Reprimand for Transcontinental Printing in Quebec highlights complexities of workplace biometrics as employers navigate compliance and employee rights
Biometric technologies are gaining traction in workplaces worldwide, with employers increasingly adopting tools like facial recognition, palm readers, fingerprint scanning, and eye tracking or iris scanners to enhance security, efficiency or safety.
However, these technologies also raise significant privacy concerns, particularly in jurisdictions with stringent regulations like Quebec.
A recent ruling by Quebec’s Commission d’accès à l’information (CAI) against Imprimeries Transcontinental serves as a critical case study for employers, underscoring the importance of balancing technological benefits with compliance and employee rights.
Growing adoption, rising questions
The number of businesses using biometrics for physical access control jumped from 30 percent two years ago to 39 percent, according to HID Global report in partnership with IFSEC Global based on a survey of over 1,200 security professionals worldwide.
“In emerging markets such as Africa, parts of Asia, and Latin America – where fingerprint recognition is already widespread — many companies are now moving towards facial recognition,” said Cristian Cotiga, vice president of product management of PACS.
Biometric technologies are becoming more prevalent across industries, says Carly Meredith, partner at DLA Piper in Montreal.
“There's all these cool, fashionable, new tools that are coming out on the market that could be very attractive to employers who say, ‘Hey, this is responding to needs we might have or efficiencies that we might want to achieve,' whether it be in terms of security or just making more processes efficient.”
It’s a trend that reflects the technology’s increasing availability, according to Antoine Guilmain, partner and co-leader of the National Cybersecurity and Data Protection Group at Gowling in Montreal.
“When we talk about biometrics, there’s always a sense that this is the future. But from what I’m seeing, it’s very much... happening at the moment.”
Reprimand for Transcontinental
The CAI ruling followed Transcontinental’s implementation of a biometric system that combined facial recognition with temperature checks during the COVID-19 pandemic in 2020. While temperature checks were discontinued in 2022, facial recognition continued to control access to company premises.
But in June 2024, the CAI concluded that the system violated privacy laws, emphasizing that biometric data collection must be both necessary and proportionate to its intended purpose.
The commission noted that less invasive measures, such as ID cards, could achieve the same goal without compromising privacy. As a result, Transcontinental was ordered to:
- cease biometric data collection
- deactivate the facial recognition system
- destroy existing biometric templates or codes generated from collected facial photographs.
What’s the purpose?
The decision reinforces the stipulation that employers need to be able to show why the particular nature of their business justifies the use of biometrics.
It’s about the notion of necessity or a reasonableness or appropriateness test, says Guilmain.
“If you want to deploy a biometric system, a process, you need to, essentially, demonstrate that the collection of data is necessary to meet a specific purpose,” he says. “This is where there's a lot of organizations that don't have sufficient documentation, [but] most of the time you will justify the necessity by precedence, potential stats or different, very concrete, tangible elements leading to justify the need to deploy a specific biometrics technology.”
Meredith emphasizes that employers must prove biometrics are necessary to address a “real and concrete problem… a live issue within the enterprise: “It can’t be something that’s just ‘Oh, this would be nice to have, or it would make it better.’”
Employers need to justify why they need biometrics, and what they hope to achieve, she says.
“Then you need to be considering: 'How come I need biometrics in order to achieve that purpose? How come I cannot achieve that same purpose through other means that perhaps present less of a privacy concern?'”
The Transcontinental decision also underscores the importance of continuously evaluating why you're using biometrics and whether it's still appropriate to be using the technology, says Meredith.
“As things develop, as things change within your business, you need to be consistently evaluating whether your collection practices regarding biometrics — but, really, all personal information — still reflects the realities of the business.”
Privacy intrusion and biometrics
Guilmain says that Quebec’s framework around biometrics is one of the most complex in the world, requiring employers to navigate overlapping laws and detailed requirements.
“There's not one law talking about biometrics in Quebec. You actually have two laws talking about biometric processing: one is the privacy act, and the other one is the IT act. So, it's not easy for an organization to essentially navigate these regimes, considering the complexity of this.”
Employers must also notify the privacy commissioner or CAI by filling out a form detailing their plans to use biometrics, he says: “This notification process is unique and unknown in the rest of Canada.”
A privacy impact assessment (PIA) is a vital tool for employers considering biometrics, says Guilmain.
“You essentially explain the data flows. Then you assess what are the risks in terms of consent, in terms of transparency, in terms of user expectations or employee expectations, and then you essentially outline some mitigations,” he says, adding this should be updated on an annual basis.
Guilmain adds that convenience or cost savings alone cannot justify biometric systems.
“You will need to demonstrate that you assessed other options that could be less intrusive, but they are not meeting the purpose you are essentially seeking,” he says.
“You need to have documentation demonstrating why biometric is the best, most proportional… solution.”
Meredith emphasizes that employers must explore less intrusive alternatives before adopting biometric solutions.
“Even though there might be some inconvenience doing it another way, [it’s about considering] does the privacy concern outweigh that minor inconvenience?” she says. “Can you achieve the same objective using another way that might cause you a little bit more of a headache in terms of administering but you've ensured that the personal information of those individuals is receiving greater protections than what it would if you instituted biometrics?”
Employee consent and biometrics
In Quebec, deploying biometric systems also requires employers to obtain explicit employee consent.
However, Meredith notes that this alone is insufficient: “Just because you’ve gotten consent, that’s not going to override your obligation as an enterprise to show that you had the right to collect that information in the first place.”
Given the power imbalance, employees might feel they have to consent or else face consequences from the employer, she says.
“That's also why there's that added protection of we always leave the burden on the employer to show why it was justified. “
Meredith emphasizes the importance of clear policies and communication when it comes to explaining the use of biometrics to your workforce.
“Transparency is very important. So, what are the purposes for which you’re collecting the data? What are you doing with it? What are employees’ rights with respect to that?”
Staying on top of biometric vendors
Most employers rely on third-party providers for biometric technologies. Meredith warns that employers must carefully review agreements with biometric vendors.
“If you haven't read that fine print, and you don't have a really thorough understanding of what's being done with the data, then you risk that you've engaged in an over collection of personal information or have — perhaps without the authorization of the individual — communicated information to third parties for other purposes. And so you want to be very careful about that.”
Employers should ensure contractual protections are in place to restrict data use. Guilmain stresses that outsourcing does not absolve employers of responsibility.
“As an employer, even though you are using a third party in providing the biometric tool, you will still remain responsible for ensuring that you have proper consent, and this is necessary for specific data processing activity.”
In addition, many service providers are evolving their technology, says Meredith, so you want to review their agreements from time to time “to make sure that they haven’t introduced these new functionalities that might be putting you offside of the legislation.”
