6 May 2020
Facial recognition technology has been widely implemented in contemporary China and has become an integral part of people's daily life. As well as being used for public interest (eg police surveillance systems and traffic controls) and for private purposes (eg mobile functions, payment solutions, and home security), many companies and organisations are also using facial recognition to improve their customer experience and increase business efficiencies.
The rapid development and wide commercialisation of facial recognition technology has raised many concerns around personal data and privacy protection. Some recent cases, such as the controversial face changing app Zao, the Hangzhou wild animal zoo case, and the China Pharmaceutical University case, put this topic further under the spotlight. This has given rise to heated discussions on the need for a, currently lacking, unified legal framework for the protection of data and privacy, and to better address the challenges brought about by facial recognition technologies.
Irrespective of all these controversial discussions, the PRC data protection regime has already been populated by many principles and requirements as set forth by various laws and regulations. Below we have provided a general outline of these laws and regulations and the exact implementation of which will require customised inputs from practitioners, as they relate to facial recognition technology.
There is no specific definition of "personal facial information" under Chinese law, but it is covered by the broader concept of "personal information". Personal information was first defined as "information that can identify the individuals and that involves privacy of individuals" under the Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks ("NPC Decision") effective as of 28 December 2012. This definition has been further developed and broadened under other laws including, in particular, the Cybersecurity Law 2016 ("CSL"), which came into effect on 1 June 2017. According to Article 76 of the CSL, "personal information" refers to various kinds of information recorded by electronic or other means which, whether independently or combined with other information, can be used to identify a natural person, including personal biochemical information, which then implicitly covers personal facial information.
On the other hand, various national standards for personal information protection explicitly address the topic of personal facial information. The updated Personal Information Security Specification ("the Personal Information Specification"), rolled out on 3 March 2020, introduces the concept of "sensitive personal information" meaning that such information, if leaked, illegally provided, or misused, may endanger personal and proprietary safety and will likely result in, damage to personal reputation, damage to physical and psychological health, and discriminatory treatment.
Examples of sensitive personal information as outlined by such specifications include personal biochemical identification information, which further covers facial recognition features. The draft Requirements on Protection of Biochemical Feature Identification Information ("the Draft Requirements"), rolled out on 18 June 2019, mention the concept of a biometric feature recognition system, which refers to a system that automatically identifies a single data subject based on one or several biometric (eg human face) or behavioural characteristics. This concept will generally cover all facial recognition solutions.
Although these national standards are not compulsory standards to be abided by, the fact that they have been widely promoted by various industrial associations and even been referred to in some law enforcement cases generally shows that they will be deemed as "industrial best practice" to be respected by all business operators.
Since human facial information has been qualified as personal information, the general legal principles on the same protection shall also apply. According to the principles outlined by the NPC Decision and the CSL, before the collection and use of personal data, the collecting entity collecting shall:
Human facial information is, by its nature, more sensitive than other forms of personal information in that, for example, it will generally not change throughout one's life and permanent damage might then be caused if such data is compromised. The fact that it is classified as sensitive personal information means it will be subject to more stringent protection under Chinese law and recommendable industrial practices. Under the Personal Information Specification, controllers shall respect the below requirements when handling sensitive personal information:
The Draft Requirements further provide for more detailed guidance, such as a management system on biometric data life circle which will greatly facilitate the implementation of a best practice in the business world.
More specific rules can also be found in some sensitive sectors, eg the banking sector, which are also now embracing facial recognition technologies. Rules such as the Facial Recognition Offline Payment Security Implementation Technological Specifications, the Personal Financial Information Protection Technological Specifications, and the Facial Recognition Offline Payment Industrial Self-discipline Convention (Trial), are clearly driven by the fast development of new payment solutions based on facial recognition technologies.
In general, legislative development in China relating to facial recognition technology has followed a very pragmatic 'learn from doing' approach. On the one hand, there does not exist a unified legal framework for data protection driven by a strong emphasis on personal privacy as in Europe. Instead, the Chinese approach could be understood as cultivating a more liberal business environment aiming at promoting the implementation of new technologies as well as better securing the whole economy's global competitiveness. On the other hand, the legislators and regulators have rolled out some general laws and rules such as the CSL providing for some general and basic data protection principle requirements, while at the same time leaving quite a bit of room for various business associations to formulate more specific and detailed guidance to help regulate business behaviours.
This problem-solving driven approach naturally promoted the fast development of facial recognition solutions in China, while also allowing the relevant industries to quickly respond to issues as they arise as well as concerns from wider society.
From a business point of view, the booming Chinese market is providing significant opportunities for multinational companies. However, the differing regulatory environment creates some significant challenges at the same time. The laws, due to this pragmatic approach taken by legislators, may not always provide as much clarity as one might expect, while the projected tendencies of law enforcement shows that more cases are likely to accrue. To better navigate this environment, both legislative development as well as industrial practices should be closely monitored.