Parliament should limit Canadian police use of facial recognition technology to closely defined circumstances such as serious crimes, the country’s federal, provincial, and territorial privacy commissioners said today.
Their statement was released as three commissioners testified this morning before Parliament’s privacy committee, which has been examining the use and impact of facial recognition.
The parliamentary hearings on facial recognition came after federal privacy commissioner Daniel Therrien and the privacy commissioners of British Columbia and Alberta found last year that the RCMP violated federal and provincial private-sector privacy laws by using the facial recognition solution from Clearview AI. Clearview’s use of scraped images of people from the internet without permission is unlawful under Canadian law, the commissioners found.
The RCMP disagrees with that report. Clearview AI has stopped offering its service in Canada. However, it is challenging the commissioners’ order that it stop the collection and use of Canadians’ data or delete images already collected.
The commissioners held a national consultation on the use of facial recognition last year after releasing the Clearview report. However, they said, there was no consensus among the public groups and police forces who participated.
As a result, the commissioners said today Parliament should either adopt a framework or pass a law based on four key elements:
- the law should clearly and explicitly define the purposes for which police would be authorized to use facial recognition technology, and prohibit other uses. Authorized purposes should be compelling and proportionate to the very high risks of the technology. Crime prevention isn’t a compelling reason;
- since it is not realistic for the law to anticipate all circumstances, it should also require police use of facial recognition to be both necessary and proportionate for any given deployment of the technology;
- use of facial recognition by local police forces should be subject to strong independent oversight. Oversight should include proactive engagement measures, program-level authorization or advanced notification before use, and powers to audit and make orders;
- appropriate privacy protections should be put in place to mitigate risks to individuals, including measures addressing accuracy, retention, and transparency in facial recognition initiatives.
Appropriate limits on authorized uses should also include restrictions on the creation and use of databases of facial images in facial recognition initiatives, the commissioners said. If police in Canada are authorized to use any such databases, they added, the authorization should be clearly defined and narrow in scope, and it should require that the personal information within the database was collected lawfully.
The commissioners also said guidelines for the police use of facial recognition such as proportionality, accountability, assuring the quality and accuracy of biometric data gathered and not keeping personal information for any longer than necessary should also apply to companies as well.
Currently the use of facial recognition is bounded by the Charter of Rights, provincial and federal privacy legislation, and the common law. A new law wouldn’t necessarily mean an addition to the Criminal Code. There is a federal Identification of Criminals Act, which regulates how police agencies can collect, use, disclose and destroy fingerprints, and mugshots. Limitations on the use of facial recognition could be added to it.
Facial recognition “can be acceptable for serious crimes, missing children, other compelling state purposes — for example in a border context to ensure people of concern can be identified at the border while not impeding the flow of travelers,” Therrien testified today. But, he added, “I’m not sure facial recognition should be used for common theft, for instance, given the risks of use of the technology for privacy and other democratic rights.”
Therrien added that federal law or guidance is a matter of urgency. While he doesn’t believe there should be a complete ban on police use of the technology until a new law is passed, he would like to see the RCMP’s use of facial recognition limited in the meantime.
Therrien also said he was “struck” by the testimony last week of an RCMP official who said the force believes the use of facial recognition software “must be targeted, time-limited and subject to verification by trained experts.”
In his opening statement to the privacy committee this morning Therrien said that if used responsibly, facial recognition technology can offer significant benefits to society. “However,” he added, “it can also be extremely intrusive, enable widespread surveillance, provide biased results and erode human rights, including the right to participate freely, without surveillance, in democratic life.
“It is different from other technologies in that it relies on biometrics, permanent characteristics that, contrary to a password, cannot be changed. It greatly reduces personal autonomy, including the control individuals should have over their personal information.
“Its use encompasses the public and the private sectors, sometimes for compelling purposes like the investigation of serious crimes or proving one’s identity, sometimes for convenience.”
