M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ For Deeth Williams Wall LLP on May 18, 2022.
On May 2, 2022, Canada’s privacy regulatory authorities (the Regulators) issued a joint statement calling for a legal framework that clearly establishes the acceptable circumstances for police to use facial recognition technology (FR).
Police agencies greatly benefit from FR, because it is a useful resource for solving crimes, locating missing persons, and supporting national security objectives. However, the Regulators noted that FR involves the collection and processing of highly sensitive biometric information, which raises a series of privacy and human rights concerns when it is applied on a large scale. Widespread adoption of the technology would enable police agencies to covertly identify and surveil individuals and this may impair Canadians’ privacy right to participate in the world without being regularly identified, tracked, and monitored.
The Regulators called for Canadian legislators to implement a legal framework that outlines the boundaries associated with FR. Although Canada’s current principle-based privacy laws are adaptable to evolving technologies, the Regulators took the position that they are too high-level to address the specific risks associated with police use of FR. They argued that the current legal framework leaves much discretion to police agencies, which creates the possibility for serious harms to an individual’s privacy and other fundamental rights.
In the joint statement, the Regulators suggested that a new legal framework should be implemented by legislators that includes the following:
- Defined Purpose and Prohibited Uses: A clearly defined purpose for police agencies to use FR and a list of prohibited uses, i.e. “no-go zones”.
- Necessity and Proportionality: Overarching requirements for the use of FR to be necessary and proportionate for a given objective.
- Independent Oversight: Empowering an independent, external public body to oversee police use of FR, including requirements for police agencies to obtain authorization to launch an initiative.
- Mitigate Privacy Risks: Privacy control measures that mitigate individuals’ risks, including controls to ensure the accuracy of information and appropriately limit data retention for police databanks.
Together with their joint statement, the Regulators released the final version of their joint privacy guidance on FR use by police agencies that clarifies the agencies’ obligations under current laws. The guidance and joint statement are the product of a public consultation launched in June 2021, in which a large majority of stakeholders agreed that new legislation is required to govern police use of FR going forward.