Canadian Privacy Commissioner Warns Against Police Use of Facial Recognition in New Guidance

In new guidance issued to law enforcement agencies across Canada, the Privacy Commissioner laid out a set of tests and procedures that agencies should implement before using facial recognition under Canadian law. The Commissioner specified that this guidance “should not be read as justifying, endorsing or approving the use of FR by police agencies” and opined that with no law directly addressing facial recognition, “the current legislative context for police use of FR [in Canada] is insufficient.” The Commissioner also warned law enforcement that “police agencies must be open to the possibility that, in a free and democratic society, a proposed FR system which has a substantial impact on privacy (such as via mass surveillance) may never be proportional to the benefits gained.”

The guidance recommends standards for privacy impact assessments, accuracy testing, data minimization, data security, transparency, and oversight to govern law enforcement use of facial recognition. However, the guidance fails to set technical limits for accuracy or clearly identify thresholds for what the Commissioner considers proper use of the technology. The document leaves police agencies, not communities, with the final decision in whether and how to deploy facial recognition.

EPIC provided comments on the Commissioner’s draft guidance. EPIC argued that the Commission should recommend a complete ban on law enforcement use of facial recognition, and that the draft guidance was not sufficiently detailed to prevent police misuse of facial recognition or allow for independent oversight. The finalized guidance implements several of EPIC’s recommendations, including a prescribed schedule for external compliance audits and a requirement that facial recognition companies be contractually prohibited from using probe images to build the company’s database or train its’ systems.