In a move to adapt to the evolving landscape of biometric technology and its implications on privacy, the Office of the Privacy Commissioner of Canada (OPC) is calling for feedback on its recently released draft guidelines for handling biometric information. These guidelines are designed to ensure that organizations in Canada responsibly manage and process biometric data, aligning them with contemporary cybersecurity, fraud prevention, and digital identity concerns. The OPC is inviting stakeholders in the biometrics sector and the public to provide their insights on these draft documents.
Commissioner Philippe Dufresne has emphasized the necessity of updating the existing guidelines, which were last published in 2011. He underscores the increased prevalence of biometric technologies in various sectors, such as law enforcement’s use of facial recognition technology and cases where companies, like Rogers Inc., failed to obtain consent for their voiceprint authentication programs. These examples illustrate the growing relevance of biometric data, which has outpaced the scope of the old guidelines.
Dufresne further elaborates on the changing biometric landscape, mentioning facial recognition, voice recognition, and other biometric systems as technologies that have evolved significantly since the guidelines were first introduced. The rapid development in this field calls for updated guidance to ensure organizations utilize these technologies in a manner that safeguards individuals’ privacy rights.
Draft guidelines seek stakeholder feedback
To facilitate the process of revising their guidelines, the OPC has released two draft documents. One focuses on private-sector privacy risks under the Personal Information Protection and Electronic Documents Act (PIPEDA), while the other addresses the Privacy Act, governing federal institutions. Both documents are accessible for download on the OPC’s official website. Stakeholders and interested parties are encouraged to review these drafts and provide their feedback by January 2024.
Broadly, the draft guidelines cover a range of issues related to biometric data usage, including ensuring biometrics are used for appropriate purposes, obtaining the necessary consents, and avoiding profiling or categorization practices that may lead to unfair, unethical, or discriminatory treatment, thus contravening human rights law.
The guidelines offer a clear framework, delineating “Musts” and “Shoulds” that organizations are expected to follow. Among the “Musts” are requirements like using authentication before identification and promptly deleting biometric information upon request. These are crucial to maintaining a high level of privacy and security when handling sensitive biometric data. Additionally, the guidelines advise organizations to take proactive measures to keep biometric templates under the control of the individuals they pertain to and to prioritize active biometric recognition over passive methods.
Concerns over facial recognition usage
The draft guidance for federal institutions also highlights specific cases that have triggered concerns regarding the use of biometric technology, including the Royal Canadian Mounted Police (RCMP) employing a system provided by Clearview AI for facial recognition. The OPC has determined that this utilization constitutes a breach of the Privacy Act.
The OPC’s investigation into the matter revealed that Clearview AI had engaged in online scraping of images and the creation of biometric facial recognition arrays without proper consent, resulting in mass identification and surveillance of individuals. Such practices raise significant privacy and ethical concerns, making it imperative for the OPC to underscore the importance of adhering to privacy principles when using biometric technology.