Language

All About Face: Use of Facial Recognition and Legal Restrictions

All About Face: Use of Facial Recognition and Legal Restrictions

 

Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: November 10, 2021

 

Introduction

From public places laden with facial verification cameras to residential buildings that shut strangers out with facial identification requirements, facial recognition technology is being used almost everywhere in China which has contributed to the low criminal rates and high level of public security, earning China the reputation as one of the safest places in the world to travel around.[1] Beyond the bright side, there has been at least one dark side to the overwhelming use of cameras-the possible leaks of people’s biometric identification information to outlaws and hackers. Nowadays, the public becomes increasingly concerned about providing their facial data to various service providers. The calls for safeguarding and curbing excessive uses of people’s facial data are on the rise.

 

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), has become effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing should obtain consent from users in order to collect/process the users’ data.

To address the increasing public concerns of the necessity to curb the abuses of people’s biometric data, the PIPL specifically regulates the collection of biometric data and the use of facial recognition technology in public areas.

Apart from the enactment of the PIPL, there was a lawsuit in Hangzhou stemming from dispute over the use of facial recognition equipment and a judicial interpretation on the same subject promulgated by the China Supreme People’s Court.

 

What is facial recognition?

No definition is provided under the PIPL or the judicial interpretation. According to The Future of Privacy Forum, the Facial recognition (currently defined to include facial verification and facial identification) means the technology that creates, collects, compares and retains facial templates that are identified or identifiable to particular individuals.[2]

Facial verification means a task where the facial recognition system confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image. This process is also called one-to-one verification, or authentication.[3] 

Facial Identification means searching a database for a reference matching a submitted facial template and returning a corresponding identity, also known as “one-to-many” matching.[4]

From the above definitions, it can be deduced that facial recognition technology is not an equivalent of the conventional public camera surveillance[5] because it involves more than passive facial scanning and recording. If the usage of public surveillance camera involves no creation of personably identifiable facial templates which are identified or linked, or identifiable or linkable to individuals, it would neither constitute “facial recognition” nor arouse the same type of privacy concerns discussed under this article.

 

PIPL on facial recognition

 

1) processing of facial recognition data

Under the PIPL, facial recognition data, being a type of the biometric identification information, are classified under a specific category of information, sensitive personal information,[6] that must be treated with the following extra safeguarding:

1)   Personal information processors may not process sensitive personal information unless there are specific purposes and sufficient necessity, and strict protection measures are taken (Art. 28);

2)   An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail (Art. 29); and

3)   To process sensitive personal information, personal information processors shall, notify individuals of the following:

    (a) identity of the processor (Art. 17);

    (b) purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods (Art. 17);

    (c) methods and procedures for individuals to exercise their rights (Art. 17);

    (d) necessity of the processing of sensitive personal information (Art. 30); and

    (e) the impacts on individuals’ rights and interests, except that it is not required by this Law to so notify (Art. 30).

 

2) use of facial recognition technology in public areas

Regarding the use of facial recognition technology in public areas, the PIPL provides as follows:

1)   The installation of image collection or personal identification equipment in public areas shall be necessary for maintaining public security and comply with relevant regulations issued by the state (Art. 26);

2)   Conspicuous signs shall be erected (Art. 26); and

3)   The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals (Art. 26).

The above provisions basically provide that the use of facial recognition technology in public areas is only allowed for the purpose of maintaining public security where conspicuous signs shall be erected. It cannot be used for marketing, targeted advertising or any other commercial purposes, unless separate consent of individuals has been obtained.

One has but one face. Facial information is of a unique and unchangeable character for the individuals. As improper disclosures of facial data can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that facial data be specifically categorized and appropriately protected. The PIPL’s position in regulating the use of facial recognition data echoes with that of the GDPR. [7]

 

A GDPR decision on the use of facial recognition

A decision handed down in August 2019 under the GDPR could shed some light on the position taken by the GDPR towards the use of facial recognition data. The Swedish Data Protection Authority (“DPA”) has imposed a fine of approximately 20,000 euros upon a municipality for using facial recognition technology to monitor the attendance of students in school. The school in northern Sweden has conducted a trial program using facial recognition to keep track of students’ attendance in school. The students’ guardians were asked to give and gave explicit consent and they also had the option of excluding their child from the program. The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller. The Swedish DPA concluded the school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA. [8]

Under the GDPR, biometric data, [9] including that generated through facial recognition technology, is protected as a special category of personal data since it is uniquely and strongly identifying to a person. The GDPR prohibits the processing of such data unless there is explicit consent, a legal obligation or public interest. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.[10] Judging from the clear imbalance between the students/their guardians and the school in the above case, the Swedish Data Protection Authority held the school liable under the GDPR for unlawfully processing the students’ facial data.

