Written by Alessandra Puopolo
What are the key private sector laws that govern facial recognition technology in Canada?
In Canada, there is no legislation that explicitly governs the use of facial recognition technology (FRT), and private companies are increasingly using FRT for a variety of purposes including: identity verification, fraud prevention, and to monitor consumer behaviour. At the federal level, businesses engaging in commercial activities are governed by the Personal Information Protection and Electronic Documents Act (PIPEDA), which has not been substantially updated since its enactment in 2000. While the federal government has recently proposed a series of new legislative reforms to modernize Canada’s private sector privacy legislation, these reforms are unlikely to adequately protect individuals’ rights and personal information against the use of FRT.
At the provincial level, several provinces have enacted legislation that is substantially similar to PIPEDA and have introduced increased legislative protection for individuals’ privacy rights. Significantly, in 2021, Quebec became the first jurisdiction in Canada to take legislative action to update its privacy legislation and include specific requirements on industry use of facial recognition technologies.
Federal Legislation: The Personal Information Protection and Electronics Documents Act (PIPEDA)
What are the key provisions of PIPEDA?
Enacted in 2000, PIPEDA governs how privacy sector organisations in Canada can collect, use, and disclose personal information in the course of commercial activity.
Commercial activity has been applied and interpreted broadly to include social networking sites that use personal information for the purpose of enhancing users’ experience and organisations offering free services when consider in the context of their entire business activities.
Principle 4.3 of Schedule 1 requires that organisations must obtain individuals’ knowledge and consent when collecting, using, or disclosing their information. Moreover, section 6.1 stipulates that such consent is only valid if an individual “would understand the nature, purpose and consequences of the collection, use, or disclosure of the personal information to which they are consenting.”
Section 5(3) of PIPEDA provides that notwithstanding valid consent, organizations can only use personal information for appropriate circumstances. In its Guidance on Inappropriate Data Practices, the Office of the Privacy Commissioner of Canada (OPC) has outlined five no-go zones for data processing, including profiling that would lead to discriminatory treatment contrary to human rights law and purposes that would cause significant harm to an individual.
What are some of the issues with PIPEDA?
One of the most glaring issues with PIPEDA is that it has not been substantially updated for decades. With the advent of new technologies, specifically the growth of digital processes and artificial intelligence (AI) that have transformed how data is collected, used, and disclosed, Canada requires up-to-date private sector legislation specifically crafted with a view to address these developments.
PIPEDA does not distinguish between different types of personal information. In its current form, it does not prescribe the necessary specific and heightened protections for highly sensitive data, such as biometric information (e.g., facial images, fingerprints, etc.), including how and when such information can be used, collected, stored, and shared. Specific regulations are required to delineate no-go zones and ensure adequate disclosure for particularly invasive technologies such as FRT. Additionally, PIPEDA does not provide the OPC with necessary enforcement powers, such as the ability to perform proactive audits to ensure compliance with privacy legislation or to impose meaningful penalties for violations, such as fines and other penalities. Currently, such remedies can only be granted by the courts.
Provincial and Territorial Legislation: A Patchwork
Provincial governments in Alberta, British Columbia, and Quebec have each enacted their own privacy laws to govern the private sector that are substantially similar to PIPEDA. Additionally, many provinces and territories have their own health privacy legislation that regulates the collection, use, and disclosure of personal information in the healthcare sector, including healthcare providers, service providers, and agents. Despite these legislative frameworks, like their federal counterparts, most of these statutes are out of date and were enacted long before many of today’s technologies, such as artificial intelligence, were substantially developed and deployed.
Privacy Law Developments in Quebec
In 2021, the Government of Quebec adopted new legislation (Law 25: An Act to modernize legislative provisions as regards to the protection of personal information) to modernize the province’s privacy laws with many of the provisions entering into force in September 2023. The legislation will apply to organisations headquartered in Quebec, or those that hold personal information of Quebec residents.
