Leaving Big Brother off the hook

  • March 17, 2021
  • Horia Tabatabaei Soltani

Facial recognition (FR) is the process of identifying and verifying an individual’s face through computer vision and artificial intelligence (AI). FR is a type of biometrics that identifies an individual through their unique and distinctive features. FR can process photos, videos and real-time faces. Specific details of an individual’s face are selected, creating a face template that is used for distinguishing faces from each other.

Currently Canada has no distinct biometric legislation.1 Biometric data is partly governed under the Personal Information Protection and Electronic Documents Act (PIPEDA). On November 17, 2020, Bill C-11 Digital Charter Implementation Act, 2020 (DCIA) was introduced which seeks to amend PIPEDA and establish the Consumer Privacy Protection Act (CPPA) and the Data Protection Tribunal Act. The proposed privacy regime has not expanded nor introduced greater regulation on biometrics.

The proposal of CPPA was a golden opportunity for Canada to establish itself as a leading nation in FR regulation. The occurrences of the past year have broadened the discourse around the privacy implications of FR. There has been considerable reliance on FR technology for remote work and e-learning. The case of Clearview AI and its collection of photos from social media platforms like Facebook without consent highlighted the dangers of unregulated and unrestrictive biometric data collection and use. Canadian police including the RCMP used Clearview AI’s database without acknowledgement or taking adequate measures, such as performing a Privacy Impact Assessment or consulting the Privacy Commissioner for its use.2 On February 2, 2021, the Office of the Privacy Commissioner of Canada made public the conclusion of its joint investigation into Clearview AI. The report recommended that Clearview AI cease offering its FR tool to clients in Canada, cease its collection, use and disclosure of biometrics facial arrays collected from individuals in Canada, and to delete in its possession all biometric arrays collected of individuals in Canada.3 The case of Cadillac Fairview Corporation Limited use of FR technology also exemplified the concerns around the use of FR. The Federal Privacy Commissioner along with the Privacy Commissioners of Alberta and British Columbia, found that the corporation was collecting biometric information without obtaining meaningful consent.4

The new year will undoubtedly continue the trend of egregious collection and use of biometrics through FR technology.

The concern surrounding FR is not just based on the sensitive information that it collects but the manner in which it is deployed and its societal ramifications. Low accuracy rate and algorithm bias in the technology have shown to produce “false positive” errors, which leads to a face in the system being incorrectly matched to an image in the database.5 This false identification substantially undermines civil liberties, as an individual may be criminally charged for an act they did not commit, as a result of an error made by the technology. In addition to these concerns, FR technology has even led to the creation of deep-fakes, which are manipulated videos, audios and images of an individual.

The unease around FR technology and its dire consequences has led some US states to respond by establishing regulation for its use in their jurisdictions. Illinois is known as a leader in biometric regulation as in 2008 it established the Illinois Biometric Information Privacy Act (BIPA), which regulates the collection and storage of biometric information, such as retina scans, voice recognition, facial-geometry recognition and scent recognition. Under BIPA there is a private right of action where a mere violation of the Act gives an individual standing to sue under it. Notably, under the Act a breach or harm does not need to take place in order for an organization to be sued and pay a penalty. Failing to follow proper procedures, such as obtaining consent and retention of biometric information may allow for the business itself to become liable (The Illinois Supreme Court ruled in Rosenbach v. Six Flags Entertainment Corp. that individuals do not need to show harm in order to bring a suit under BIPA).6 Remarkably BIPA prohibits businesses profiting from biometric data. Other states, such as Texas and Washington have followed suit with their own biometric policies and various requirements, though not as comprehensive as Illinois.7San Francisco has even banned facial recognition use by the police.8

Due to the privacy risks and ethical concerns surrounding FR technology, it is necessary to establish protective laws along with an oversight regime to ensure its accountability. Within the CPPA a comprehensive regulatory structure for biometrics data collection and use should have been outlined. The proposed code of practices and certification programs should not be solely depended on to address biometric rules as their effectiveness remains unknown. They are better to serve as a supplement to the CPPA. With no industry benchmark or common practice established for the development and use of FR technology, the government has a reasonability to step in, provide leadership and guidance in ensuring the privacy rights of citizens are upheld.

The nature of FR technology makes it problematic to institute an “opt-in” consent mechanism. From the examples stated earlier, the individuals whose biometrics were compromised did not have a choice to “opt-in” to the data collection, nor did the platforms that Clearview AI used consented to their users’ information being collected. Clearview AI was even sent cease-and-desist letters from Facebook, Youtube and Google.9 However, that did not stop them from their data collection. There is inadequate technological safeguards and standards within the FR industry, hence legislation is required to ensure protection and hold tech companies accountable for their failings. The importance of a comprehensive biometric legislation is that it will help to address the question of when and how FR can and should be used. Legislative guidance will provide companies a thorough understanding of consent and collection requirements in implementing their FR technology and ensure their adherence to guidelines. When there is common standards and product transparency, abuse of FR technology will be abated.

It is important to keep in mind that majority of everyday citizens do not have an in-depth knowledge of how biometric identifiers work, when FR technology is being used and by who, and its ramifications. Therefore, the government has to establish measures to ensure that citizen’s privacy rights are not undermined and influence the FR sector to address the bias and shortcomings of the technology, and hold them accountable for their inadequacies.

Canada’s history of privacy regulation has always operated with the aim of balancing technological creativity and innovation along with privacy protection. Establishing a regulatory regime for biometric data collection will continue this, as the aspiration is not to prohibit its use but to balance its benefits and disadvantages.


Horia Tabatabaei Soltani is a lawyer at HTS Law and has her IAPP certificate in Canadian privacy law. She assists businesses with their privacy practices and compliance, and advises on data governance.

Endnotes

1 Though there is no federal framework for biometrics, Quebec’s Act to establish a legal framework for information technology addresses biometric recording. Section 44 states that express consent of the person is required for biometric characteristics or measurements to be recorded. Act to establish a legal framework for information technology, RSQ, C-1.1, s. 44.

2 Rachel Browne, “Ontario watchdog would be ‘very concerned’ about police using tools like Clearview AI,” Global News (January 24, 2020) online

3 Office of the Privacy Commissioner of Canada, Joint Investigation of Clearview AI, Inc. by the Office of the Privacy Commissioner of Canada, the Commission d’accès à l’information du Québec, the Information and Privacy Commissioner for British Columbia, and the Information Privacy Commissioner of Alberta, February 2, 2021, online

4 Office of the Privacy Officer of Canada, Joint Investigation of the Cadillac Fairview Corporation Limited by the Privacy Commissioner of Canada, the Information and Privacy Commissioner of Alberta, and the Information and Privacy Commissioner for British Columbia, October 28,2020, online

5 National Institute of Standards and Technology, “NIST Study Evaluates Effects of Race, Age, Sex on Face Recognition Software,” (December 2019) online

6 Rosenbach v. Six Flags Entertainment Corp, IL 123186 (2019).

7 The Texas Capture or Use of Biometric Identifier Act (CUBI) (Tex.Bus.& Com. Code Ann.§503.001). Washington Biometric Identifiers (RCW 19.375.010 to 19.375.900).

8 Shannon Van Sant & Richard Gonzales, “San Francisco Approves Ban On Government’s Use of Facial Recognition Technology,” NPR (May 14, 2019) online

9 Alfred Ng & Steve Musil, “Clearview AI hit with cease-and-desist from Google, Facebook over facial recognition collection,” CNET (February 5, 2020) online