 

First lawsuit over facial recognition in China

Interestingly in contrast with the Swedish school case, also happened in 2019 and before the enactment of the PIPL, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park constituted a breach of the contract between the plaintiff and the Park.

Guo Bing, an associate law professor in Hangzhou city, filed a civil lawsuit against Hangzhou Safari Park in late 2019 after the Park required a facial identification process for his annual membership pass. He argued the Hangzhou Safari Park has no legal basis to collect visitors’ biometric data. Both courts in the first instance and second instance ruled in favor of Guo Bing, ordering the Park to refund him and delete his facial data and fingerprints.[11]

However, the courts’ judgements are criticized for being too narrow and also for the failure to touch on the legitimacy of the Park’s overbearing policy which mandated facial identification for entry. From the perspective of contract law, the courts of first and second instance ruled that the Park’s requirement of facial recognition to enter the park does not have legal effect on Guo contractually, but the courts avoided the review of the arbitrary clause that 'users who have not registered their face for facial recognition will not be able to enter the park ever'. That is however the key claim in Guo’s lawsuit against the Park.

 The above being said, Guo’s case is still significant as the first lawsuit to challenge the commercial use of facial recognition technology. Citing Guo’s case, China’s Supreme People’s Court (“SPC”) announced that consumers’ privacy must be protected from unwarranted face tracking,[12] a signal that China is tightening the leash on the facial recognition industry.

 

Judicial interpretation on use of facial recognition

On July 28, 2021 the SPC promulgated the Provisions (the “Provisions”) on several issues concerning the application of law in the trial of civil cases relating to processing of personal information by using the facial recognition technology.[13] The Provisions came into force on August 1, 2021.

The Provisions apply to civil cases that involve facial recognition technology. The Provisions set forth that hotels, shopping malls, airports and other commercial venues should not use facial recognition in violation of the laws and administrative regulations. The use of the technology is only allowed when there is clear legal basis and cannot exceed what is necessary, and companies must take measures to protect the facial data. The Provisions also provide that consent is not a valid legal basis if companies denied providing products or services on the condition that a consent is given, unless the processing of facial information is necessary for the provision of such products or services. Property management companies must obtain the consent of the residents before using facial recognition. In case of refusal of consent, alternative verification methods must be offered.

While the Provisions are not clear on what counts as necessary use, the possibility of penalties from lawsuits is likely to curb some excessive uses of people’s facial data. The Provisions also specifies a mechanism for the public to sue if their privacy has been violated and option for injunction is also available in cases where irreparable harm would be caused without an injunctive relief.

 

Key Takeaways

·   Thorough impact assessment should be conducted prior to the launching of any facial recognition implementation.

·   For businesses to stay compliant with the PIPL, despite the scale and the intent of the use of facial recognition technology, regulatory and professional opinions have to be consulted.

·   Consent should not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller.

·   Consent should be invalid if there is an “opt-in-or-leave” situation, unless the processing of facial data is absolutely necessary for the products or services offered.

 

Conclusion

After the enactment of the PIPL and the China Supreme People’s Court’s promulgation of the Provisions, it remains to be seen how the administration will enforce these rules, how the courts will adjudicate in lawsuits involving facial recognition and whether such enforcement/adjudication will actually curb the abuses of facial recognition technology. For whatever the future holds, one thing is certain: businesses must realize that to advance any frontier technology, building public trust is essential to the effectuation that the public can enjoy the benefits offered by the technology. Before the public can entrust their sensitive personal data to the facial recognition businesses, they must have confidence that the use is with necessity, and that the use is lawful, fair, transparent and also safely guarded.



 



[1] See https://www.globaltimes.cn/content/1067645.shtml.

[2] See The Future of Privacy Forum, Privacy Principles for Facial-Recognition Technology in Commercial Applications (September 2018), https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf.

[3] Ibid.

[4] Ibid.

[5] Closed-circuit television (CCTV) or video surveillance is camera systems used to transmit signals to a specific location often with visualization on a limited number of televisions or computer monitors. See Hong Kong Lawyer, CCTV and Privacy Rights (December 2019).

[6]  Under the PIPL, sensitive personal information is defined as “the personal information of which the leakage or illegal use   could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including    information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.” (Art. 28).

[7] The General Data Protection Regulation (EU) 2016/679.

[8] See https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_sv.

[9] GDPR defines “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. See https://gdpr-info.eu/art-4-gdpr/.

[10] See https://www.privacy-regulation.eu/en/recital-43-GDPR.htm.

