New Québec biometric requirements: legal risk and mitigation
Biometric technologies are increasingly becoming part of our lives due to the widespread usage of smartphones, e-passports and digital ID cards. Generally used to enhance security, these technologies raise important privacy issues, particularly with respect to the inherent sensitivity of the biometric information.
In 2001, Québec was the first jurisdiction in Canada to introduce the Act to establish a legal framework for information technology (QC IT Act), which includes specific provisions regulating the use of biometric databases to ensure that they are managed with an adequate level of protection. For instance, organizations are required to report the use of any database containing biometric characteristics or measurements (or “biometric information”).
Once in force in September 2022, the Act to modernize legislative provisions as regards the protection of personal information (QC Bill 64), which amended the QC IT Act, will impose two new requirements pertaining to the reporting (that is, “declaration” or “disclosure”) of biometric systems used for identification or authentication purposes. In fact, in addition to the existing requirement to obtain the express consent from individuals for the collection of their biometric information, organizations will be required to disclose any process involving biometric information, regardless of whether biometric information is stored in a database. Otherwise, organizations will not be permitted to use biometric information for the purposes mentioned above.
This content has been updated on April 20, 2022 at 17 h 06 min.