Significantly, these new amendments substantially update some protections for individuals’ personal information, including biometrics. Under the new framework, businesses must notify the Commission d’accès à l’information du Québec (CAI) before deploying any biometric identification techniques, including FRT, and they must obtain individual’s express consent before collecting biometric information. The new legislation also prescribes increased fines for non-compliance, with financial penalties ranging from $15,000 – 25 million or 4% of an entity’s worldwide turnover for the fiscal year. Notably, this legislation is the first of its kind in Canada. Additionally, the CAI has also prohibited entities from combing thermal cameras with FRT systems.
“[In Quebec] biometrics may not be used for identification purposes without the express consent of the person concerned. No biometric characteristic may be recorded without that person’s knowledge. Only a minimum number of biometric characteristics may be recorded and used.”
– Diane Poitras, President, Commission d’accès à l’information du Québec (ETHI Committee)
Recent Developments in Canada's Federal Private Sector Privacy Legislation
Bill C-27: The Digital Charter Implementation Act
In June 2022, the Canadian government introduced Bill C-27: The Digital Charter Implementation Act, 2022, that proposes to significantly update Canadian privacy legislation by repealing Part 1 of PIPEDA, would enact the Consumer Privacy Protection Act, and establish the Personal Information and Data Protection Tribunal Act. Additionally, Bill C-27 seeks to develop a statutory framework for artificial intelligence via the AI & Data Act (AIDA). However, the proposed legislation is unlikely to adequately protect individuals’ privacy, personal information, and related rights because it:
• does not engage with many of the recommendations outlined in the ETHI Report detailed in the next section below;
• does not explicitly prohibit the use of FRT in certain circumstances (“no-go zones”) such as by police or industry to facilitate mass surveillance. In comparison other jurisdictions, such as the European Union have proposed such legislative constraints;
• will only apply to high impact AI systems;
• is silent on special protections for sensitive personal information such as biometric data including faces, fingerprints, and vocal patterns. Instead, almost all types of data are treated the same;
• focuses only on individual harms, rather than collective harms;
• lacks adequate and future-proof definitions of key terms such as artificial intelligence; and
• prioritizes the rights of businesses over individuals in Canada, permitting businesses to collect and use individuals’ information without their consent for certain activities.
ETHI Committee: FRT & AI Study and Report
In 2022, the Standing Committee on Privacy and Ethics (ETHI) conducted public consultations and published a report reviewing the status of facial recognition technology and artificial intelligence in Canada. Among its findings, the ETHI Committee recommended that the government should:
• require industries to publicly disclose their use of FRT (Recommendation 1);
• increase its investment in initiatives to study the impact of AI on various demographic groups, increase digital literacy, and educate Canadians about their privacy rights (Recommendation 8);
• explicitly define acceptable uses of FRT and prohibit other uses, including mass surveillance (Recommendation 11);
• implement the right to be forgotten, requiring services providers and other entities to delete user’s personal information after a set period of time (Recommendation 14);
• implement an opt-in-only requirement for the collection of biometric data by private sector entities and prohibit collection as a requirement for service (Recommendation 15);
• strengthen the ability of the OPC to levy meaningful penalties for violations of PIPEDA (Recommendation 16);
• amend PIPEDA to prevent the capture of images from the internet and public spaces for use in FRT databases (Recommendation 17); and
• enact a moratorium on the use of FRT by industry until adequate legislation is in place (Recommendation 18).
Government Response and Looking Forwards
In February 2023, François-Philippe Champagne, the Minister of Minister of Innovation, Science and Industry, replied to the ETHI Committee’s report on behalf of the government. The reply did not adequately detail how the government intends to address many of the issues and recommendations raised in the report. Significantly, the government did not propose any significant adjustments to Bill C-27 that would have reflected the ETHI Committee’s recommendations. Overall, the government’s reply faltered in multiple key areas, including by failing to:
• engage with the calls for a federal moratorium on the use of FRT;
• assume a leadership role in responsible tech policy;
• update that current Treasury Board Directive on Automated Decision Making that regulates the use of FRT by federal agencies;
• engage with key stakeholders in developing Bill C-27; and
• ensure that Bill C-27 will protect individuals’ privacy rights.
The proposed legislation was delayed in the 2023 Spring session of Parliament and will be reviewed by the Standing Committee on Industry and Technology in the Fall of 2023.