In the digital age, organizations are integrating biometric technology into their operations with increasing prevalence. While the use of these technologies offer significant benefits to society, they also bring forth major privacy risks. In Québec, there are two laws – the Act to establish a legal framework for information technology (the "Québec IT Act") and the Act respecting the protection of personal information in the private sector (the "Québec Privacy Act") – that govern the use of biometric information within the province.

The Québec Privacy Act applies to organizations using biometric information to the extent such information can, directly or indirectly, uniquely identify individuals. Organizations that use biometric systems (i.e., systems that use biometric characteristics or measurements to verify or confirm an individual's identity), or that create biometric databases, are also subject to the requirements found under the Québec IT Act.

The potentially simultaneous application of these two distinct laws, each with its own unique requirements, creates a particularly intricate legal framework for organizations to navigate. The Commission d'accès à l'information (the "CAI"), Québec's privacy commissioner, has published guidance (available in French only) to assist organizations in navigating the province's biometric legal framework.

To further assist you, we have developed a comparative flow chart outlining the requirements under the Québec Privacy Act and the Québec IT Act that may apply to organizations handling biometric information. This tool is designed to simplify the process of determining which legal requirements – including those concerning consent and notification – apply to your organization's biometric initiatives. It also outlines potential sanctions for non-compliance.

If you have additional questions regarding Québec's biometric legal framework, whether under the Québec IT Act or the Québec Privacy Act, please contact our Cyber Security and Data Protection Group.