Information & Ethics Committee on May 2nd, 2022

Good morning, Mr. Chair.

Thank you for inviting me here today and for undertaking this important work on facial recognition.

Like all technologies, FRT can, if used responsibly, offer significant benefits to society. However, it can also be extremely intrusive, enable widespread surveillance, provide biased results and erode human rights, including the right to participate freely, without surveillance, in democratic life. It is different from other technologies in that it relies on biometrics, permanent characteristics that, contrary to a password, cannot be changed. It greatly reduces personal autonomy, including the control individuals should have over their personal information. Its use encompasses the public and the private sectors, sometimes for compelling purposes like the investigation of serious crimes or proving one's identity, sometimes for convenience.

The scope of your study is vast. In the time I have available, I will focus on the use of FRT in a law enforcement context. When we last spoke, my office had completed its investigation into Clearview AI, a private sector platform that we and our colleagues in Quebec, B.C. and Alberta found was involved in mass surveillance.

Since then, my office has examined the RCMP's use of Clearview AI's technology. We found that the RCMP did not take measures to verify the legality of Clearview AI's collection of personal information, and lacked any system to ensure that new technologies were deployed lawfully. Ultimately, we determined the RCMP's use of Clearview AI to be unlawful, since it relied on the illegal collection and use of facial images by its business partner.

Building on these findings, we worked with fellow privacy commissioners across Canada to develop joint guidance for police use of facial recognition. This guidance is meant to assist police in ensuring that any use of the technology complies with the law, minimizes risks and respects privacy rights. We are releasing the final version of the guidance today.

As part of this work, we launched a national public consultation on police use of facial recognition technology. During this consultation, we heard consistently that the current laws regulating the use of facial recognition did not offer sufficient protection against the risks associated with the technology. While all stakeholders we consulted agreed that the law must be clarified, there was no consensus on the content of a new law. Legislators will therefore have to decide how to reconcile various interests.

Following this consultation, fellow provincial and territorial privacy commissioners and I believe that the preferred approach should be to adopt a legislative framework based on four key elements, which we have outlined in a joint statement we're issuing today.

First, we recommend that the law clearly and explicitly define the purposes for which police would be authorized to use facial recognition technology and that it prohibit other uses. Authorized purposes should be compelling and proportionate to the very high risks of the technology.

Second, since it is not realistic for the law to anticipate all circumstances, it is important, in addition to limitations on authorized purposes, that the law also require police use of facial recognition to be both necessary and proportionate for any given deployment of the technology.

Third, we recommend that police use of facial recognition should be subject to strong, independent oversight. Oversight should include proactive engagement measures such as privacy impact assessments, or PIAs; program level authorization or advance notification before use; and powers to audit and make orders.

Finally, we recommend that appropriate privacy protections be put in place to mitigate risks to individuals, including measures addressing accuracy, retention and transparency in facial recognition initiatives.

I encourage you to consider our recommendations as you complete your study of this important issue.

Thank you for the opportunity to appear before you today; I look forward to your questions.

I will be pleased to answer your questions following my colleagues' statements.

Good morning.

Thank you for inviting me to speak today.

Joining me is Vance Lockton, senior policy and technology analyst with my office.

I would like to build on the remarks you've just heard from Commissioner Therrien. While all of Canada's Privacy Commissioners recommend the adoption of a comprehensive statutory framework to address the use of facial recognition technology in the criminal law context, we also recognize that some police agencies are already using, or considering using, facial recognition technologies. As such, we have issued guidelines to help guide law enforcement agencies and mitigate against potential harms until a new statutory framework is put in place, as my colleague Mr. Therrien described it.

I would like to emphasize five key elements of the guidelines.

First, before using facial recognition for any purpose, police agencies must establish that they are lawfully authorized to do so. This is not a given, and cannot be assumed. Facial recognition relies on the use of sensitive biometric information. Police should seek legal advice to confirm they have lawful authority either at common law or under statutes specific to their jurisdiction. They must also ensure they are Charter-compliant and their purported use is necessary and proportionate in the circumstances of a given case.

