On February 18, 2025, the Quebec privacy regulator, the Commission d'accès à l'information du Québec (the "CAI"), issued an important decision under the Act to Establish a Legal Framework for Information Technology (the "Quebec IT Act").
The case involved Metro Inc. (the "Company"), which intended to launch, as a pilot project, a database containing the biometric characteristics and measurements of individuals captured by surveillance cameras (the "Biometric Database"), in support of implementing facial recognition systems in certain retail locations. Broadly, the Company's objective was to use a facial recognition system linked to the Biometric Database to prevent and detect shoplifting and fraud in designated stores.
At the heart of the case was whether the Company's use of facial recognition systems constituted the verification or confirmation of an individual's identity under Section 44 of the Quebec IT Act, and whether processing individuals' biometric information required their express consent.
1. Factual Background
On September 6, 2024, pursuant to Section 45 of the Quebec IT Act, the Company notified the CAI of its intention to create a Biometric Database. In its notice, the Company indicated that the initiative was a pilot project designed to evaluate the deployment of a facial recognition system in certain retail stores as a measure to reduce or prevent shoplifting and fraud.
Specifically, the pilot project involved:
- Installing surveillance cameras at the entrances and exits of participating stores to capture images of individuals entering and exiting the premises.
- Testing two facial recognition systems. The first system would create a digital representation of an individual's facial features by analysing fifty-six (56) distinctive characteristics and measurements (e.g., the distance between the eyes, eye colour, shape of the nose, etc.). The second system would use an artificial intelligence algorithm to generate a mathematical signature of a person's facial features from the captured image.
- Converting raw surveillance footage into digital representations, which would then be compared to reference images stored in the Biometric Database. In other words, the systems did not compare actual images, but rather algorithmically derived digital representations.
- Developing the reference images in the Biometric Database using prior surveillance footage from confirmed incidents of shoplifting or fraud involving adults, where police intervention had been requested.
- Selecting the reference images used to develop the digital representations in the Biometric Database according to internal protocols and procedures established by the Company.
Ultimately, when a match was identified between a biometric representation of a person captured on surveillance and a reference image in the Biometric Database, the system would alert store personnel to assess the situation and respond appropriately.
2. Legal Issue
The key legal issue was whether the Company's facial recognition project was subject to Section 44 of the Quebec IT Act, and whether the proposed processing of biometric information required the express consent of individuals entering the stores.
Section 44 of the Quebec IT Act provides that an individual's identity may not be verified or confirmed through a process using biometric characteristics or measurements unless the process has been previously disclosed to the CAI and the express consent of the individuals concerned has been obtained.
The Company argued that Section 44 did not apply, asserting that the project was not intended to verify or confirm the identity of individuals within the meaning of the Quebec IT Act. Consequently, it believed there was no obligation to obtain the express consent of individuals whose biometric characteristics and measurements were analysed. The CAI disagreed.
3. Requirements Under Section 44 of the Quebec IT Act
To better understand the CAI's decision, it is helpful to review the requirements set out in Section 44 of the Quebec IT Act. Section 44 states:
"A person's identity may not be verified or confirmed by means of a process that allows biometric characteristics or measurements to then be used except where such verification or confirmation has been previously disclosed to the Commission d'accès à l'information and except with the express consent of the person concerned."
In its analysis, the CAI focused on two elements: (i) biometric characteristics or measurements; and (ii) the verification or confirmation of a person's identity.
a. Biometric Characteristics and Measurements
The CAI found that the Company intended to use biometric characteristics and measurements in a manner that fell within the scope of Section 44. The project involved collecting and converting raw video surveillance footage of past incidents into digital representations, which were then stored in the Biometric Database for future comparisons. This process enabled the Company to determine whether new biometric representations of a person captured on surveillance matched existing digital representations stored in the database. The CAI concluded that these biometric characteristics and measurements were subject to the requirements of Section 44.
b. Verifying or Confirming a Person's Identity
The next question was whether the project aimed to verify or confirm a person's identity. Under the Act respecting the protection of personal information in the private sector (the "Quebec Privacy Act"), biometric information is considered inherently sensitive and is subject to heightened protections. Section 44 of the Quebec IT Act provides additional protections by specifically regulating the use of biometric data for identity verification and confirmation purposes.