[11] See https://xw.qq.com/cmsid/20201120A0EPDD00.

[12] See https://m.thepaper.cn/baijiahao_13819929.

[13] See http://en.pkulaw.cn/Display.aspx?Lib=law&Id=36687&keyword.


  • 相关资讯 More
  • 点击次数: 999999
    2024 - 09 - 13
    作者:金涟伊为确保药品在生产、销售和使用过程中的安全性,国家市场监督管理总局发布了药品生产监督管理办法、药品经营和使用质量监督管理办法等一系列法规、规章,设立了药品生产质量管理规范、药品溯源制度等配套制度,同时,对于违反相关法律法规部门规章的行为,国家依法予以处罚,确保落实药品安全。处罚手段中,“没收违法所得”是最常见的处罚方式。 实践中,药品案件的违法所得应当如何确定? 对于该问题,国家食品药品监督管理局曾于2007年2月8日作出《国家食品药品监督管理局关于“违法所得”问题的批复》(国食药监法[2007]74号),批复称,一般情况下,《药品管理法》、《药品管理法实施条例》中的“违法所得”,是指“实施违法行为的全部经营收入”。《药品管理法》第八十二条、第八十七条(对应2019年修订后的第一百二十二条、第一百三十八条)规定的“违法所得”是指“实施违法行为中收取的费用”。《药品管理法实施条例》第八十一条(对应2019年修订后的第七十五条)规定的“违法所得”是指“售出价格与购入价格的差价”。 如参考以上批复,对于药品案件的违法所得可以有两种计算方式。第一种即以全额计算。此种计算方式可称之为“全额说”,是将违法所得等同为涉案产品的销售收入,计算违法所得时不扣除合法成本或税收。此种计算方式带有惩罚性,当事人应当承担超过其获利的处罚责任,其投入成本越高,惩罚性越明显。 第二种是对于《药品管理法实施条例》第七十五条的情况,即“药品经营企业、医疗机构未违反《药品管理法》和本条例的有关规定,并有充分证据证明其不知道所销售或者使用的药品是假药、劣药的”,此种情况药品经营企业、医疗机构无主观违法恶意,适用惩罚性处罚手段显失公平,因此违法所得以售出价格与购入价格的差价进行计算。 此外,不论以何种方式计算违法所得,都应当排除应退赔的部分。行政处罚法第...
  • 点击次数: 1000010
    2024 - 08 - 30
    作者:陈巴特朋友张先生今年年初入职一家科技公司,担任技术主管一职,因工作需要,常常受公司安排出差,而且通常在周末夜间乘坐夕发朝至的火车卧铺,出差时间也通常连续长达十天半月,期间必然经过双休日,有时甚至经过法定节假日。但是,公司从未向其支付加班工资。张先生百思不得其解,其始终认为,被安排到外地出差的在途时间,以及双休日仍出差在外,属于自己的时间却不能由自己支配,因此应视为加班。近日,张先生约我“喝茶”,我义务为其解答后,张先生释然,果断放弃了申请仲裁的计划。张先生的疑虑,或许正是很多劳动者困扰的问题。那么,当出差遇到休息日,究竟算不算加班呢?一、加班是什么?根据《中华人民共和国劳动法》第四十四条,加班是指劳动者在正常工作时间之外,按照用人单位的安排进行的工作。包括正常工作日延长工作时间,或者双休日或国家法定假期期间工作。认定加班需要有特定的工作内容为支撑。对加班的劳动者,用人单位应当依法支付高于正常工作时间工资的工资报酬。在竞争激烈的当今社会,加班司空见惯,已然形成“加班文化”。适当的加班,对用人单位的经营发展及劳动者收入的提高,有一定积极意义。但超时加班与体面劳动、舒心工作、全面发展不相符,与国家提倡的提升人民生活品质也脱节。如果劳动者加班后不能获得相应的报酬,则其合法权益将会受到侵害,用人单位也违反了法律规定。 二、休息日出差在途,算不算加班?加班的本质是在正常工作时间之外进行额外的工作,需要以特定的工作作为内容支撑,并非单纯的时间经过。出差在路上的时间,主要是乘坐交通工具,如同正常上下班在路上的耗时,都是为下一步工作而进行准备的时间。期间劳动者如未实际进行工作任务的执行,也没有产生具体的工作成果,仅有时间的消逝,则并不满足加班的这一认定条件。况且,出差在途期间,劳动者虽然不能自由支配时间,但仍可以照常休息,如乘坐高铁、飞机等交通工具时,可以休息或从事个人活动,...