Second, police agencies must establish strong accountability measures. This includes designing for privacy at every stage of a facial recognition initiative and conducting a privacy impact assessment, or PIA, to assess and mitigate risks in advance of implementation.

It also involves putting in place a robust privacy management program, with clearly documented policies and procedures for limiting the purposes of facial recognition, robust systems for logging all related uses and disclosures, and clearly designated roles and responsibilities for monitoring and overseeing compliance.

Such a program must be annually reviewed for its continued effectiveness. It must be supported by appropriate training and education, and ensure that any third party service providers also comply with all related privacy obligations.

Third, police agencies must ensure the quality and accuracy of personal information used as part of a facial recognition system to avoid false positives, reduce potential bias and prevent harms to individuals and groups. Ensuring accuracy involves conducting internal and external testing of the FR system for any potentially discriminatory impacts, as well as building in human review to mitigate risks associated with automated decisions that may have a significant impact on individuals.

Fourth, police agencies should not retain personal information for longer than necessary. This means destroying probe images that don't register a match and removing face prints from the database as soon as they no longer meet the proper criteria for inclusion.

Fifth, policy agencies must address transparency and public engagement. Direct notice about the use of facial recognition may not always be possible in the context of a specific police investigation. However, transparency at the program level is certainly possible, and could include publishing the agency's formal policies on the use of facial recognition, a plain language explanation of their program and a summary of their PIA,.

Any communication with the public should be two-way. Key stakeholders, particularly representatives of over-policed groups, should be consulted in the very design of the facial recognition program. Given the special importance of reconciliation in Canada, this must include input from local indigenous groups and communities.

These are a few of the measures set out in the guidance.

To reiterate, although we believe these guidelines represent important risk mitigation measures, ultimately we recommend the establishment of a comprehensive statutory regime governing the use of facial recognition by police in Canada. Clear guardrails with force of law are necessary to ensure that police agencies can confidently make appropriate use of this technology, grounded in a transparent framework, accountable to the people they serve and capable of earning the public's enduring trust.

Thank you.

Thank you, Mr. Chair.

Good morning and thank you for this invitation to discuss facial recognition.

Building on my colleagues' remarks, I would briefly like to address the problems raised by other uses of this technology and to outline what is provided under Quebec legislation. As several speakers have mentioned, the increasingly widespread use of facial recognition in various contexts raises significant problems, particularly with respect to privacy.

This technology, which combines biometrics with artificial intelligence, among other things, is particularly invasive, partly because it scans unique body characteristics and transforms them into data. Those characteristics, such as certain facial traits, are central to our identity. The fact that this technology can be used without our knowledge means we have less control over our information and are at greater risk of undue surveillance. Some proposed uses of facial recognition and derivative technologies infer from our face or facial expressions personal characteristics such as age, sex, ethnic origin, emotions, degree of attention, fatigue or stress, health information and certain personality traits. These characteristics may be used to categorize, detect or profile individuals for commercial purposes to conduct some form of surveillance or to make decisions concerning them.

The creation of biometric databases also raises significant privacy risks. It is difficult for a person whose biometric data have been compromised to challenge an inadvertent action or transaction or identity fraud given the high degree of reliability that unique and permanent information is assumed to have. Since it is virtually impossible to replace compromised biometrics, it can be just as complicated to re‑establish one's identity.

There is also considerable risk that biometric databases created for one specific purpose may be used for other purposes without our knowledge or an adequate assessment of the problems and risks associated with those other purposes. This is why the creation of these banks and the use of biometrics for identification purposes are governed in Quebec by the Act to establish a legal framework for information technology, as well as privacy statutes applicable to public and private organizations. The creation of every biometric database must thus be reported to the commission. Starting next September, reporting will also be required for every instance in which biometrics are used for identification purposes.

In Quebec, biometrics may not be used for identification purposes without the express consent of the person concerned. No biometric characteristic may be recorded without that person's knowledge. Only a minimum number of biometric characteristics may be recorded and used. Any other information that may be discovered based on those characteristics may not be used or preserved. Lastly, biometric information and any note concerning that information must be destroyed when the purpose of the verification or confirmation of identity has been achieved. The commission has broad authority and may make any order respecting biometric banks, including authority to suspend or prohibit their bringing into service or order their destruction. General privacy protection rules also apply in addition to these specific provisions. That means, for example, that the use of facial recognition must be necessary and proportionate to the objective pursued.

