On February 18, 2025, the Québec Commission d’accès à l’information (the CAI) issued a decision prohibiting Metro Inc. (Metro) from establishing a bank of biometric data for a pilot project aimed at preventing shoplifting and fraud.
Metro’s proposed bank of biometric data would be compiled from reference images of individuals captured on its stores’ video surveillance cameras during shoplifting or fraud incidents. As part of its pilot project, Metro would then compare, using a facial recognition algorithm, real-time images captured on video surveillance of customers entering and exiting its stores with the images already contained in its biometric database. If the algorithm found a positive match between an image of a current customer and an image of an individual who had previously been involved in a shoplifting or fraud incident, the manager of the store would be alerted.
Shortly after being notified by Metro of its intention to establish the above bank of biometric data, the CAI launched an investigation into whether Metro’s pilot project would comply with Québec law, particularly Québec’s Act to establish a legal framework for information technology (the Québec IT Act). Articles 44-45 of the Québec IT Act impose specific legal obligations on organizations processing biometric data, requiring them to obtain express consent from individuals before using their biometric data to verify or confirm their identity.
Metro argued that identifying an individual based on their biometric data, as it proposed to do in its pilot project, did not constitute “verification” or “confirmation” of the individual’s identity, and invited the CAI to adopt a strict interpretation of those terms under Article 44 of the Québec IT Act.
The CAI, however, rejected Metro’s interpretation, instead finding that Article 44 of the Québec IT Act should be given a broad and liberal interpretation to best achieve its primary objective of protecting personal information of a biometric nature. The CAI further found that Metro’s pilot project would involve “verification” of individuals’ identities, and that doing so without the express consent of the individuals involved both contravened the Québec IT Act and constituted an invasion of privacy.
As a result, the CAI’s order prohibits Metro from adopting the proposed bank of biometric data for the purpose of supporting its pilot project.
Summary By: Claire Bettio
E-TIPS® ISSUE
Disclaimer: This Newsletter is intended to provide readers with general information on legal developments in the areas of e-commerce, information technology and intellectual property. It is not intended to be a complete statement of the law, nor is it intended to provide legal advice. No person should act or rely upon the information contained in this newsletter without seeking legal advice.
E-TIPS is a registered trade-mark of Deeth Williams Wall LLP.
