images captured by CCTV cameras, converting them into digital representations, which would then be compared against the digital representations of suspect images from CCTV footage of incidents.
The Retailer indicated it would not obtain express consent.
In compliance with sections 44 and 45 of LFIT, the Retailer notified the CAI of its intentions. The CAI reviewed the Retailer’s submission and issued a preliminary notice of order and ultimately, this decision.
The CAI stated that:
- The process proposed is one that captures biometric characteristics or measurements, engaging s. 44 of the LFIT.
- The process proposed consists of verifying or confirming a person’s identity, as defined in s. 44 of the LFIT, finding that it is sufficient that there be elements that simply enable that a person to be recognized and distinguished from another.
- The proposed process is mandatory (in other words, it is being applied to every person entering the establishment) and there is no alternative or ability to withdraw consent.
- Express consent is required in the circumstances being proposed, but the Retailer does not plan to obtain such consent.
- The invasion of privacy is disproportional given the sensitivity of the biometric information. The CAI noted that the proposed process was based on police interventions for shoplifting and fraud rather than on judgements recognizing the guilt of the persons involved and therefore was a breach of the right to be presumed innocent, which meant the proposed process could not support the legitimacy of processing requirement in section 4 of the Private Sector Act.
TAKEAWAYS FOR BUSINESS
This decision is important as it is reflects the CAI’s requirement that organizations meet a very high bar in order to justify the use of processes or technologies using biometric information, and applies it in a retail context. Notable takeaways are:
- Broad interpretation of the notion of identification: A facial recognition process is subject to the requirements of section 44 of the LFIT even if its sole purpose is to confirm whether or not the persons whose biometric characteristics are captured belong to a specific group of people. Indeed, it is not necessary to verify or confirm the exact identity of a person whose biometric characteristics or measurements are recorded in order to verify the identity of a person within the meaning of section 44 of the LFIT.
- Analyzing the biometric process as a whole: The Retailer had argued that the various steps of the process (face detection, image capture, feature extraction, comparison, and storage) meant that at the various stages, no biometric information was at issue and/or that no identification or verification had occurred. The CAI rejected this approach. The CAI assessed the entire facial recognition process proposed by the Retailer to determine whether it complied with section 44 of the LFIT. According to the CAI, a compartmentalized analysis of the phases of the facial recognition process would render the LFIT provisions meaningless. Thus, the simultaneity of the steps involved in validating or confirming identity as part of the facial recognition process is not decisive.
- Digital identity: The CAI noted the technological context at the heart of the LFIT, combined with the fact that biometric characteristics and measurements are inherently digital. As a result, the CAI concluded that the digital context meant that the term “identity” used in section 44 of the LFIT goes beyond legal identity, which is linked to a person’s civil status and is used in administrative or formal procedures, and refers more to the notion of digital identity. It went on to say that, to this end, digital identity is made up of various attributes that enable a person to be recognized and distinguished from another, and a person’s biometric characteristics and measurements are part of his or her digital identity.
- A broad and liberal interpretation of the LFIT’s provisions on biometric information: Sections 44 and 45 of the LFIT should be given a broad and liberal interpretation.
- The creation of biometric information is not a secondary use but a new collection: The Retailer argued that argued that section 12 of the Private Sector Act would allow it to use the biometric information of people entering its establishments for secondary purposes, without their consent. It was of the view that the information had already been collected by CCTV cameras already in place for security reasons, and that the proposed use was a purpose consistent with that. The CAI rejected this, saying that the collection of video surveillance images and the collection of biometric measurements or characteristics constitute two distinct collections of personal information that should not be confused.
- Requiring a person to verify or confirm his or her identity using biometric information: In this case, the CAI concluded that a person cannot enter one of the establishments in question without having his or her image recorded on video surveillance and, consequently, having his or her biometric characteristics or measurements captured and analyzed. In so doing, the Retailer requires that the verification or confirmation of its customers’ identity be carried out by means of a process that captures biometric characteristics or measurements within the meaning of section 44 of the LFIT. The CAI is of the opinion that, in the absence of the express consent of the person concerned, such a requirement is contrary to section 44 of the LFIT.
- Invasion of privacy: The CAI declared that the Retailer’s proposed biometric data bank constitutes a significant invasion of the privacy of the individuals concerned (within the meaning of section 45 of the LFIT), since the biometric personal information would be collected without their consent.
In light of this decision and the guidelines published by the CAI on the use of biometric information, companies doing business in Québec ought to be extra cautious when developing tools, practices or projects involving biometric information.
For more information on this topic, please contact Alexandra Quigley or other members of the Dentons Privacy and Cybersecurity group.