We have observed that organizations unfortunately do not attach all the importance they should to this compliance evaluation or the problems associated with the use of facial recognition. The popularity of biometrics has led to a kind of trivialization of its impact on citizens, which is why the commission recommends that a preliminary analysis be conducted of privacy-related factors. That evaluation will in fact be mandatory as of September 2023. Biometric information will also be expressly designated as sensitive personal information. Although the current regulation of biometrics in Quebec has given the commission an idea of the extent of facial recognition use and grants it enforcement powers, we have requested that regulation be enhanced to reflect developments in the technology and the various contexts in which it is used.

Thank you for your attention. I will be pleased to discuss these matters with you over the next few minutes.

Sure.

When we issued our investigative report on the RCMP's use of Clearview last June in a special report to Parliament, we started at the same time a consultation with stakeholders who were interested in speaking to draft guidance that we had published at the same time. That led to about 30 groups or individuals writing to us, and we also had meetings with a number of stakeholders.

The stakeholders represented civil society, minority groups and the police itself. I met a number of times with the RCMP and with the Canadian Association of Chiefs of Police, and my colleagues also met with provincial equivalents. There was a broad range of people who were consulted. Views were varied, obviously, because the interests were different, but all agreed that the law is insufficient as it is. Depending on the interests of various stakeholders, they did not agree necessarily on the content of that law.

I would start first with where there was agreement beyond the need for the law to be changed.

Many people felt that the guidance was drafted or crafted at a level of generality such that the advice is helpful, but they would like it at the very least to be supplemented by advice on what was called “use cases”. Our reaction to that is that indeed there is a need for advice on particular uses in different contexts, because context matters a whole lot, but we still think it's important and relevant to have general guidance that can be be augmented as use cases are developed.

Some stakeholders from civil society or minority groups called for a moratorium on the use of facial recognition. The RCMP obviously did not agree with that. Our position as commissioners is that there should be clear laws prescribing when facial recognition can be used, because it can be used for legitimate, helpful purposes and social good in some circumstances—for instance, in serious crime situations or to find missing children—but these uses should be defined quite narrowly. The law should also prescribe prohibited uses, which would be, I guess, a partial ban or a partial moratorium on the use of facial recognition.

If I may, on the question of a moratorium, we as data protection authorities cannot impose a moratorium that has the force of law. For a moratorium to be binding on police agencies, it would have to take the form of legislation.

I was struck by the testimony that you heard last week from an RCMP representative, to the effect that “The RCMP believes that the use of facial recognition must be targeted, time-limited and subject to verification by trained experts.”

Sure.

I think the common factor that applies horizontally to all stakeholders who would like to use facial recognition is the principle of necessity and proportionality that my two colleagues mentioned. That applies to all stakeholders: police services, businesses and other departments and governments.

In police services, however, the use of facial recognition can have extremely serious consequences, resulting even in the loss of freedom. I would say that many common principles should be considered. All stakeholders, including legislators, had to consider the context and consequences of the use of this technology. For example, a total prohibition of its use by police services in certain circumstances might not necessarily apply to all stakeholders.

Thank you for your question.

As my colleague said, the principles should definitely apply, regardless of the sector concerned, obviously considering the context and range of risks at play. I would note that Ontario doesn't have a privacy act that applies to the private sector. However, my office very much agrees with the idea the government has proposed of one day passing one.

In privacy matters, most businesses are subject to federal legislation. However, that leaves a vacuum in many areas in Ontario. In many sectors, there is no legislation protecting the privacy of employees in the vast majority of businesses. So that's a major deficiency. I think it's important that the basic principles we advance in our guidelines apply and that we proceed with the necessary adjustments for other contexts. Our guidelines are specifically designed for the law enforcement sector and police services.

Thank you for your question.

