New laws may result from Canadian police’s wrongful use of facial recognition technology

The country’s privacy commissioners are seeking the views of interested parties after issuing draft guidelines following a national Office of the Privacy Commissioner (OPC) investigation concluding the police’s use of FRT breached the Privacy Act.

“In an effort to provide some clarity to police agencies that are increasingly looking to FRT to solve crime or find missing persons, the OPC, along with its provincial and territorial privacy counterparts, have also issued draft guidance to assist police in ensuring any use of FRT complies with the law, minimises privacy risks and respects privacy rights,” the OPC said.

The draft guidelines emphasise agencies must have lawful authority for the technology’s proposed use and the importance of applying privacy protective standards proportionate to the potential harms involved.

“FRT is a powerful tool that has the potential to offer great benefits to society but it can also be a highly invasive surveillance technology fraught with many risks,” privacy commissioner Daniel Therrien said.

“It can provide racially biased results, erode privacy and undermine other rights such as freedom of peaceful assembly. FRT must be used responsibly and very carefully.”

The public consultation is taking place against a background of appropriate limits on FRT having to be established.

“Unlike other forms of biometrics collected by law enforcement, facial recognition is not subject to a clear and comprehensive set of rules,” the OPC said.

“Its use is regulated through a patchwork of statutes and case law that, for the most part, do not specifically address the risks posed by the technology. This creates room for uncertainty concerning what uses of facial recognition may be acceptable, and under what circumstances.

Therrien added: “The question of where acceptable FRT use begins and ends is in part a question of the expectations we set now for the future protection of privacy in the face of ever-increasing technological capabilities to intrude on Canadians’ reasonable expectations of privacy.”

On how the police – known as the RCMP in Canada – utilise the technology, he said: “The use of FRT by the RCMP to search through massive repositories of Canadians who are innocent of any suspicion of crime presents a serious violation of privacy. A government institution cannot collect personal information from a third-party agent if that third-party agent collected the information unlawfully.”

That is reference to US facial recognition technology company Clearview AI which the OPC determined in February had violated Canadians’ privacy rights by scraping billions of images of people from the internet.

The RCMP no longer uses Clearview AI as the company stopped offering its services in Canada last year during the commission’s then ongoing investigation.

However, the OPC remains concerned the RCMP did not agree with its conclusion that the police’s use of FRT contravened the Privacy Act.

The RCMP argued that ensuring the database it was using compiled legally would create an unreasonable obligation and the law does not expressly impose a duty to confirm the legal basis for the collection of personal information by private sector partners.

Therrien termed that as an example of how public-private partnerships and contracting relationships involving digital technologies create new complexities and risks for privacy.

“Activities of federal institutions must be limited to those that fall within their legal authority and respect the general rule of law. We encourage Parliament to amend the Privacy Act to clarify that federal institutions have an obligation to ensure that third party agents it collects personal information from have acted lawfully,” he added.

The RCMP has agreed to implement the OPC’s recommendations to improve its policies, systems and training, including full privacy assessments of third-party data collection practices to ensure any personal information is collected and used in accordance with Canadian privacy legislation.