acial recognition, biometric, privacy, sensitive personal information, PIPEDA
Facial recognition technology is one of the most intrusive and privacy threatening technologies available today. The literature around this technology mainly focuses on its use by the public sector as a mass surveillance tool; however, the private sector uses of facial recognition technologies also raise significant privacy concerns. This paper aims to identify and examine the privacy implications of the private sector uses of facial recognition technologies and the adequacy of Canada’s federal private sector privacy legislation, the Personal Information Protection and Electronic Documents Act (PIPEDA), in addressing these privacy concerns. Facial templates produced and recorded by these technologies are types of biometric information. While all biometric information are highly sensitive in nature and require stricter regulatory protections, this paper argues that facial recognition data poses a more significant risk to individuals’ privacy and autonomy than other forms of biometric data. First, facial recognition technology can be used on a person from large distances and completely surreptitiously. Second, hiding one’s face or avoiding the technology in daily life is hard to accomplish, if not impossible. Third, there is already a vast database of personally identified facial images available in the hands of private organizations, such as social media companies, containing the sensitive data of millions of people ready to be identified. This paper takes the position that PIPEDA does not provide adequate protection of individuals’ privacy against facial recognition technologies and significant amendments to the Act are urgently required. Sensitive personal information, which includes facial recognition data, should be defined as a special category of personal information along with stricter protections on their collection, use, retention and disclosure. The role of consent should be re-defined concerning highly sensitive facial recognition data, clear enforcement powers should be given to the Privacy Commissioner of Canada in enforcing the Act and mechanisms to ensure compliance should be regulated in the forms of substantial fines for violations and a private right of action for citizens. However, the paper argues that due to PIPEDA’s limited scope of application and constitutional challenges, amending the Act would not be enough to protect all Canadians from the risks this technology poses. Accordingly, the paper concludes that along with the proposed amendments to PIPEDA, provincial legislations should also be enacted and enforced to ensure the protection of Canadians’ privacy and autonomy against the threats posed by facial recognition technology.
Tunca Bolca, "Can PIPEDA ‘Face’ the Challenge? An Analysis of the Adequacy of Canada’s Private Sector Privacy Legislation against Facial Recognition Technology" (2020) 18:1 CJLT 51.