The Quebec act is definitely a start, but we've previously submitted recommendations for improving it to Quebec parliamentarians. For example, the framework currently establishes obligations only where biometrics and facial recognition are used to verify identity. However, based on the reports we receive from biometric databases, the technology is also being used for other purposes. I mentioned that in my presentation. Consequently, the first recommendation would be to ensure—

When surveillance is carried out by police services or private companies, they collect information about people's activities or characteristics in order to make certain decisions about them.

The question is whether it's done with people's consent or in accordance with legislation that protects the rights of citizens who are exercising these rights. That, in my opinion, is the key. Consumers, vis‑à‑vis companies, and citizens vis‑à‑vis the state, should be able to exercise their right to use social media, communicate and take part in demonstrations, without being subjected to mass surveillance, except in extremely limited circumstances.

Yes.

On a number of occasions, you were told about a moratorium, whether desirable or otherwise, that was going to be applied until an enhanced act was adopted. It's clear to me that a moratorium applicable to police services should be provided for in a law. However, I found it interesting last week when the RCMP representative raised a number of principles governing the use of facial recognition by the RCMP. That's in the English version I'm looking at.

He said it should be “targeted, time-limited and subject to verification by trained experts. Further, [it] should not be used to confirm an identity, but rather only be considered as an investigational aid”.

The matter of verification by someone was raised.

You could ask the RCMP to commit to using facial recognition only in accordance with the principles stated by its representative last week. I feel that would be the best way of handling a moratorium while awaiting the enhanced act.

Yes.

Thank you for your question.

As you know, Quebec's access to information commission was involved in the joint investigation, with its counterparts from the federal government, Alberta and British Columbia. After that, we issued an order under our own provincial authority. Our decision was appealed, which is possible in Quebec, and it is currently before the courts.

We would be happy to send you our decision, which explains our position and is up on our website. Unfortunately, as the matter is before the courts, I will refrain from making any comments out of respect for the judicial process.

To summarize the decision as a whole, there is the commission's authority to issue the order, since it's an American firm, and also all our legal conclusions pertaining to compliance with Quebec's act.

I'm going to return to what I heard last week. The RCMP says that it is not doing mass surveillance. I have no reason to doubt this. The RCMP could demonstrate that it is using facial recognition for compelling reasons by committing to using it only for such purposes. I noted last week that the RCMP representative wasn't particularly clear as to whether or not the RCMP is using facial recognition.

At best, I would say that I have no reason to believe the RCMP is using facial recognition for mass surveillance. On the other hand, their definition of the circumstances under which they use it seems rather ambiguous. That, moreover, is why we are sending the guidance document and are recommending that police forces be subject to a clear act that authorizes facial recognition, but also prohibits its use in certain circumstances.

Thank you for that.

While the RCMP disagreed with our conclusion at law that the RCMP itself was breaching the public sector law by relying on Clearview, they did co-operate significantly with us in recognizing that they should have a better verification system when they use new technologies, be it facial recognition or other new technologies.

We have, I think, agreement with the RCMP that they ought to have these verification systems, and we have had good discussions with them since June of last year. I do not think they will be able to implement all of these recommendations within a year, but we're making good progress.

They have not yet, and they are unlikely to meet the 12-month deadline, but we are making good progress, and I see a genuine effort on their part.

It is a relatively complex issue, but we obviously would like to see this implemented as soon as possible.

This language refers back to the absence, at that time, of any system at the RCMP to ensure that when new technology is used by its officers, there is a verification and approval process within the RCMP to ensure that the technology respects the law, including privacy rights.

This was far from ideal, to say the least, but the RCMP has recognized the problem and is setting up such a system. It will take a bit more time than we had hoped, but I think it's going in the right direction.

The RCMP has set up a system. It's the implementation of the details of the system—for instance, the training to be given to officers—that is taking more time to define than we had hoped.

I would suggest that you ask the RCMP how long it's going to take. We have asked them ourselves, obviously. I can report on what the RCMP has told us. I can undertake to do that, so I will do that.

Yes.

None.

Clearview stopped offering its services in Canada in 2020, I believe, while we were still investigating, but it is in court challenging the decisions of my colleagues, I believe because they do not want to give an undertaking in perpetuity that they will not offer their services. At this point, they are not offering their services in Canada.

