Privacy and Cybersecurity Law

Québec's reform of privacy legislation sheds new light on the rules applicable to biometrics. Both public and private sector privacy legislation1 and the Act to Establish a Legal Framework for Information Technology ("ALFIT")2 provide a framework for using these tools. However, these laws do not have the same scope and must be interpreted together for organizational compliance purposes.3

ALFIT applies only to biometric systems, while privacy laws4 target biometric characteristics and measurements as personal (sensitive) information, regardless of whether they are used in a biometric system.

The next bulletin in this series will provide more details about the consequences of this categorization for the applicable obligations and sanctions.

What is Biometrics?

Biometrics is an identification and authentication technique that relies on the computerized processing of a person's physical, behavioural or biological characteristics and makes it possible to identify the person or prove their identity.5 There are three categories:6

Physical or morphological biometrics analyzes morphological characteristics such as fingerprints, the venous system, the shape of a person's hand, 7 iris and retina, and face. 8

analyzes morphological characteristics such as fingerprints, the venous system, the shape of a person's hand, iris and retina, and face. Behavioural biometrics analyzes behavioural characteristics such as signature patterns, voice, heartbeat, gait or posture. 9

analyzes behavioural characteristics such as signature patterns, voice, heartbeat, gait or posture. Biological biometrics analyzes a person's biological samples or traces, such as DNA, blood, saliva, urine, odours, etc.10

A biometric characteristic is unique to a person and makes it possible to establish their identity.

A biometric measurement involves the technological processing of a biometric characteristic: biometric measurements relate to all of a person's distinctive characteristics; they can be read by computer systems and used to identify a person.11

For example, the shape of the face corresponds to a morphological biometric characteristic, while what is produced by processing it to extract nodal points would be the biometric measurement or data that results from it.12

The various levels of biometric characteristics and measurements are13

unique : largely unique to each individual; 14

: largely unique to each individual; distinctive : sufficiently different from one person to another that the individuals can be differentiated; 15

: sufficiently different from one person to another that the individuals can be differentiated; permanent : 16 sufficiently immutable over a given time period;

: sufficiently immutable over a given time period; universal : every person has or exhibits such characteristics;

: every person has or exhibits such characteristics; perceptible: can be measured quantitatively.

If the biometric characteristics and measurements make it possible to effectively and precisely identify an individual, the use of those characteristics and measurements is particularly sensitive17 and strictly regulated by law.

Not all biometric data18 has the same degree of sensitivity, nor does it infringe individuals' fundamental rights equally. Generally speaking, fingerprinting is more invasive than recording points relating to the shape of the hand.19 Similarly, facial recognition systems typically collect more information that is more sensitive20 than do voice recognition systems.21

All biometric data is sensitive personal information subject to privacy laws, regardless of the context in which it is used.22

Biometric System

A biometric system consists of two phases:23

Enrolment consists of recording the digital representation of biometric characteristics or measurements in a database, 24 or on any other medium, from which other biometric data is then individually compared.

consists of recording the digital representation of biometric characteristics or measurements in a database, or on any other medium, from which other biometric data is then individually compared. During recognition, the database entered in the enrolment phase is compared with a second piece of data to establish a connection and thus identify or authenticate a person. The recognition phase is also automated using technology (e.g., artificial intelligence).25

A biometric system could be a fingerprint,26 voice27 or facial28recognition system, but could also be contained in or connected with a technological object with other features, such as an infrared camera,29 when that object is intended to be used to identify or authenticate a person.30

Identification (who is this person?) means a detailed comparative examination of the facts to establish a person's identity. 31 When done in person, identification is generally performed by checking official photo identity documents (e.g., a health insurance card, driver's licence or passport), although these documents may only be used in limited contexts, in theory. 32

(who is this person?) means a detailed comparative examination of the facts to establish a person's identity. When done in person, identification is generally performed by checking official photo identity documents (e.g., a health insurance card, driver's licence or passport), although these documents may only be used in limited contexts, in theory. Authentication (is this person who they claim to be?) means verification of a person's stated identity. It is therefore the next step after identification. For example, an authentication function with a user name and password in an online service enables an organization to be sure that it is communicating with the right individual or the right representative of an organization.

A plethora of technological processes can be used to identify or authenticate a person. For each process, the reliability, or "confidence level," in Québec,33 will vary. ALFIT governs both the physical and the technological identification and authentication processes that are permitted. As updated in September 2022, ALFIT34 requires, among other things, that a biometric system be disclosed to the Commission d'accès à l'information before it is implemented, whether or not the system is based on a centralized database.35

A system that does not include an enrolment and recognition phase, or that is not intended to identify or authenticate a person, would therefore not constitute a biometric system, and would not be subject to ALFIT requirements relating to biometric systems.36

However, if a system meets these criteria, ALFIT will apply in addition to privacy laws, regardless of whether it is supplied by a third party or created internally.

