Privacy and Cybersecurity Law

Québec's reform of privacy legislation sheds new light on the rules applicable to biometrics. Both public and private sector privacy legislation1 and the Act to Establish a Legal Framework for Information Technology ("ALFIT")2 provide a framework for using these tools. However, these laws do not have the same scope and must be interpreted together for organizational compliance purposes.3

ALFIT applies only to biometric systems, while privacy laws4 target biometric characteristics and measurements as personal (sensitive) information, regardless of whether they are used in a biometric system.

The next bulletin in this series will provide more details about the consequences of this categorization for the applicable obligations and sanctions.

What is Biometrics?

Biometrics is an identification and authentication technique that relies on the computerized processing of a person's physical, behavioural or biological characteristics and makes it possible to identify the person or prove their identity.5 There are three categories:6

  • Physical or morphological biometrics analyzes morphological characteristics such as fingerprints, the venous system, the shape of a person's hand,7 iris and retina, and face.8
  • Behavioural biometrics analyzes behavioural characteristics such as signature patterns, voice, heartbeat, gait or posture.9
  • Biological biometrics analyzes a person's biological samples or traces, such as DNA, blood, saliva, urine, odours, etc.10

A biometric characteristic is unique to a person and makes it possible to establish their identity.

A biometric measurement involves the technological processing of a biometric characteristic: biometric measurements relate to all of a person's distinctive characteristics; they can be read by computer systems and used to identify a person.11

For example, the shape of the face corresponds to a morphological biometric characteristic, while what is produced by processing it to extract nodal points would be the biometric measurement or data that results from it.12

The various levels of biometric characteristics and measurements are:13

  • unique: largely unique to each individual;14
  • distinctive: sufficiently different from one person to another that the individuals can be differentiated;15
  • permanent:16 sufficiently immutable over a given time period;
  • universal: every person has or exhibits such characteristics;
  • perceptible: can be measured quantitatively.

If the biometric characteristics and measurements make it possible to effectively and precisely identify an individual, the use of those characteristics and measurements is particularly sensitive17 and strictly regulated by law.

Not all biometric data18 has the same degree of sensitivity, nor does it infringe individuals' fundamental rights equally. Generally speaking, fingerprinting is more invasive than recording points relating to the shape of the hand.19 Similarly, facial recognition systems typically collect more information that is more sensitive20 than do voice recognition systems.21

All biometric data is sensitive personal information subject to privacy laws, regardless of the context in which it is used.22

Biometric System

A biometric system consists of two phases:23

  • Enrolment consists of recording the digital representation of biometric characteristics or measurements in a database,24 or on any other medium, against which other biometric data is then individually compared.
  • During recognition, the data recorded in the database during the enrolment phase is compared with a second piece of data to establish a connection and thus identify or authenticate a person. The recognition phase is also automated using technology (e.g., artificial intelligence).25

A biometric system could be a fingerprint,26 voice27 or facial28 recognition system, but could also be contained in or connected with a technological object with other features, such as an infrared camera,29 when that object is intended to be used to identify or authenticate a person.30

  • Identification (who is this person?) means a detailed comparative examination of the facts to establish a person's identity.31 When done in person, identification is generally performed by checking official photo identity documents (e.g., a health insurance card, driver's licence or passport), although these documents may only be used in limited contexts, in theory.32
  • Authentication (is this person who they claim to be?) means verification of a person's stated identity. It is therefore the next step after identification. For example, an authentication function with a user name and password in an online service enables an organization to be sure that it is communicating with the right individual or the right representative of an organization.

A plethora of technological processes can be used to identify or authenticate a person. For each process, the reliability, or "confidence level," in Québec,33 will vary. ALFIT governs both the physical and the technological identification and authentication processes that are permitted. As updated in September 2022, ALFIT34 requires, among other things, that a biometric system be disclosed to the Commission d'accès à l'information before it is implemented, whether or not the system is based on a centralized database.35

A system that does not include an enrolment and recognition phase, or that is not intended to identify or authenticate a person, would therefore not constitute a biometric system, and would not be subject to ALFIT requirements relating to biometric systems.36

However, if a system meets these criteria, ALFIT will apply in addition to privacy laws, regardless of whether it is supplied by a third party or created internally.

Footnotes

1. Act respecting the protection of personal information in the private sector, CQLR c. P-39.1 ("Private Sector Act"), Act respecting Access to documents held by public bodies and the Protection of personal information, CQLR c. A-2.1 ("Access Act"); see also Civil Code of Québec, ss. 35-41.

