M. Imtiaz Karamat is an IP Osgoode Alumnus and Associate Lawyer at Deeth Williams Wall LLP. This article was originally posted on E-TIPS™ For Deeth Williams Wall LLP on November 16, 2022.

On October 28, 2022, the Office of the Privacy Commissioner of Canada (the OPC) announced that data protection authorities around the world endorsed resolutions on facial recognition technology (FRT) and cybersecurity at the 44th Global Privacy Assembly (GPA) in Istanbul, Türkiye.

The GPA is an international forum where data protection and privacy authorities from more than 130 countries meet to discuss privacy matters of interest and coordinate efforts on an international scale.  The theme of the public portion of the event was, “A matter of balance – Privacy in the era of rapid technological advancement”.

During the conference, the GPA members adopted a resolution on the use of personal information in FRT, which outlined a series of principles and expectations that they would promote to external stakeholders, assess the real-world application therein, and report back on. These principles require an organization to do the following:

1. Lawful basis:  have a lawful basis for collecting and using biometrics;
2. Reasonableness, necessity and proportionality: demonstrate the reasonableness, necessity, and proportionality of their use of FRT;
3. Protection of human rights: assess and protect against unlawful interference with privacy and other human rights;
4. Transparency: ensure that the use of FRT is transparent to affected individuals and groups;
5. Accountability: include clear and effective accountability mechanisms for the use of FRT; and
6. Data protection principles: ensure that FRT is used in a way that respects all data protection principles.

The GPA also saw the adoption of a resolution for international cooperation in improving cybersecurity regulation and understanding the harms that results from cyber incidents. As part of this resolution, the endorsing GPA members would take steps to understand the responsibilities of data protection authorities regarding cybersecurity, and explore possibilities for international cooperation amongst members to avoid duplication in investigations and other regulatory activities.