In February, the Commission d’accès à l’information (Quebec’s access to information commission) banned a Quebec company that oversees grocery and pharmacy chains from creating a database containing images of their clients’ faces without their consent. The company wanted to use this database to put in place a facial recognition system for monitoring shoplifting and fraud.
Last year, more than 120 enterprises and public bodies in Quebec reported to the Commission d’accès à l’information that they collect biometrics. Enterprises include businesses and some non-profit organizations. Is this legal? And what can you do to protect your privacy?
The Commission d’accès à l’information is the Quebec government body that makes sure your right to privacy is respected. They can inspect enterprises and public bodies in Quebec, decide whether they’re respecting the law and order them to do so. Enterprises who don’t respect a decision from the Commission risk a fine that can go as high as 25 million dollars or 4% of their worldwide sales revenue.
What are biometrics?
Biometrics allow you to identify yourself using characteristics that are unique to your body, like your fingerprints, DNA, voice, or retina. You might already be using biometrics daily. For example, you might open your phone with your fingerprint or face, identify yourself to your bank using voice recognition, or use your fingerprint at work to manage your hours and pay.
Biometrics are sensitive personal information. They’re directly linked to your identity and your privacy. Consider thinking twice before using them.
What are the rules?
Enterprises and public bodies must follow strict legal rules to collect and use your biometrics in Quebec (French only). They must inform the Commission d’accès à l’information before collecting biometrics in a database or using them to identify someone. The Commission can investigate and decide if the planned collection or use of biometrics respects the law and the right to privacy.
Also, enterprises and public bodies must get your consent. You have the right to know if your biometrics will be collected in a database and to understand how they will be used. If they want to use your biometrics for a reason other than the one you consented to, they usually have to ask you again for your consent.
But that’s not all! Enterprises and public bodies must have a serious reason to create a biometrics database. This means that the biometric database must be necessary to solve a real and important problem. For example, the Commission d’accès à l’information has decided that collecting fingerprints to allow clients to check out faster at a store is not a serious reason.
If one of these requirements isn’t met, the Commission can ban an enterprise or a public body from collecting or using your biometrics.
Make sure your privacy is respected
You have rights and options for protecting your personal information and right to privacy. If you have concerns about how your biometrics are being used, you can contact the enterprise or public body directly. You can also file a complaint with the Commission d’accès à l’information (CAI)