2. CQLR, c. C-1.1 ("ALFIT").

3. Other specific legal and administrative standards may also apply in areas such as health, for example.

4. Private Sector Act; Access Act, supra note 1.

5. Commission d'accès à l'information du Québec, "Biométrie : principes à respecter et obligations légales des organisations. Guide d'accompagnement pour les organismes publics et les entreprises," September 21, 2022, online (in French only): https://www.cai.gouv.qc.ca/documents/CAI_G_biometrie_principes-application.pdf (PDF). The Office québécois de la langue française defines biometrics as [translation] "the mathematical analysis of a person's unique characteristics to determine or prove identity," Office québécois de la langue française, biométrie, 2020, online: http://gdt.oqlf.gouv.qc.ca/ficheOqlf.aspx?Id_Fiche=8370889.

6. In some documents, biological biometrics and morphological biometrics are regarded as belonging to a single group: physiological (or physical) biometrics. See Government of Canada, "Data at Your Fingertips Biometrics and the Challenges to Privacy," February 2011, online: https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/gd_bio_201102/; ISO 24745:2011 "Information technology — Security techniques — Biometric information protection", "2.3. biometric characteristic", p. 8; Thales, "La biométrie au service de l'identification et l'authentification," April 14, 2021, online (in French only): https://www.thalesgroup.com/fr/europe/france/dis/gouvernement/inspiration/biometrie.

7. Syndicat des travailleurs de Mométal (C.S.N.) et Mométal inc. (T.A., 2001-07-27), SOQUIJ AZ-01141263, D.T.E. 2001T‑919, [2001] R.J.D.T. 1967.

8. Julie M. Gauthier, Cadre juridique de l'utilisation de la biométrie au Québec : sécurité et vie privée, Master's dissertation, Montréal, Faculty of Graduate Studies, Université de Montréal, 2014, pp. 19-24.

9. Ibid., pp. 26-28.

10. However, the physical nature of the captured characteristic means that it is less easy to use in a digital format, making it less technologically appealing than the other two. Commission d'accès à l'information du Québec, supra note 5, p. iv.

11. Annotated ALFIT, "Biométrie, mesures biométriques" (paper format).

12. See also the hand-punch system for extracting biometric measurements from the biometric characteristic of the shape of a hand, in Syndicat des travailleurs de Mométal (C.S.N.) et Mométal inc., SOQUIJ AZ-01141263, [2001] R.J.D.T. 1967; Commission d'accès à l'information, "Horodateurs et pointeuses biométriques – constats," March 27, 2023, online (in French only): https://www.cai.gouv.qc.ca/documents/CAI_A_horodateurs_biometriques_vf.pdf (PDF).

13. "Fingerprints, irises and DNA are among the most distinctive characteristics, while facial features may be more similar among different people. Certain physical characteristics, such as fingerprints and irises, also tend to be stable over time and difficult to alter. By contrast, other biometric characteristics, such as faces, change over time and can be further varied through cosmetics, disguises or surgery," in Office of the Privacy Commissioner of Canada, "Data at Your Fingertips Biometrics and the Challenges to Privacy," February 2011, online: https://www.priv.gc.ca/en/privacy-topics/health-genetic-and-other-body-information/gd_bio_201102/.

14. Joint investigation of the Cadillac Fairview Corporation Limited ("Fairview"), para. 79 (quoted in Investigation into Clearview AI Inc., 1023158-S (CAI), para. 41).

15. Julie M. Gauthier, supra note 8, p. 29, citing four criteria recognized in Anil K. Jain, Arun Ross and Salil Prabhakar, "An Introduction to Biometric Recognition," IEEE Transactions on Circuits and Systems for Video Technology, vol. 14, No. 1, January 2004, p. 4; Fairview supra note 14, para. 79.

16. The first three criteria are recognized in a decision of the CAI, Les 3 Piliers Inc., 1018507-S (CAI), para. 35, regarding fingerprints: [translation] "The unique, distinctive and permanent nature of this information may lead to identity theft or fraud and compromise the use of the information for the person concerned. Unlike a card or a shared secret, a fingerprint cannot be replaced"; also see Fairview supra note 14, para. 79.

17. Fairview, supra note 14, para. 79; also see the "Biométrie" section of the CAI's 2016 five-year report "Rétablir l'équilibre," 2016, p. 101 et seq., online (in French only): https://www.cai.gouv.qc.ca/documents/CAI_RQ_2016.pdf (PDF).