I'll give a lawyerly answer, which I think will be clear.

The provision at play is the provision of the Privacy Act that governs the collection of information, in this case by the RCMP. What the RCMP is saying is that this section, section 4 of the Privacy Act, does not explicitly require a federal institution such as the RCMP to ensure the legality of the practices of its commercial partner before the public sector uses the information.

It is true that section 4 does not explicitly require that of a federal institution; we think that the requirement exists implicitly. Essentially, imagine that federal institutions would be able to contract out and be able, through contracting with the private sector, to engage in practices that it cannot engage in directly. That is unacceptable. We think the law does not allow for that.

That said, is it credible or is it reasonable? There is some credible basis for the RCMP's position. To the extent that there is ambiguity in the law, I would encourage you strongly to close that loophole and to require government institutions—not only the RCMP, but all government institutions—to ensure that what they're buying is lawful when they rely on the private sector.

The short answer is yes. We've recommended that many times. Yes.

No, I am not. We asked how many times they'd used it, and I believe it was in the tens of cases. As to the convictions, no, I do not know the number.

I think that's speculative. The RCMP says, which I have no reason to doubt, that when they use the technology, there's human review. That tells me that there's a police officer who then undertakes an investigation and presents evidence through a Crown attorney under the normal rules. That's my assumption, but I don't know that.

We're not aware of other FRT systems that the RCMP is using. There are, of course, many FRT systems other than Clearview, but they do not all have the same level of accuracy, which is a concern.

As far as the RCMP is concerned, we do not know that they are using a system other than Clearview. They are not currently using Clearview.

Unfortunately, I don't have insight into companies in Ontario, because that's not in our jurisdiction. I can't answer that question with any certainty.

Is that in general or in using facial recognition technology?

I'll give you a couple of examples.

Certainly police services are using images in mug shot databases pursuant to their powers under the Identification of Criminals Act. There is also obviously much video surveillance that is ongoing in terms of general, municipal and other collection of video surveillance. That too is fairly common and ongoing in terms of collection of video surveillance and therefore images of people.

That's a good question.

My starting point would be to say that we do have laws. Obviously, we have the charter and we have the common law, and there are some statutes like the RCMP Act that govern the situation. In the private sector, we have PIPEDA.

To your point about flexibility to ensure that the law does not become obsolete, one of the virtues of PIPEDA is that it is principles-based, so it does not seek to regulate particular situations but deals with principles. However, I think facial recognition is where we start to see the limits of the virtues of a principles-based approach, because if you regulate facial recognition by saying that the user ought to be accountable, or you apply principles of that nature or say that a necessary proportionality should apply, you leave a lot of discretion to the police to exercise these broad principles in a way that suits their interests.

I'm not saying there ought not to be principles-based legislation. As a general principle, it makes a lot of sense, but in the case of facial recognition, because of the extremely high risks to privacy and other rights, such as democratic rights of demonstrating or equality rights, we say that there ought to be specific provisions—for instance, in the case of the police—to prohibit uses except in certain circumstances.

A good grounding of principles-based legislation makes sense, but in the case of facial recognition it should include the addition of a few specific rules that ensure that the broad principles are not abused or not interpreted in an overly generous way.

As far as the police are concerned, I think those two examples would be the most important ones. As for “crime”, I would qualify that and say “serious crime”. I'm not sure that facial recognition should be used for common theft, for instance, given the risks of the use of facial recognition for privacy and other democratic rights, but it can certainly be acceptable for serious crimes, such as missing children, and for other compelling state purposes, such as in the border context to ensure that people of concern can be identified at the border while not impeding the flow of travellers to the country. To me, the necessity of identifying people of concern at the border in that context would be a compelling ground.

No.

In fact, I think that's one of the lessons we can learn from how the technology has been used in recent years. We have to put a stop to self-regulation by companies, and those in the surveillance field deserve particular attention. Generally speaking, elected representatives need to regulate the use of the technology. That's the main lesson to be drawn from the past few years.

It's clear that we are greatly concerned about Palantir's practices, but as we haven't investigated the company, I don't feel comfortable commenting about it.

No.

No.

