AI Regulation Tracker / Enforcement and orders
BC Privacy Commissioner Orders Richmond to Remove an AI-Capable Public-Safety Camera System
On January 14, 2026, British Columbia's Information and Privacy Commissioner (OIPC) issued Order F26-01, requiring the City of Richmond to remove and delete an AI-capable public-safety camera system (ALPR plus facial-recognition-capable, though the City says facial recognition was not run in the field test). The OIPC found the City lacked FIPPA collection authority and ordered removal and deletion. The order is binding. The City complied but has petitioned the BC Supreme Court to quash it, filing on February 11, 2026.
Here is what happened, in order. In July 2024 the City of Richmond submitted a Privacy Impact Assessment to the OIPC for a field test of its Public Safety Camera System. The system uses multiple ultra-high-definition cameras to collect video of individuals, licence plates, and vehicle features, with the footage intended for the RCMP to help identify criminal suspects. The cameras were capable of licence plate recognition, person and vehicle detection, and facial recognition, though the City said it did not run facial recognition or built-in audio during the field test.
The OIPC told the City up front that it did not believe FIPPA would authorize this collection. The City disagreed and switched the system on at the intersection of Minoru Boulevard and Granville Avenue in February 2025. The OIPC then opened an investigation, and in January 2026 it published its report and issued Order F26-01.
The finding is about authority, not technology
This is the part that matters most, and it is the part most people skip past because the cameras are the eye-catching detail. The Commissioner did not rule that the technology was too advanced or too accurate or too creepy in the abstract. He ruled that Richmond had no legal authority to collect the personal information at all.
Under FIPPA, a public body in BC can only collect personal information in specific circumstances the statute lays out. The City argued its collection fit within law enforcement and within its own programs and activities. The Commissioner rejected both. On law enforcement, he found it is not enough for a public body to be interested in fighting crime. The body needs an actual statutory mandate to enforce criminal law, and in Richmond that mandate sits with the RCMP, which provides policing independently. The City is not a police force, so it cannot collect this information for policing purposes.
In the Commissioner's words: "The assessment of whether these conditions are met has to start with whether the organization actually has the legal authority to collect the personal information. My conclusion is that the City of Richmond does not have that authority." That is the whole case in two sentences. Necessity and proportionality only come into play once authority exists, and here it did not.
Where the AI capability enters the analysis
The automated and biometric features are not a side detail. They are why a regulator treated a set of traffic-adjacent cameras as a serious privacy intrusion rather than routine street monitoring. Plate recognition, person and vehicle detection, and facial-recognition capability turn passive video into a system that can identify and track. The Commissioner flagged the risk directly.
He wrote that "advanced features, such as facial recognition technology, go over and above what is considered reasonable in the context and raise the potential for scope creep, where technology installed for one purpose is later used for other purposes." That is the classic problem with capable hardware. Even if the City did not switch on facial recognition during the field test, the capability sits there, and a future administration can enable it without buying anything new. The report went a step further and recommended that the BC government amend its laws to regulate technologies that capture biometric information, which tells you the Commissioner sees the current statutory gaps as a live policy problem, not just a Richmond problem.
What the order actually requires
The investigation report made three recommendations to the City: stop collecting personal information through the system, delete all recordings to date, and disband the equipment used to collect that information. When the City said it did not intend to follow those recommendations, the Commissioner converted them into a binding instrument, Order F26-01, ordering immediate compliance.
The City did remove the cameras and discontinue the pilot. It also went to court. On February 11, 2026, Richmond filed a petition in the BC Supreme Court asking that the order be quashed and that the court declare its collection is in fact authorized under FIPPA. So the order is in force and was followed, but the underlying legal question is now in front of a judge. If you are watching this as a governance benchmark, watch the judicial review, because that is where the authority test for public-sector AI surveillance in BC will get tested on appeal.
Why this reaches US practice
The FRC in the UK and the OIPC in BC are not US regulators, and Order F26-01 does not bind anyone in the United States. The reason it belongs on your radar is structural, and it runs two ways.
First, if you are a US company selling AI-enabled or biometric-capable surveillance, plate recognition, or video analytics, and your buyers include Canadian municipalities, provinces, or other public bodies, this order is a map of how those deals can unravel. A polished Privacy Impact Assessment did not save Richmond. The regulator started with the threshold question of whether the public body had statutory authority to collect at all, and the answer sank the project regardless of how the technology performed. Build that authority question into your sales and deployment process, because your public-body customer carries the legal exposure and will pull the plug, delete the data, and, as here, may end up in court.
Second, US public agencies contracting for the same class of system face the same first question under their own law. The specific statute differs, but the discipline is identical. Does the agency have legal authority to collect this personal information for this purpose? Is the collection necessary and proportional to a real problem the project actually solves? Can the agency show its work? Richmond is a clean, well-documented example of a serious regulator answering the authority question first and everything else second, which makes it a useful comparative benchmark for US counsel, procurement leaders, and public-sector executives evaluating surveillance and analytics buys.
What to do now
If you sell to or sit inside a public body, put the authority question ahead of the technology question. Confirm the specific statutory basis for collecting the personal information before you scope the system, not after you have installed it. Treat capability as risk: hardware that can run facial recognition or biometric matching invites scope creep and regulator attention even when you leave those features off, so document why the capability exists and how it is disabled and governed. Keep necessity and proportionality on paper, tied to a real, specific problem. And if you are a vendor, do not let a client's enthusiasm carry you past the threshold question, because when a regulator orders removal and deletion, the project and the data are gone, not paused.
Questions professionals are asking
Is Order F26-01 binding, or just guidance?
It is binding. The OIPC investigation report first made recommendations to the City. When the City said it would not follow them, Commissioner Harvey issued Order F26-01 ordering the City to comply immediately. The City removed the cameras but has filed a BC Supreme Court petition to quash the order, so the legal question is under judicial review even though the order remains in force.
Was the camera system stopped because of facial recognition?
No. The system was facial-recognition capable, and the Commissioner flagged that capability as a scope-creep risk, but the City said it did not run facial recognition during the field test. The order rests on a more basic finding: under FIPPA, the City had no legal authority to collect the personal information for law enforcement, because it has no statutory mandate to enforce criminal law. That is the RCMP's role.
Does this order affect anyone in the United States?
Not as law. FIPPA and Order F26-01 govern a BC public body only. For US readers it is a comparative benchmark. US public agencies deploying AI-enabled or biometric surveillance face the same threshold question under their own statutes, and US vendors selling to Canadian public bodies should treat the buyer's collection authority as a deal risk.
What exactly was the City ordered to do?
Stop collecting personal information through the Public Safety Camera System, delete all recordings collected to date, and disband the equipment used to collect that information. The report also recommended that the BC government amend its laws to regulate technologies that capture biometric information.
What is the practical lesson for public-sector AI procurement?
Confirm statutory authority to collect the personal information before scoping or installing the system, then address necessity and proportionality. A detailed Privacy Impact Assessment did not save Richmond, because the regulator started with authority and found none. Capable hardware, such as anything facial-recognition ready, draws regulator attention even when those features are off.
RELATED BRIEFINGS
Browse the full AI Regulation News tracker
Informational analysis for working professionals, not legal advice. Confirm how any order, statute, or requirement applies to your situation with qualified professionals in the relevant jurisdiction.