18. Biometric data comprises all biometric information in a computerized format whether encrypted or not.

19. Julie M. Gauthier, supra note 8, p. 41; Syndicat des travailleurs de Mométal (C.S.N.) et Mométal inc., SOQUIJ AZ-01141263, [2001] R.J.D.T. 1967: [translation] "As we have seen, the instrument does not record the employee's fingerprints. It merely memorizes, as a binary formula, certain characteristics of the hand (width, thickness, length). In my opinion, this requirement by the employer does not violate the right to personal security (s. 1) and proper regard for their physical well-being (s. 46) provided for in the Québec Charter. I believe there is an important distinction between being required to provide a hair or a sample of saliva or blood, or even fingerprints, and having to place a hand on a plate for a very short period of time" (emphasis added).

20. Investigation of Clearview AI Inc., 1023158-S (CAI), para. 41: [translation] "That being said, within the category of biometric information, there are degrees of sensitivity. It is our view that facial biometric information is particularly sensitive. Possession of a facial recognition template can allow for identification of an individual through comparison against a vast array of images readily available on the Internet, as demonstrated in the matter at hand, or via surreptitious surveillance."

21. Office of the Privacy Commissioner of Canada, "Organization uses biometrics for authentication purposes," PIPEDA Case Summary #2004-281, 2004 CanLII 52853.

22. Private Sector Act, supra note 1, s. 12 subs. 3 para. 2.

23. Commission d'accès à l'information, supra note 5, p. 6.

24. ALFIT, supra note 2, s. 3 para. 4, for the definition of a database within the meaning of ALFIT.

25. ISO x defines a biometric system as automated recognition of individuals, p. 9 ("biometric system"); the proposed European regulation on artificial intelligence makes numerous connections between biometrics and AI systems. European Commission, "Proposal for a Regulation of the European Parliament and of the Council Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts," April 21, 2021, COM(2021) 206 final, online: https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:52021PC0206.

26. Les 3 Piliers supra note 16, para. 32.

27. Office of the Privacy Commissioner of Canada, Organization uses biometrics for authentication purposes, 2004 CanLII 52853.

28. Investigation of Clearview AI Inc., 1023158-S (CAI).

29. Enquête à l'égard de Héritage Ébénisterie Architecturale inc., 1023688-S (CAI).

30. A biometric system could have purposes other than identification or authentication. Under ALFIT, however, the terms "verification" and "confirmation" of identity appear to be used to mean identification and authentication (or verification) as used elsewhere in Québec, Canada and the rest of the world. See e.g.: Commission nationale de l'informatique et des libertés (CNIL), "Reconnaissance faciale," online (in French only): https://www.cnil.fr/fr/definition/reconnaissance-faciale (France).

31. Annotated ALFIT, s. 40, online (in French only): https://www.tresor.gouv.qc.ca/ressources-informationnelles/cadre-normatif-de-gestion-des-ressources-informationnelles/loi-concernant-le-cadre-juridique-des-technologies-de-linformation/loi-annotee-par-article/loi-annotee-par-article-article-40/.

32. Commission d'accès à l'information, "Deux nouvelles fiches d'information sur les pièces d'identité," online (in French only): https://www.cai.gouv.qc.ca/deux-nouvelles-fiches-dinformation-pieces-didentite. ALFIT, s. 42, identity documents could also be used on a technological medium.

33. Secrétariat du Conseil du trésor, Gouvernement en ligne, "Authentification des citoyens et des entreprises dans le cadre du gouvernement électronique," August 2004, p. 6, online (in French only): https://www.tresor.gouv.qc.ca/fileadmin/PDF/ressources_informationnelles/directives/strategie_authentification.pdf (PDF).

34. Ibid.; ALFIT, supra note 2, ss. 40–45.

35. Ibid., ss. 44–45. The data could instead be stored on a physical medium under the control of the person concerned, during the enrolment phase. For example, the iPhone is based on this mechanism, rather than on a centralized database.

36. In C.R. c. Loto-Québec, 2012 QCCAI 300, para. 111, the CAI had to determine whether ss. 44 and 45 of ALFIT, dealing with biometric systems, were relevant in analyzing a request for access to two audio recordings of a telephone conversation. The CAI found that they were not, because, although the recordings might contain biometric information, they were not used to establish a person's identity.