As the authorities on protecting information, we believe that we will have a role to play in protecting personal data. However, facial recognition brings other rights into play, such as the right to equality in cases of discrimination against certain groups, and also democratic rights.

So we are not asking for a monopoly on facial recognition regulation, but I think that, as in other areas, it would be both possible and useful to have a number of regulatory organizations. In cases of discrimination, for example, it would be the Canadian Human Rights Commission or its provincial counterparts.

So we think we have a role to play in data protection, but other regulatory agencies should also have responsibilities.

The RCMP is saying that the Privacy Act does not explicitly require it to verify the legality of the practices of its private sector contractors. It is true that the Privacy Act does not explicitly say that. We are of the view that a correct interpretation of that law is that they do have that responsibility, and if there is any ambiguity in the law, I would strongly urge parliamentarians to close that loophole and make it clear, as I suggested a few minutes ago.

Exactly.

Clearview has stated to us that they have left the Canadian market. They are not offering their services at this point to anyone in Canada.

Today I, along with provincial and territorial commissioners, have made a number of recommendations to amend the law. I think it should be done urgently, because the risks are very important.

It starts with better laws. Until such time as laws are amended, we have issued guidance on how to use the current law, and we hope this guidance will mitigate risk.

No, but we should look at this as an institutional issue. I would tend to look at it through the eyes of the institution, rather than in terms of individuals.

We've made recommendations for the RCMP to improve its processes, but I'm not aware of any sanctions.

Personally, I am not. Perhaps some of my colleagues at the OPC are aware of it. We can provide information if we have any.

If we have information, we'll provide it.

Possibly. I haven't thought about the exact pieces of legislation that need to be amended.

As I responded in answering an earlier question from Ms. Hepfner, I think we need to start from a principles base, augmented with a few provisions to ensure that general principles cannot lead to overly generous interpretation. It means definitely PIPEDA and the Privacy Act, and potentially the Criminal Code.

There is a lot of authority in the common law for the use of various technologies. Potentially, the Criminal Code could be examined from the perspective of restricting some of these common law powers, but I haven't thought this through seriously.

It is conceivable that warrants may be required in some cases. When we recommend that legislation define “allowable” and “prohibited” uses, we have in mind categories of circumstances, such as serious crime, however parliamentarians may want to define it. It's that kind of thing. It's not a case-by-case authorization.

We come closer in our recommendations when we say that there should be “program-level authorization or advanced notification before use”. That's closer to Quebec legislation, whereby a police body would come to an independent regulator and say they want to use FRT in the following use case—not an individual circumstance, but a group of cases—which would then be discussed with the data protection authority and approved at the program level. That's closer to individual authorization.

It's not inconceivable that, in some cases, individual warrants would be issued by a judge for an individual case, but that's not our starting point.

Our starting point as commissioners—me and my provincial and territorial colleagues—is that the law should ultimately define “allowable” and “prohibited” circumstances for the use of FRT, facial recognition. That's because we are of the view that there are compelling circumstances in which that technology should be usable by police forces. I would not be in favour of a complete ban of the technology, because it does allow use in compelling circumstances.

In my reference to the RCMP, I was suggesting that short of the legislation we truly hope will be adopted in the not too distant future, if the RCMP were to undertake to use that technology only according to a policy—and the RCMP representative last week identified certain characteristics of that policy as being “targeted, time-limited”, etc.—that would be a voluntary partial moratorium, if I may use that expression.

With regard to a complete ban on facial recognition until a new law is adopted, I would not be in favour of such a ban.

Yes, the recommendations that we are making would apply to public spaces as well.

We're back to the question that I answered a few minutes ago.

Principles-based, technology-neutral legislation for the private sector makes sense as a starting point. The reason we're recommending that there be specific legislation for police forces has to do with the harms of that particular technology of facial recognition. It may well be that certain uses of the technology by private companies raise extremely high risks, not only to privacy but to other rights. Clearview is a good example. We call that mass surveillance.

Mr. Fergus referred to other circumstances. I agree that to denote emotions in order to sell a product, or for whatever other purpose, should not be allowed.

