China: facial recognition and its legal challenges

Facial recognition technology has been widely implemented in contemporary China and has become an integral part of people's daily life. As well as being used for public interest (eg police surveillance systems and traffic controls) and for private purposes (eg mobile functions, payment solutions, and home security), many companies and organisations are also using facial recognition to improve their customer experience and increase business efficiencies. 

The rapid development and wide commercialisation of facial recognition technology has raised many concerns around personal data and privacy protection. Some recent cases, such as the controversial face changing app Zao, the Hangzhou wild animal zoo case, and the China Pharmaceutical University case, put this topic further under the spotlight. This has given rise to heated discussions on the need for a, currently lacking, unified legal framework for the protection of data and privacy, and to better address the challenges brought about by facial recognition technologies. 

Irrespective of all these controversial discussions, the PRC data protection regime has already been populated by many principles and requirements as set forth by various laws and regulations. Below we have provided a general outline of these laws and regulations and the exact implementation of which will require customised inputs from practitioners, as they relate to facial recognition technology.

Conceptual scoping

There is no specific definition of "personal facial information" under Chinese law, but it is covered by the broader concept of "personal information". Personal information was first defined as "information that can identify the individuals and that involves privacy of individuals" under the Decision of the Standing Committee of the National People's Congress on Strengthening Information Protection on Networks ("NPC Decision") effective as of 28 December 2012. This definition has been further developed and broadened under other laws including, in particular, the Cybersecurity Law 2016 ("CSL"), which came into effect on 1 June 2017. According to Article 76 of the CSL, "personal information" refers to various kinds of information recorded by electronic or other means which, whether independently or combined with other information, can be used to identify a natural person, including personal biochemical information, which then implicitly covers personal facial information.

On the other hand, various national standards for personal information protection explicitly address the topic of personal facial information. The updated Personal Information Security Specification ("the Personal Information Specification"), rolled out on 3 March 2020, introduces the concept of "sensitive personal information" meaning that such information, if leaked, illegally provided, or misused, may endanger personal and proprietary safety and will likely result in, damage to personal reputation, damage to physical and psychological health, and discriminatory treatment. 

Examples of sensitive personal information as outlined by such specifications include personal biochemical identification information, which further covers facial recognition features. The draft Requirements on Protection of Biochemical Feature Identification Information ("the Draft Requirements"), rolled out on 18 June 2019, mention the concept of a biometric feature recognition system, which refers to a system that automatically identifies a single data subject based on one or several biometric (eg human face) or behavioural characteristics. This concept will generally cover all facial recognition solutions. 
Although these national standards are not compulsory standards to be abided by, the fact that they have been widely promoted by various industrial associations and even been referred to in some law enforcement cases generally shows that they will be deemed as "industrial best practice" to be respected by all business operators.

Protection principles

Since human facial information has been qualified as personal information, the general legal principles on the same protection shall also apply. According to the principles outlined by the NPC Decision and the CSL, before the collection and use of personal data, the collecting entity collecting shall:

• disclose the purpose of the collection/use of the data, the methods how the data will be collected/used (eg how the data will be further stored, processed, and transferred), and the scope of the data involved
• obtain prior consent from the data subject - the collection and use of the personal data shall then be in line with what is disclosed and agreed by the individuals
• follow the principles of legitimacy, justification, and necessity
• take necessary measures to ensure information safety and keep strict confidentiality of the personal data collected, and
• obtain explicit consent from the data subjects if sending messages of commercial promotional information to the data subjects is intended.

Human facial information is, by its nature, more sensitive than other forms of personal information in that, for example, it will generally not change throughout one's life and permanent damage might then be caused if such data is compromised. The fact that it is classified as sensitive personal information means it will be subject to more stringent protection under Chinese law and recommendable industrial practices. Under the Personal Information Specification, controllers shall respect the below requirements when handling sensitive personal information:

• A separate disclosure and consenting process shall be conducted when the purpose, method, and scope of collection and use, including storage duration, is to be disclosed, with the explicit consent of the data subject also required, meaning in turn that general bundled consent like a cover-all privacy policy will no longer be acceptable.
• Taking security measures like encryption when transmitting and storing sensitive personal information (where the respective encryption solution shall also fulfil Chinese regulatory requirements).
• Separating the storage of personal biometric information and personal identification information and upholding the principle that no biometric personal information source such as samples and images shall be stored, meaning then that one shall only store respective summary or metadata, shall conduct identification and verification locally in the information collection terminal, and delete the biometric personal information source after completion or identification and verification.
• Where the sharing or transfer of personal biometric information is necessary for business reasons (otherwise such sharing or transfer will be disallowed in principle), a separate disclosure and explicit consenting process shall be conducted where the disclosure shall further address details of the concerned biometric information and the identity and security competence of the data recipient.
• No public disclosure of personal biometric information.
• A requirement to set up a data protection officer and a dedicated protection unit if the company is handling sensitive personal information involving more than 100,000 people.

The Draft Requirements further provide for more detailed guidance, such as a management system on biometric data life circle which will greatly facilitate the implementation of a best practice in the business world.

Where we stand

More specific rules can also be found in some sensitive sectors, eg the banking sector,  which are also now embracing facial recognition technologies. Rules such as the Facial Recognition Offline Payment Security Implementation Technological Specifications, the Personal Financial Information Protection Technological Specifications, and the Facial Recognition Offline Payment Industrial Self-discipline Convention (Trial), are clearly driven by the fast development of new payment solutions based on facial recognition technologies.

In general, legislative development in China relating to facial recognition technology has followed a very pragmatic 'learn from doing' approach. On the one hand, there does not exist a unified legal framework for data protection driven by a strong emphasis on personal privacy as in Europe. Instead, the Chinese approach could be understood as cultivating a more liberal business environment aiming at promoting the implementation of new technologies as well as better securing the whole economy's global competitiveness. On the other hand, the legislators and regulators have rolled out some general laws and rules such as the CSL providing for some general and basic data protection principle requirements, while at the same time leaving quite a bit of room for various business associations to formulate more specific and detailed guidance to help regulate business behaviours. 

This problem-solving driven approach naturally promoted the fast development of facial recognition solutions in China, while also allowing the relevant industries to quickly respond to issues as they arise as well as concerns from wider society.

From a business point of view, the booming Chinese market is providing significant opportunities for multinational companies. However, the differing regulatory environment creates some significant challenges at the same time. The laws, due to this pragmatic approach taken by legislators, may not always provide as much clarity as one might expect, while the projected tendencies of law enforcement shows that more cases are likely to accrue. To better navigate this environment, both legislative development as well as industrial practices should be closely monitored.