The CAI found that the Company's project sought to identify individuals previously involved in incidents, whose biometric representations had been stored in the Biometric Database. By comparing the biometric characteristics and measurements of individuals walking into the Company's premises to the digital representations in the Biometric Database containing information relating to known individuals previously involved in incidents, the Company was engaging in "one-to-many" comparisons with the objective of determining the identity of an individual based on a match. This practice, according to the CAI, amounted to the "verification" of a person's identity within the meaning of Section 44.
The CAI further distinguished between identity verification and identity confirmation, citing the Office of the Privacy Commissioner of Canada's Draft Guidance for Processing Biometric Information:
- Identity verification involves comparing an individual's information against a database in a one-to-many comparison to determine who the person is.
- Identity confirmation (authentication) involves a one-to-one comparison to confirm that a person is who they claim to be.
c. Express Consent
Considering the above, the CAI concluded that both facial recognition systems contemplated by the Company allowed for a process using an individual's biometric characteristics and measurements to verify the individual's identity within the meaning of Section 44. Consequently, the express consent of the individuals concerned was required.
4. Broad and Liberal Interpretation
The CAI emphasized that Section 44 must be interpreted broadly and liberally, consistent with the quasi-constitutional nature of privacy rights in Quebec. Privacy statutes, including the relevant provisions of the Quebec IT Act, must be construed in a manner that furthers their protective purpose. A narrow or overly technical interpretation of Section 44, the CAI warned, would undermine the legislator's intent and expose individuals to serious privacy risks.
5. CAI's Decision
The CAI ultimately concluded that the Company's facial recognition project was subject to Section 44 of the Quebec IT Act, as it involved the use of biometric characteristics and measurements to verify identity. Accordingly, the express consent of the individuals concerned was required prior to any biometric identity verification.
Given the sensitivity of biometric information and the risks associated with its use, the CAI reaffirmed that such facial recognition systems require a strong regulatory framework, and organizations must strictly comply with the requirements set out in the Quebec IT Act. Therefore, the project, as proposed, violated the requirements set out in Section 44 of the Quebec IT Act.
6. Takeaways
The CAI's decision sends a clear message to organizations: the deployment of biometric systems, particularly facial recognition technologies, must be approached with caution. Quebec's privacy laws are designed to protect the public and to ensure the fundamental rights of individuals, including the right to privacy, which is enshrined in the Quebec Charter of Human Rights and Freedoms. As such, statutes that are designed to protect personal information have a quasi-constitutional status and must be interpreted accordingly.
For organizations considering the deployment of biometric technologies in Quebec, here are a few key lessons we can draw from the analysis of this case:
- Assess whether the technology involves a process that allows biometric characteristics or measurements to be used to verify or confirm a person's identity.
- If so, disclose the project to the CAI prior to its implementation (this is a mandatory requirement under the Quebec IT Act).
- If a database containing biometric characteristics and measurements is created, disclose this to the CAI as soon as possible and no later than sixty days before it is brought into use (again, this is a mandatory disclosure requirement).
- Obtain express consent from individuals concerned. Consent cannot be implied through use or any other indirect means.
- Establish a clear governance framework. The CAI expects robust internal protocols for the collection, retention, use, and destruction of biometric information.
It is also important to note that any new project to acquire, develop, or overhaul an information system or electronic service delivery system involving the collection, use, communication, retention, or destruction of personal information requires a privacy impact assessment under the Quebec Privacy Act.
In short, if your organization is exploring the use of biometric technologies in Quebec, make sure you are well informed of your legal obligations. It is also advisable to consult privacy professionals early in the process to ensure your project is designed and implemented in compliance with the Quebec IT Act (and with all other applicable privacy laws).
Good luck.
The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.
© McMillan LLP 2025