Daniel Therrien says new law must be explicit on how police use facial recognition
Current laws regulating the use of facial recognition software do not offer sufficient protection against the risks the technology creates,” Canada’s Privacy Commissioner said while appearing before Parliament’s Standing Committee on Access to Information, Privacy and Ethics.
“While all stakeholders agreed the law must be clarified, there was no consensus on the content of a new law,” Daniel Therrien said during a hearing held last week. “Legislators will have to decide how to reconcile various interests.”
The commissioner told the standing committee that facial recognition technology can “offer significant benefits to society if used responsibly.” However, he said, “it can also be extremely intrusive, enable widespread surveillance, provide biased results and erode human rights, including the right to participate freely, without surveillance, in democratic life.”
Therrien added that facial recognition is different from other technologies “in that it relies on biometrics, permanent characteristics that, contrary to a password, cannot be changed.” It also “greatly reduces personal autonomy, including the control individuals should have over their personal information.”
Therrien then elaborated on recommendations coming out of a consultation process that also included provincial and territorial privacy commissioners across Canada. The goal, he said, was to develop joint guidance for police use of facial recognition, “to assist police in ensuring any use of the technology complies with the law, minimizes risks, and respects privacy rights.”
The recommendations for developing a legislative framework made by the privacy commissioners include:
- That the laws clearly and explicitly define the purposes for which police would be authorized to use facial recognition technology and prohibit other uses. Authorized purposes should be “compelling and proportionate” to the very high risks of the technology.
- Laws that require police use of facial recognition to be “both necessary and proportionate for any given deployment of the technology.”
- That police use of facial recognition should be subject to robust and independent oversight. “Oversight should include proactive engagement measures, program-level authorization or advanced notification before use, and powers to audit and make orders.”
- Appropriate privacy protections be put in place to mitigate risks to individuals, including measures that address accuracy, retention, and transparency.
The standing committee started studying facial recognition in 2021, as it became clear that agencies such as the RCMP, the Ontario Provincial Police and the Toronto Police Service had been using software from Clearview AI.
Therrien, along with several provincial commissioners, said they felt Clearview AI was breaking privacy laws, and the commissioners ordered the company to remove the images of Canadians from the database.
Clearview had created a database of more than three billion images without user consent and then allowed customers, including the RCMP, to match photos against the database. The company no longer offers its services in Canada.
At the hearing, Therrien said he has no reason to believe that the RCMP is still using facial recognition for mass surveillance. “But the definition of the circumstances of the use of facial recognition seems a little murky and ambiguous,” he told committee members.
“That’s why we are sending out the documents, and that is why we believe that law enforcement should have to comply with specific legislation that would prohibit the use of facial recognition in certain circumstances.”
At a separate ethics committee meeting last week, Paul Boudreau, the RCMP’s acting deputy commissioner of specialized policing services, acknowledged that facial-recognition technology needs some constraints: “There are gaps in these technologies that we must assess and make sure they’re used, they’re used properly, especially from my perspective, from a law-enforcement perspective.”
But the RCMP disagreed with the privacy commissioners’ findings. Asked whether the RCMP’s reasons for disagreeing had merit, Therrien said, “I’ll give a lawyerly answer.”
The provision at play is the provision of the Privacy Act that governs the collection of information by the RCMP, he explained. “What the RCMP is saying is that section four of the Privacy Act does not explicitly require a government institution such as the RCMP to ensure the legality of the practices of its commercial partner, before the public sector uses the information.”
Therrien said that while it is true that this section doesn’t explicitly require that a federal institution ensure the legality of the commercial partner’s practices, “we think that that requirement exists implicitly.”
He added if the RCMP’s position were correct, that would let police contract out to third parties what it could not do directly. “That is unacceptable. We think the law does not allow for that.”
He told the committee that to the extent that the law is ambiguous, “I would encourage you strongly to close that loophole,” he said,” not just for police but all government institutions.