Company Ordered to Cease Using Facial Recognition Technology to Monitor Access to its Facilities: Overview of Quebec Privacy Regulator’s Decision

Company Ordered to Cease Using Facial Recognition Technology to Monitor Access to its Facilities: Overview of Quebec Privacy Regulator’s Decision

On September 4, 2024, the Commission d’accès à l’information du Québec (“CAI“) issued a decision reinforcing the strict requirements governing the collection and processing of biometric information in the private sector in Quebec.

In its decision, the CAI ordered Transcontinental Printing Inc. (the “Company“) to cease using facial recognition technology to monitor access to its facilities and to destroy all biometric information previously collected, as its collection and processing practices involving biometric information violated the requirements of the Act respecting the protection of personal information in the private sector (“Quebec Privacy Act“).

In this bulletin, we provide an overview of the CAI’s decision and rationale in ordering the Company to cease using its facial recognition technology.

I.  Background.

Initially, the Company implemented a facial recognition and temperature screening system during the COVID-19 pandemic to control access to its premises with the objective to ensure employee safety during the pandemic. The system had two main features: facial recognition and body temperature measurement.

On October 2, 2020, the Company notified the CAI of its intent to create a database containing biometric information.

While the temperature-screening function was discontinued in October 2022, the Company continued using the facial recognition feature to monitor access to its facilities.

On June 20, 2024, nearly four years after the Company informed the CAI of the database’s creation and use, the CAI launched an investigation into the Company’s biometric data collection and processing practices.

Ultimately, the CAI found that the Company’s data collection and processing practices violated the requirements of the Quebec Privacy Act.

II.  Company Procedures for Collecting Biometric Information.

During the investigation, the Company reported to the CAI that it followed a fairly rigorous process when using its facial recognition system, namely:

• it obtained each employee’s consent to collect their biometric information;
• the employees’ pictures were taken by a coordinator or trainer;
• the employees’ pictures were sent to Human Resources via secure servers;
• the employees’ pictures were deleted from the coordinator or trainer’s camera;
• the employees’ pictures were validated against the employees’ identification information already on file;
• the employees’ pictures were uploaded to the facial recognition system;
• the employees’ pictures on the Company servers were then deleted; and
• the employees’ pictures were converted into an irreversible code on which the recognition of the employee was based.

III.   The CAI Analysis.

a.  Burden of Proof.

In its decision, the CAI reiterates that organizations have the burden to prove that their collection and use of biometric information is necessary to achieve their objectives. Furthermore, under the Quebec Privacy Act, organizations demonstrate that their objectives are legitimate, real, and important, and the invasion of privacy caused to the individuals concerned is proportional to their objectives.

b.  Company Objectives?

Originally, the Company’s objective was to ensure the safety and security of its employees during the COVID-19 pandemic. In addition, the Company wanted to satisfy the requirements of the Customs Trade Partnership Against Terrorism (“CTPAT”), representing a U.S. program helping improve the security of supply chains. To obtain a CTPAT certification, organizations could choose to implement a biometric identification system to control the access of individuals to their facilities, although this measure was not mandatory.

At the time of the CAI’s investigation in 2024, the Company was no longer pursuing the objective of ensuring employee safety due to COVID-19 at its premises. As a result, its main objective was to secure the safety of its facilities allowing it to satisfy the CTPAT certification requirements.

c.  Necessity Test.

i.  Was the objective legitimate?

The CAI considered that the Company’s objective in wanting to secure the safety of its facilities by taking access control measures was a legitimate objective being pursued.

ii.  Was the Objective Real?

For the Company to demonstrate that the objective of securing its facilities was real, it must demonstrate that it was looking to resolve a specific or actual problem that justified the collection of personal information, particularly biometric information. This objective must not be future or hypothetical.

The CAI indicated that it could not accept the Company’s argument that the Company’s objective to satisfy the CTPAT certification requirements represented a problem it needed to address or solve. In addition, the certification requirements did not mandatorily require the collection of biometric information to secure the premises and included less privacy-invasive means to achieve the same objective.

Based on the above, the CAI considered that the Company was unable to prove that its objective was supported by any particular and actual problem justifying the collection of biometric information. The desire to obtain a CTPAT certification did not in of itself represent a problem for the Company to solve but a means for the Company to more easily collaborate with the U.S. Customs and Border Protection.

iii.   Was the Objective Important?

