You know, consent can be very difficult, depending on the use case, particularly the scalability of facial recognition technology, but it should not be thrown out as a requirement just in and of itself. We need to include consent as a key requirement. We are talking about an immutable biometric data point on an individual. Having appropriate notice, with some ability for that individual to make decisions about how they share that information or how it's collected, is really critical. I don't want to suggest that consent should never be a consideration when you're talking about facial recognition technology. That's absolutely not true.
When we look at GDPR, we can certainly draw inspiration from the profiling requirements that I know Quebec has done in terms of looking at a right to recourse and a right to objection on automatic profiling solely by automatic means. That's one element that we should consider, but again, I very much encourage the committee to look at the EU's artificial intelligence act. It's not final, but there is some real inspiration that we can draw from there. The draft algorithmic accountability act out of the U.S. is worth looking at as well.