On October 11, 2023, the Office of the Privacy Commissioner of Canada (OPC) launched a public consultation on new draft guidance on biometric technologies.
The draft guidance provides information on privacy obligations, considerations, and best practices for handling biometric information. It is divided into two documents: Draft Guidance for processing biometrics – for organizations and Draft Guidance for processing biometrics – for public institutions.
ICLMG analyzed and commented on the draft guidance for public institutions both during a virtual call with OPC staff, and online. Here are our answers to the consultation questions relevant to our mandate:
1. Identifying appropriate purposes:
Are there specific uses of biometrics that should be considered inappropriate? Should we define these no-go zones in the guidance?
Yes, we believe that there should be specific no-go zones established in the guidance for both private and public institutions. This includes:
- The use of biometrics for real-time surveillance in public spaces (for example, at protests, in airports, at the border, at shopping malls, at sports arenas, etc.)
- Biometrics should never be used for indiscriminate, mass surveillance
- Biometrics should never be used to attempt to evaluate emotions or feelings
- Biometrics should never be used to attempt to ascertain gender or sexual orientation
- Biometrics should never be used to attempt to ascertain or predict the activities of groups of protected classes of people (ie, predictive policing of specific communities)
Greater consideration should also specifically be given to the collection and use of biometrics in immigration and asylum cases, given the sensitivity in these cases. While we do not have specific suggestions for no-go zones at this time, renewed focus on what is appropriate or inappropriate in this sector is necessary.
[…]
4. Accountability:
Are there requirements in the guidance that should be specifically directed towards vendors/manufacturers of biometric equipment, and the organizations that choose to use such equipment for the collection of biometric data?
For both private and public institutions, we would suggest guidance that they be proactive and public about their use of technology, and which technology, they use to collect biometric data; how they select which technology to use; what safeguards are in place; and how to request information about the use of their biometric information and what recourse individuals have. This would go beyond their being prepared to respond to questions upon request and rather ensure information is as accessible as possible.
We are also strongly supportive of the guidance under the “Accountability” section for public institutions explaining that they “must do [their] due diligence to ensure accountability of third party service providers and that they are acting lawfully.”
5. General:
Are there any other outstanding areas of regulatory uncertainty that this guidance can help clarify? If so, what are they and why do you think they should be included?
We are concerned that current privacy and national security laws grant intelligence agencies, and to a lesser degree law enforcement agencies, exceptions to the obligations that other public institutions must follow. This would allow, for example, intelligence agencies to collect and use biometric information in ways that would not be allowed for other institutions; allow them to not disclose their use of biometric data; and deny individuals the ability to know how their information is being used or to request its destruction. We would suggest that a specific mention be made in the guidance that all government agencies, including national security and law enforcement bodies, are expected to adhere to this guidance.
Further, we would suggest a caveat that while this guidance is in relation to the Privacy Act, that it should also be taken into consideration when government departments disclose or collect information under other acts, with the specific example of the Security of Canada Information Disclosure Act (SCIDA). For example, considerations around limiting collection, limiting use, disclosure and retention, safeguards and accuracy should also be considered when considering the disclosure of biometric data under SCIDA.
*****
ICLMG maintains its long-standing opposition to the use of facial recognition technology, especially by law enforcement and intelligence agencies. Please take action below to protect our rights from facial recognition:
We also encourage you to read the submission made by La Ligue des droits et libertés, one of our members (in French only).
Since you’re here…… we have a small favour to ask. Here at ICLMG, we are working very hard to protect and promote human rights and civil liberties in the context of the so-called “war on terror” in Canada. We do not receive any financial support from any federal, provincial or municipal governments or political parties. You can become our patron on Patreon and get rewards in exchange for your support. You can give as little as $1/month (that’s only $12/year!) and you can unsubscribe at any time. Any donations will go a long way to support our work. |
