Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

At this point in most of our lives, we use our biometric information for a multitude of purposes. Often, we don't think twice about it. I think I unlock my phone with my face or my fingerprint probably 100 times per day.

The technology, which when I was a teenager seemed to be the thing of sci-fi stories, has become ubiquitous. We use it all the time and dozens, if not hundreds, of the organizations we interact with use our biometrics all the time. Mind you, I'm still not able to access our apartment building via my eyeball or thumbprint, but I'd sure like to.

I was thinking about the ubiquitous nature of this data's use and the corresponding technology as I was reading the Office of the Privacy Commissioner of Canada's updated guidance on biometrics. It made me think of some of the lessons I was taught by my late friend and brilliant colleague at the University of Ottawa, Ian Kerr.

As technology advances and the various uses of our personal information become more and more commonplace, it's easy to slip into the mind frame that we don't have an expectation of privacy over these pieces of data. After all, we use them all the time and we trust hundreds of organizations to take care of them. But the OPC guidance reminded me that just because something is commonplace does not take away from the fact that it is sensitive, that we do have a strong privacy interest in it and that we want our laws to make sure that this information is used and protected properly.

Now, when it comes to being used properly, the OPC guidance relies on the four-part reasonableness test, which, I suppose, is only natural and is one of the better parts of what Canadian privacy law insists on.

That being said, after reading the fresh new guidance I'm still left with some unanswered questions. For example, you're meant to ask yourself if there is a less privacy-invasive way of accomplishing your purpose. Well, yes, my phone can revert to using a username and password to log in. But, all things considered, as a user, I'm glad I can unlock my phone more easily with my face or fingerprint — not only is it more convenient, but I believe it to be more secure as well.

I'm reminded of some case law out of Quebec where the regulator told employers that they cannot force employees to use biometrics to enter certain parts of their facility. Why? Because issuing a key card worked perfectly fine before and it should work just fine today, too. In other words, there is always a way to use less personal information to achieve a purpose. But, in my mind, these old ways that rely on less personal information are also more susceptible to abuse and security failures.

I'm glad my phone is unlocked by my fingerprint as opposed to a password, particularly with all the breaches out there that seem to involve usernames and passwords.

The whole proportionality aspect of the four-part test is intriguing and what I'm hoping for are some clear examples of what is and what is not considered appropriate in real and practical terms. We are all living in the gray areas, and if our lawmakers and regulators don't provide more certainty, then I think this lack of clarity can become a barrier to innovation that only the biggest risk-takers are willing to take on.

The OPC guidance actually includes a set for the private sector and another one for the public sector. Once you read it, let me know what you think, how you might apply it in practice, and if you think it's going to help you more easily navigate some of those gray zones.

Kris Klein, CIPP/C, CIPM, FIP, is the country leader, Canada, for the IAPP.

This article originally appeared in the Canada Dashboard Digest, a free weekly IAPP newsletter.