We will provide a few examples of good pieces of legislation. There's draft legislation in the European Union, not yet adopted, which is a good model. Obviously, it would have to be adapted. It says, among other things, that facial recognition should not be used to violate human rights That applies horizontally, whether to the state or to private companies. That is something that I think Canadian parliamentarians should seriously consider.

It is through principles-based legislation, augmented—when need be, given the context—by more specific legislation.

I will add this. I heard you ask certain witnesses at this committee if it's too late. It's never too late. Actually, the fact that certain practices are currently occurring should be no reason for you to prevent yourself from doing the right thing and regulating the technology in a way that respects the rights of Canadians.

We are living, not completely but in part, in a world of self-regulation that has led to certain unacceptable practices. It's not because they are routine or banal, as my colleague Diane Poitras would say, that they should continue to be authorized.

There's nothing unreal about it, and the legislation put forward in Europe, which I just mentioned, is designed to prohibit such practices, because they constitute a genuine risk already.

Can you give us a little more detail about terrorism? Are you talking about people who might want to enter the country by falsifying data?

It's not impossible. That gets us back to the idea of protections on the use of facial recognition. Extremely tight security is needed to prevent such risks.

That's a good question, because obtaining consent from people in the context of facial recognition is not always appropriate.

First of all, there is a power asymmetry, whether between the citizen and the state or the citizen and a major corporation, like the web giants.

Secondly, it's difficult to give informed consent, which is one of the essentials of consent. It's an extremely complex technology, and a citizen's ability to give informed consent is, in my view, very limited. The way to mitigate the consent issue consents is to legally authorize some uses, such as some of the recommendations made today. One could also prohibit certain forms of utilization, where it is believed that even with consent or authorization, its use would not be appropriate in a democratic society. I believe that if acceptable and unacceptable ways of using the data were to be set out in the legislation, it would be a step in the right direction.

Certainly all of our consultations with the Toronto Police Service, including the oversight board, tend to be highly constructive. I point specifically to our consultation, for instance, on body-worn cameras, which resulted in an overarching framework that has since been published.

With respect to the artificial intelligence framework they developed recently, and their policy, we were consulted. We made a number of recommendations, not all of which were adopted, and we continue to consult with them in the development of the procedures.

If I may, Mr. Chair, I would like to ask Vance Lockton. He did the analysis and compared our recommendations with the ultimate policy.

Thank you.

I wouldn't say there's anything important that wasn't adopted within the policy that can't be adopted within the procedures.

There was a lot of discussion about getting better definitions of risk levels or a better understanding of how some of the oversight was actually going to happen. We have accepted that it's understandable that this high-level policy may not have it, but it's going to be important to see in the procedures that implement that policy.

That's the issue we looked at in Clearview. If you're within a category or circumstance in which the police should be able to use facial recognition and rely on the technology of a private sector partner, we think the police should ensure the private sector partner has acted lawfully. To scrape social media data from the Internet regardless of the privacy settings of a consumer, for instance, would not be lawful. Even for a serious crime, that should not be possible.

I agree.

I would simply add that mass surveillance is the area that caused us the greatest concern on behalf of all federal, provincial and territorial commissioners. Whether it would be done by a third party private sector company on behalf of the police service or the police service itself, this is an area we've highlighted in particular as worrisome.

I don't have anything to add to what my two colleagues have said. Mass surveillance can indeed be carried out by police forces and private companies, in all sorts of ways, including digital surveillance, but that ought not to be the case.

I'm not aware of such a case, no.

I'm not aware of any either.

It will be a long time before we get to the point where there is jurisprudence under the charter. This was the concern we had, and it was the reason we were motivated to recommend the adoption of a legislative framework and, in the interim, the development of guidelines to help mitigate risks.

Regarding charter jurisprudence, it may take several years before we see the results.

I don't have any examples to give you.

I'll go back to one of your earlier questions.

If, in certain circumstances, warrants would be required to be issued by a court, then we're probably in a world where these amendments would be made through the Criminal Code. I haven't given a whole lot of thought to the overall instrument. It's important for the law to be adaptable, and therefore principles-based, and to determine allowable and prohibited uses. If you want to get into mechanics such as warrants, then perhaps the Criminal Code would be warranted.

To add to what my colleague Commissioner Kosseim was saying about the evolution of the law, which takes time, we currently have a patchwork of laws that govern facial recognition. We have the charter at the highest end. We have the common law. We have certain statutes, including privacy legislation, but we also have other laws. It's a complex web of laws.

We have not seen many examples of the use of the technology, but through the use of Clearview by the RCMP, we have seen that the use of the technology by police forces is sometimes questionable.

My point is that you have to act fairly quickly, because in the meantime, this patchwork of laws can be used in many ways.

We're back to the complexity of how to craft the law.

Let's say we're within the realm of a serious crime, which, according to our recommendations, would lead to the police being able to use facial recognition. The law cannot know of all individual cases, so there will have to be, as you say, a risk management assessment made by a police force.

What is the conversation with the oversight body, including privacy commissioners? I think it starts with a conversation before the program is put into place—a privacy impact assessment. How are you going to assess risk in a category of circumstances?

Then, if the police want to develop a program, we say that there should be program-level authorization. The police describe the program, which is, say, the protection of very important people in public spaces. That's the program. There's a discussion between the police and the Privacy Commissioner on that program. That's before the use of the technology. Once the technology is adopted and actually used, oversight should include the authority to investigate complaints and make orders as to the lawfulness of the use of the technology in a given case.

Thank you for the question.

Directly to your latter question, we do believe that a certain level of transparency is absolutely critical. We understand that transparency is not going to be possible with every specific use, but certainly it should exist at the programmatic level, including in privacy impact assessments—if not in their entirety, then at least as a summary of the privacy impact assessments.

To your earlier question about oversight, I think there are multiple ways of achieving that oversight short of a comprehensive legislative review. That includes the role of the boards that play an important oversight role, the data protection authority of that jurisdiction, including my office and my colleagues, and also the public. The Ontario Human Rights Commission, for instance, in my jurisdiction, played an important role in consultation with us and others in the development of a body-worn camera program that was adopted.

I think there's a multilateral consultation process that needs to take place in determining the spectrum of risks. I want to make a point that I think we've made several times, which is that there is a great spectrum of use cases, including administrative uses of facial recognition that may be on the acceptable side of the spectrum and may be adopted.

Thank you, Mr. Chair.

Once again, I think that the mechanisms can be tailored to the circumstances. There are different forms of facial recognition. There is facial recognition proper, whose purpose is to identify individuals. However, the term “facial recognition” is sometimes used to designate derivatives of the technology that can be used for corporate purposes, in shopping centres for example, where the goal is not to identify individuals, but rather their characteristics, like age, sex, time spent window shopping…

[Inaudible—Editor] and adapted to the context.

We don't have any intelligence on that.

I don't have any information on that.

The purpose of the legislation is to protect constitutional rights and human rights. So from that standpoint, the answer is yes, definitely. As to whether it's the best model, I'm not sure whether my colleagues would all agree with me, but I would say that it's a very good model.

Excuse me, but I didn't understand which model you were talking about.

Absolutely. It's a good model and we can certainly learn from it.

It's unanimous. We can certainly learn a lot from it and adapt it as required.

Facial recognition is a technology which, when used improperly, can very seriously violate basic rights. I've heard questions about the desirability of a flexible principles-based act. It's generally true, but in view of the consequences of facial recognition, I would strongly encourage you to go beyond principles and to provide specific provisions.

Nefarious by...?

I would go back to my general point. Yes, we have investigated the link between Facebook and Cambridge Analytica. We have studied the use by Cambridge Analytica of data, in some cases to try to influence political processes. There can be also other nefarious uses.

I think it's high time to stop looking at privacy as a technological issue for the very few and to look at the use of technology particularly when it collects personal information for the link of these technologies with fundamental rights, and to legislate accordingly.

The rules are too vague to give the necessary level of trust that citizens should have in the collection of information by many parties, including the public sector and the private sector. I think the government recognizes that there's a need to enhance trust.

At this point, people use technology because it's convenient. Frankly, there's no other way to live in modern times than to use technology, but people do it with not much trust, and it is high time for elected officials to regulate these various areas.