January 8, 2025

Considering the implementation of biometric systems within your Quebec enterprise? Read this first.

Recent advances in technology have made the use of biometrics increasingly attractive for businesses as a means to achieve increased efficiency, security and convenience. The use of such technologies, which analyze a person’s unique physical, behavioral or biological characteristics in order to establish or prove their identity, must, however, be balanced against the requirements of data protection, employment and human rights legislation. This presents a particular challenge in the province of Québec, where the recent reform of privacy legislation (known as Law 25) has considerably strengthened the framework applicable to the collection, use and disclosure of personal information.

Current regulations in Quebec

Pursuant to the Act to establish a legal framework for information technology (the “Technology Act”), a Quebec enterprise that intends to establish a database of biometric characteristics and measurements must disclose it to the Commission d’accès à l’information (the “CAI”) promptly and not later than 60 days before it is brought into service.

The CAI has created a form for this purpose in which the applicant is required to declare information to the CAI, including, among other information, a description of the database, its technological characteristics, the categories of individuals from whom this information will be collected, the type of biometric data that will be collected (i.e. fingerprints, facial recognition, shape of the retina, voiceprint, saliva, etc.), the purposes for which this information will be collected, the objectives sought with the implementation of such a system, the factual elements which demonstrate the necessity for such a database and a description of the evaluation undertaken within the enterprise to consider the privacy risks associated with the implementation of such a database.

If it is not satisfied that the adoption of the database is in compliance with applicable law, the CAI has the power pursuant to the Technology Act to suspend, prohibit the bringing into service or order the destruction of such a database. The CAI also has the authority to make orders determining how such databases are to be set up, used, consulted, released and retained, and how measurements or characteristics recorded for personal identification purposes are to be archived or destroyed.

Considerations for employers

The desire for the implementation of biometric systems has, in our experience, been particularly prevalent in the employment sector among employers wishing to implement biometrics for timekeeping purposes or to monitor employee performance or safety, such as through the installation of dash cams equipped with sophisticated technological features in company vehicles.

While employers may have laudable objectives in mind when considering the adoption of biometric systems in the workplace, any entity considering the implementation of biometric systems within its enterprise should be mindful of its burden under applicable privacy laws in Québec, including the Technology Act and the Act respecting the protection of personal information in the private sector and its associated regulations (the “Private Sector Act”), of demonstrating to the CAI the necessity of implementing such systems when weighing the serious and legitimate objectives sought by the enterprise collecting this information against the privacy implications for the individuals subject to same. This is a high burden which will not be met by showing that the use of a biometric system is merely useful or convenient for the business.

The Transcontinental decision

As demonstrated in a recent ruling by the CAI against Imprimeries Transcontinental inc. rendered on September 4, 2024 (the “Transcontinental Decision”), it is not enough to simply report the implementation of a biometric database to the CAI.

In the context of the COVID-19 pandemic, Transcontinental had adopted an authentication system to control access to the company’s premises. This included a facial recognition functionality, as well as a functionality capturing the body temperature of individuals wishing to gain access to Transcontinental’s premises. While the temperature-taking functionality was discontinued once the urgency of the COVID-19 pandemic subsided, Transcontinental continued to avail itself of facial recognition technology citing the importance of controlling access to its premises. After having reported the creation of the biometrics database to the CAI on October 2, 2020, Transcontinental received a letter from the CAI on June 20, 2024 (nearly four years after the creation of the biometrics database was initially reported to the CAI) advising that the CAI could come to the conclusion that Transcontinental was in violation of the Private Sector Act and provided Transcontinental with 60 days to provide its observations to the CAI, failing which the CAI could render a decision.

Transcontinental did not submit any additional observations or documents within the 60 days and the CAI proceeded to render a decision in which it found that Transcontinental was in violation of the Private Sector Act and ordered it to cease the collection of biometric information, to cease using facial recognition for the purposes of controlling access to company premises and to destroy the biometric measurements and codes that had been collected. The CAI found that while Transcontinental was pursuing a legitimate objective, it failed to demonstrate that the collection of this information was being done in response to a real and live issue which would override the privacy implications associated with same.

