Editor's note: The IAPP is policy neutral. We publish contributed opinion pieces to enable our members to hear a broad spectrum of views in our domains.

I think privacy, artificial intelligence, cybersecurity, data governance and innovation do, and should continue to, all work together. On this point, there's a relatively new(ish) technology that is becoming increasingly popular in the day-to-day for a myriad of reasons: using biometrics to identify someone. I probably used it a hundred times, just today, to unlock my phone.

Fraudsters prey on stealing the identity of, or sufficiently impersonating, innocent people. This criminal activity can be made more difficult if organizations use more robust methods of authentication. Same goes for security. Access to physical premises or digital repositories is constantly being gained by criminals who are able to pretend to be someone who is authorized.

One way to curb this is to use biometrics for identification, authentication and access purposes.

This is certainly not new, nor is it a revelation. Many years ago, in the Personal Information Protection and Electronic Documents Act's infancy, TELUS Communications started using voiceprints to authenticate people who had access to sensitive data. Every authority and regulator agreed this was proper use of personal information.

So, it is with some dismay that I'm highlighting this week what I worry could be a troubling trend coming out of Quebec — that the regulator in that province may consider biometrics to be a bad thing for privacy.

The latest case, actually from last fall, resulted in a decision where an employer, a printing company, was using biometrics to grant access to its physical premises and was told this violated Quebec's Law 25. Consent of employees wasn't enough — the company didn't effectively make the case for necessity or proportionality. I would like to know what would, in practical terms, meet the thresholds. This case, combined with previous ones and with guidance from the regulator, suggests that the use of biometrics for authentication purposes is next to impossible for organizations in Quebec.

This, to me, sounds like privacy getting in the way of a good thing, which I find upsetting because, at least on the surface, it's decisions like these that can give privacy a bad rap.

I know the physical characteristics of our physical body can sometimes be extremely sensitive information. And, if not properly safeguarded and used, can also be quite dangerous in the hands of bad actors. But, if used responsibly, using biometrics properly can bring so many benefits that I think it's worth establishing a reasonable way forward.

So this is a call to our lawmakers and regulators to acknowledge that this technology has social — and privacy — benefits, and manageable risks. While it's true guardrails are needed — so maybe we can't scrape online images of Canadians to train AI facial recognition technology — I think we need to return to the more balanced way of thinking that was used in the TELUS voiceprint case.

Kris Klein, CIPP/C, CIPM, FIP, is the managing director for Canada for the IAPP.

This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter.