All About Face: Use of Facial Recognition and Legal Restrictions

All About Face: Use of Facial Recognition and Legal Restrictions


Author: Yingying Zhu, Partner of Beijing MingDun Law Firm


Date: November 10, 2021



From public places laden with facial verification cameras to residential buildings that shut strangers out with facial identification requirements, facial recognition technology is being used almost everywhere in China which has contributed to the low criminal rates and high level of public security, earning China the reputation as one of the safest places in the world to travel around.[1] Beyond the bright side, there has been at least one dark side to the overwhelming use of cameras-the possible leaks of people’s biometric identification information to outlaws and hackers. Nowadays, the public becomes increasingly concerned about providing their facial data to various service providers. The calls for safeguarding and curbing excessive uses of people’s facial data are on the rise.



On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), has become effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing should obtain consent from users in order to collect/process the users’ data.

To address the increasing public concerns of the necessity to curb the abuses of people’s biometric data, the PIPL specifically regulates the collection of biometric data and the use of facial recognition technology in public areas.

Apart from the enactment of the PIPL, there was a lawsuit in Hangzhou stemming from dispute over the use of facial recognition equipment and a judicial interpretation on the same subject promulgated by the China Supreme People’s Court.


What is facial recognition?

No definition is provided under the PIPL or the judicial interpretation. According to The Future of Privacy Forum, the Facial recognition (currently defined to include facial verification and facial identification) means the technology that creates, collects, compares and retains facial templates that are identified or identifiable to particular individuals.[2]

Facial verification means a task where the facial recognition system confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image. This process is also called one-to-one verification, or authentication.[3] 

Facial Identification means searching a database for a reference matching a submitted facial template and returning a corresponding identity, also known as “one-to-many” matching.[4]

From the above definitions, it can be deduced that facial recognition technology is not an equivalent of the conventional public camera surveillance[5] because it involves more than passive facial scanning and recording. If the usage of public surveillance camera involves no creation of personably identifiable facial templates which are identified or linked, or identifiable or linkable to individuals, it would neither constitute “facial recognition” nor arouse the same type of privacy concerns discussed under this article.


PIPL on facial recognition


1) processing of facial recognition data

Under the PIPL, facial recognition data, being a type of the biometric identification information, are classified under a specific category of information, sensitive personal information,[6] that must be treated with the following extra safeguarding:

1)   Personal information processors may not process sensitive personal information unless there are specific purposes and sufficient necessity, and strict protection measures are taken (Art. 28);

2)   An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail (Art. 29); and

3)   To process sensitive personal information, personal information processors shall, notify individuals of the following:

    (a) identity of the processor (Art. 17);

    (b) purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods (Art. 17);

    (c) methods and procedures for individuals to exercise their rights (Art. 17);

    (d) necessity of the processing of sensitive personal information (Art. 30); and

    (e) the impacts on individuals’ rights and interests, except that it is not required by this Law to so notify (Art. 30).


2) use of facial recognition technology in public areas

Regarding the use of facial recognition technology in public areas, the PIPL provides as follows:

1)   The installation of image collection or personal identification equipment in public areas shall be necessary for maintaining public security and comply with relevant regulations issued by the state (Art. 26);

2)   Conspicuous signs shall be erected (Art. 26); and

3)   The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals (Art. 26).

The above provisions basically provide that the use of facial recognition technology in public areas is only allowed for the purpose of maintaining public security where conspicuous signs shall be erected. It cannot be used for marketing, targeted advertising or any other commercial purposes, unless separate consent of individuals has been obtained.