Takeaways for Quebec enterprises

The Transcontinental Decision serves up some important reminders for Quebec enterprises considering the collection of biometric information. In our view, Quebec enterprises should be mindful of the following, in particular:

  • Interestingly, the judgment publicly issued by the CAI redacts the name of the system and the name of the provider that was used by Transcontinental for the collection of biometric information. This underscores the fact that while different providers may have different features and security measures embedded within their systems, the buck ultimately stops with the enterprise using the system in question. This highlights the importance for Quebec enterprises of evaluating the lawfulness of implementing certain technological tools based on the particular characteristics within their enterprise.

  • Importantly, the fact that individuals may have consented to the collection, use and disclosure of their biometric information will not absolve the Quebec enterprise in question of its obligation of satisfying the CAI that the collection of biometric information is justified in the circumstances. Even though an enterprise may have obtained the express consent of data subjects, the enterprise bears the burden of establishing the necessity of collecting personal information in the particular circumstances at issue, a burden which, in the case of highly sensitive data such as biometrics, is difficult to meet.

  • Hypothetical problems or increased convenience will not allow enterprises to justify the necessity for the collection of biometric information. Even though the reason for implementation of a biometric database may be valid from a business perspective, a Quebec enterprise must be prepared to show the necessity of biometric collection for responding to issues which are actually present within the enterprise. Always consider whether there are less intrusive means of achieving the same objective and be prepared to show why those less intrusive means will not allow the enterprise to achieve its purposes.

  • Controlling access to premises or company systems is an issue faced by every enterprise, and may not, on its own, be sufficient to justify the use of biometrics. If your enterprise is looking to use biometrics for the purpose of access controls, be prepared to show why the characteristics of your enterprise make it particularly important to institute strict access controls, namely due to the nature of the business or the activities being carried out within the controlled premises.

  • While the language used by the CAI in the letters that it submits to applicants merely indicates the possibility of the CAI taking further action in response to an application for the implementation of biometric systems, communications from the CAI should not be left unanswered. The CAI has sent a clear message in recent months that it is stepping up its enforcement actions. The generally sensitive nature of biometrics and the requirement to disclose the use of such technologies in the Technology Act mean that enterprises relying on biometrics are likely to face increased levels of regulatory scrutiny going forward.

  • Even though a significant amount of time may have elapsed between the biometrics notification to the CAI and the CAI’s response to same, do not assume that no response means that the CAI has accepted the implementation of biometric databases within your enterprise. In its correspondence and guidance, the CAI consistently reminds Quebec enterprises that the purpose of the notification mechanism is not to approve or certify that a given biometric system or database is legally compliant. Evaluating the personal information that your enterprise is collecting and the reasons for same should be an ongoing exercise based on the particular external and internal conditions affecting the enterprise so that you are in a position to justify this collection in the event the regulator comes knocking.

  • Always remember that biometric information is highly sensitive personal information, and must be protected, managed, and disposed of accordingly. Scrutiny by the regulator is but one risk among several associated with the collection of this type of personal information. Think of the repercussions in the event of a confidentiality incident which results in unauthorized access to the biometric information and the corresponding risk for your enterprise, such as a class action brought by affected data subjects. Give biometric information – and all personal information, for that matter – the protections it deserves.

  • Quebec enterprises should also be mindful of the requirement in the Private Sector Act to conduct a privacy impact assessment prior to any project to acquire, develop or overhaul systems involving the processing of personal information. Given the sensitive nature of biometric data and the potential legal and practical implications of implementing such technologies within a business, this assessment exercise should be particularly thorough and well-documented.

If you are considering the implementation of technologies which collect biometric information within your Quebec enterprise, we invite you to contact the authors of this article who will be able to advise you on the considerations specific to your enterprise to ensure compliance with applicable privacy legislation.
