Biometrics and compliance: Navigating Québec's Legal Framework

3 minute read
23 January 2024

In the digital age, organizations are integrating biometric technology into their operations with increasing prevalence. While the use of these technologies offer significant benefits to society, they also bring forth major privacy risks. In Québec, there are two laws – the Act to establish a legal framework for information technology (the "Québec IT Act") and the Act respecting the protection of personal information in the private sector (the "Québec Privacy Act") – that govern the use of biometric information within the province.

The Québec Privacy Act applies to organizations using biometric information to the extent such information can, directly or indirectly, uniquely identify individuals. Organizations that use biometric systems (i.e., systems that use biometric characteristics or measurements to verify or confirm an individual's identity), or that create biometric databases, are also subject to the requirements found under the Québec IT Act.

The potentially simultaneous application of these two distinct laws, each with its own unique requirements, creates a particularly intricate legal framework for organizations to navigate. The Commission d'accès à l'information (the "CAI"), Québec's privacy commissioner, has published guidance (available in French only) to assist organizations in navigating the province's biometric legal framework.

To further assist you, we have developed a comparative flow chart outlining the requirements under the Québec Privacy Act and the Québec IT Act that may apply to organizations handling biometric information. This tool is designed to simplify the process of determining which legal requirements – including those concerning consent and notification – apply to your organization's biometric initiatives. It also outlines potential sanctions for non-compliance.

If you have additional questions regarding Québec's biometric legal framework, whether under the Québec IT Act or the Québec Privacy Act, please contact our Cyber Security and Data Protection Group.

Download flow chart

NOT LEGAL ADVICE. Information made available on this website in any form is for information purposes only. It is not, and should not be taken as, legal advice. You should not rely on, or take or fail to take any action based upon this information. Never disregard professional legal advice or delay in seeking legal advice because of something you have read on this website. Gowling WLG professionals will be pleased to discuss resolutions to specific legal concerns you may have.