To show that an objective is important, organizations must demonstrate that the objective pursued by the collection of biometric information is not merely to address a usual, common, or intrinsic objective for the management of a business.

According to the CAI, the desire to control access to an organization’s premises represents a usual, common, or intrinsic business objective faced by all organizations. While it is possible that certain organizations may engage in business activities that warrant a higher level of security justifying the collection and processing of biometric information, the Company did not present any evidence showing a special need to collect and process biometric information to better secure its premises.

d.  Proportionality Test.

i.  Was the Collection of Biometric Information Proportional?

According to the Quebec Privacy Act, the collection of personal information must be proportional to the objectives pursued. Overall, the benefits derived from the collection and processing of personal information must outweigh the invasion of privacy caused to the individuals concerned. The Company had the burden to prove that the collection of personal information was rationally connected to its objective, the privacy invasion on individuals was minimized, and the collection of personal information was far more useful to the Company than detrimental to the individuals concerned.

ii.  Was the Collection of Personal Information Rationally Connected to the Objective?

The Company’s position was to the effect that the collection of biometric information was necessary for the operation of a facial recognition system intended to control access to its premises. The CAI agreed with this position and concluded that the collection of biometric information relating to the operation of a facial recognition system was rationally connected to the objective of controlling access to the Company’s premises.

iii.  Did the Company Minimize the Privacy Impact on Individuals?

Before collecting any personal information, organizations must ensure that any potential privacy impact on the individuals concerned when the collection and processing of personal information is minimized. To this end, organizations must consider the possibility of using other less privacy-intrusive means of achieving their objectives.

The CAI determined that the Company had the option to implement a less privacy-intrusive measure to satisfy the CTPAT certification requirements. More specifically, the Company could have implemented access controls through the issuance of identification badges, temporary visitor and supplier badges, access keys or codes as alternative means. In addition, the Company was unable to establish why other less privacy-intrusive measures could not have been effective in helping it achieve its objective and why the use of facial recognition system was the preferred approach.

iv.  Was the Collection of Personal Information Significantly More Useful to the Company Than Detrimental to the Individuals Concerned?

Individuals inherently have a very high expectation of privacy when their biometric information is collected and processed. Fundamentally, biometric information is permanent and distinctive in nature, making it a unique identifier. Biometric information is immutable and permanent where any confidentiality incident or misuse can have serious consequences on the individuals concerned. Unlike an access card or access code that could be replaced, an individual’s biometric information cannot be replaced or changed.

According to the CAI, even if the Company encrypted the employee pictures, this process does not mitigate the individual’s exposure to risk. In addition, the irreversible code generated during an employee’s onboarding process remains personal information and the Company did not present any evidence showing that this code was also encrypted.

With respect to the encryption of the biometric database, the CAI considered that it represented an appropriate security measure designed to protect the personal information contained in the database. However, such security measures do not have any bearing on the level of privacy invasion suffered by individuals when their biometric information was initially collected.

Overall, the CAI did not find that the benefits to the Company justified exposing the individuals concerned to such high level of risk.

IV.  CAI Findings.

Ultimately, the CAI found that the Company did not satisfy the requirements of the Quebec Privacy Act and was not justified in collecting and processing biometric information. The CAI ordered the Company to stop using the facial recognition technology for access control and destroy all biometric information and codes within ninety (90) days.

V.  Takeaways.

The CAI’s decision serves as an important reminder that the collection and use of biometric information in Quebec is subject to strict requirements. Organizations must carefully consider other less privacy-intrusive alternatives before engaging in any activities requiring the collection and use of biometric information.

This decision reiterates that organizations must first consider that the objectives pursued requiring biometric information are legitimate, real and important, and where the information collected is rationally connected to their objectives, the privacy impact on the individuals is minimized, and the benefits to the organization largely outweigh the potential exposure of the individuals concerned to harm. In the end, organizations have a duty to balance the achievement of their business objectives with the adequate protection of individual privacy rights.

by Amir Kashdaran

A Cautionary Note

The foregoing provides only an overview and does not constitute legal advice. Readers are cautioned against making any decisions based on this material alone. Rather, specific legal advice should be obtained.

© McMillan LLP 2025