  • 点击次数: 1000006
    2024 - 08 - 23
    作者:常春引言实用新型专利作为专利权的一种重要类型,主要保护具有新颖性和创造性的产品的形状、构造或其结合,而不涉及工艺或方法。然而,在实际的专利申请和审查实践中,部分实用新型专利的权利要求中引入了方法特征。这种现象引发了学术界和实务界对其合法性和合理性的讨论。本文通过分析相关案例和法律规定,探讨实用新型专利申请中是否可以引入方法特征,并对这种引入是否符合专利法的保护范围和实用新型专利的立法初衷进行详细探讨。一、实用新型专利的保护客体及方法特征的引入现象根据《中华人民共和国专利法》第二条规定,“实用新型专利的保护客体是对产品的形状、构造或者其结合提出的新的技术方案。”不同于发明专利,实用新型专利不保护制造方法、使用方法等工艺过程。这一限定决定了实用新型专利在权利要求撰写时,通常不会涉及方法特征。然而,在实际申请中,一些申请人为了强调产品的创新性,往往在权利要求中加入方法特征,试图通过这些特征对产品形状或构造的创新性进行补充说明。这种情况尤其在涉及产品制造工艺与产品构造密切相关的领域较为常见。二、引入方法特征的实用新型专利权利要求分析尽管方法特征不属于实用新型专利的保护客体,但在权利要求中引入方法特征并非完全无效。关键在于方法特征是否会对产品的形状、构造产生影响。如果该方法特征能够使产品具有特定的形状、构造,则在新颖性、创造性判断中,这些特征仍然可以对权利保护范围起到限定作用。例如,(2019)最高法知行终133号案。该案件涉及一种建筑构件的实用新型专利,权利要求中包含了生产该建筑构件的方法特征。最高人民法院在审理时指出,虽然实用新型专利可以包含方法特征,但这些特征必须对产品的最终形状、构造产生直接影响,才能在专利保护范围内予以考虑。如果方法特征只是工艺流程的一部分,而未对产品本身的形状、构造产生实质性影响,则这些特征应当被排除在新颖性和创造性判断之外。再例如,(2017)最高...
  • 点击次数: 1000003
    2024 - 08 - 16
    作者:王辉近年来,随着竞业限制案件数量逐年递增,竞业限制越来越受到广泛关注,而实务中又颇多争议。下文就对竞业限制领域常见问题以“一问一答”形式进行归纳、提炼,望能对无论是企业还是打工人有所助益。一、什么是竞业限制?  有关法律法规并未对竞业限制有明确定义。但具体来说,基本可以归纳为:竞业限制是指用人单位和知悉本单位商业秘密或其他对本单位经营有重大影响的劳动者约定在与该劳动者解除或终止劳动关系后,一定期限内不得在生产或经营同类产品、从事同类业务的有竞争关系的其他用人单位任职,或自行生产或经营同类产品、从事同类业务。法律依据主要是《中华人民共和国劳动合同法》(以下简称《劳动合同法》)第二十三条及第二十四条。二、用人单位可以与哪些人签订竞业限制协议?根据《劳动合同法》第二十四条之规定,竞业限制的人员限于用人单位的高级管理人员、高级技术人员和其他负有保密义务的人员。实践中,用人单位应根据自身经营情况及劳动者任职情况与那些确实或有条件知悉用人单位商业秘密的人员签署竞业限制协议,而不应盲目与所有员工签订竞业限制协议,徒增用工成本。三、竞业限制的期限可以随意约定吗?根据《劳动合同法》第二十四条之规定,竞业限制的范围、地域、期限由用人单位与劳动者协商约定,不违反法律、法规规定即可。其中,竞业限制的期限不得超过两年,超出两年的期限部分无效。四、竞业限制的经济补偿标准是多少?有约定从约定。如用人单位与劳动者在劳动合同或者保密协议中或者单独签订竞业限制协议约定了竞业限制,但未约定补偿金标准的,劳动者履行了竞业限制义务,可以要求用人单位按照劳动者在劳动合同解除或者终止前十二个月平均工资的30%按月支付经济补偿。若月平均工资的30%低于劳动合同履行地最低工资标准的,按照劳动合同履行地最低工资标准支付。具体法律依据详见《最高人民法院关于审理劳动争议案件适用法律问题的解释(一)》(以...
× 扫一扫,关注微信公众号
北京市铭盾律师事务所 www.mdlaw.cn
Copyright© 2008 - 2020北京市铭盾律师事务所京ICP备09063742号-1犀牛云提供企业云服务
X
1

QQ设置

3

SKYPE 设置

4

阿里旺旺设置

5

电话号码管理

6

二维码管理

展开