Parliament should limit Canadian police use of facial recognition technology to closely defined circumstances such as serious crimes, the country’s federal, provincial, and territorial privacy commissioners said today.
Their statement was released as three commissioners testified this morning before Parliament’s privacy committee, which has been examining the use and impact of facial recognition.
The parliamentary hearings on facial recognition came after federal privacy commissioner Daniel Therrien and the privacy commissioners of British Columbia and Alberta found last year that the RCMP violated federal and provincial private-sector privacy laws by using the facial recognition solution from Clearview AI. Clearview’s use of scraped images of people from the internet without permission is unlawful under Canadian law, the commissioners found.
The RCMP disagrees with that report. Clearview AI has stopped offering its service in Canada. However, it is challenging the commissioners’ order that it stop the collection and use of Canadians’ data or delete images already collected.
The commissioners held a national consultation on the use of facial recognition last year after releasing the Clearview report. However, they said, there was no consensus among the public groups and police forces who participated.
As a result, the commissioners said today Parliament should either adopt a framework or pass a law based on four key elements:
- the law should clearly and explicitly define the purposes for which police would be authorized to use facial recognition technology, and prohibit other uses. Authorized purposes should be compelling and proportionate to the very high risks of the technology. Crime prevention isn’t a compelling reason;
- since it is not realistic for the law to anticipate all circumstances, it should also require police use of facial recognition to be both necessary and proportionate for any given deployment of the technology;
- use of facial recognition by local police forces should be subject to strong independent oversight. Oversight should include proactive engagement measures, program-level authorization or advanced notification before use, and powers to audit and make orders;
- appropriate privacy protections should be put in place to mitigate risks to individuals, including measures addressing accuracy, retention, and transparency in facial recognition initiatives.