One has but one face. Facial information is of a unique and unchangeable character for the individuals. As improper disclosures of facial data can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that facial data be specifically categorized and appropriately protected. The PIPL’s position in regulating the use of facial recognition data echoes with that of the GDPR. [7]


A GDPR decision on the use of facial recognition

A decision handed down in August 2019 under the GDPR could shed some light on the position taken by the GDPR towards the use of facial recognition data. The Swedish Data Protection Authority (“DPA”) has imposed a fine of approximately 20,000 euros upon a municipality for using facial recognition technology to monitor the attendance of students in school. The school in northern Sweden has conducted a trial program using facial recognition to keep track of students’ attendance in school. The students’ guardians were asked to give and gave explicit consent and they also had the option of excluding their child from the program. The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller. The Swedish DPA concluded the school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA. [8]

Under the GDPR, biometric data, [9] including that generated through facial recognition technology, is protected as a special category of personal data since it is uniquely and strongly identifying to a person. The GDPR prohibits the processing of such data unless there is explicit consent, a legal obligation or public interest. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.[10] Judging from the clear imbalance between the students/their guardians and the school in the above case, the Swedish Data Protection Authority held the school liable under the GDPR for unlawfully processing the students’ facial data.


First lawsuit over facial recognition in China

Interestingly in contrast with the Swedish school case, also happened in 2019 and before the enactment of the PIPL, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park constituted a breach of the contract between the plaintiff and the Park.

Guo Bing, an associate law professor in Hangzhou city, filed a civil lawsuit against Hangzhou Safari Park in late 2019 after the Park required a facial identification process for his annual membership pass. He argued the Hangzhou Safari Park has no legal basis to collect visitors’ biometric data. Both courts in the first instance and second instance ruled in favor of Guo Bing, ordering the Park to refund him and delete his facial data and fingerprints.[11]

However, the courts’ judgements are criticized for being too narrow and also for the failure to touch on the legitimacy of the Park’s overbearing policy which mandated facial identification for entry. From the perspective of contract law, the courts of first and second instance ruled that the Park’s requirement of facial recognition to enter the park does not have legal effect on Guo contractually, but the courts avoided the review of the arbitrary clause that 'users who have not registered their face for facial recognition will not be able to enter the park ever'. That is however the key claim in Guo’s lawsuit against the Park.

 The above being said, Guo’s case is still significant as the first lawsuit to challenge the commercial use of facial recognition technology. Citing Guo’s case, China’s Supreme People’s Court (“SPC”) announced that consumers’ privacy must be protected from unwarranted face tracking,[12] a signal that China is tightening the leash on the facial recognition industry.


Judicial interpretation on use of facial recognition

On July 28, 2021 the SPC promulgated the Provisions (the “Provisions”) on several issues concerning the application of law in the trial of civil cases relating to processing of personal information by using the facial recognition technology.[13] The Provisions came into force on August 1, 2021.

The Provisions apply to civil cases that involve facial recognition technology. The Provisions set forth that hotels, shopping malls, airports and other commercial venues should not use facial recognition in violation of the laws and administrative regulations. The use of the technology is only allowed when there is clear legal basis and cannot exceed what is necessary, and companies must take measures to protect the facial data. The Provisions also provide that consent is not a valid legal basis if companies denied providing products or services on the condition that a consent is given, unless the processing of facial information is necessary for the provision of such products or services. Property management companies must obtain the consent of the residents before using facial recognition. In case of refusal of consent, alternative verification methods must be offered.

While the Provisions are not clear on what counts as necessary use, the possibility of penalties from lawsuits is likely to curb some excessive uses of people’s facial data. The Provisions also specifies a mechanism for the public to sue if their privacy has been violated and option for injunction is also available in cases where irreparable harm would be caused without an injunctive relief.


Key Takeaways

·   Thorough impact assessment should be conducted prior to the launching of any facial recognition implementation.

·   For businesses to stay compliant with the PIPL, despite the scale and the intent of the use of facial recognition technology, regulatory and professional opinions have to be consulted.

·   Consent should not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller.

·   Consent should be invalid if there is an “opt-in-or-leave” situation, unless the processing of facial data is absolutely necessary for the products or services offered.



After the enactment of the PIPL and the China Supreme People’s Court’s promulgation of the Provisions, it remains to be seen how the administration will enforce these rules, how the courts will adjudicate in lawsuits involving facial recognition and whether such enforcement/adjudication will actually curb the abuses of facial recognition technology. For whatever the future holds, one thing is certain: businesses must realize that to advance any frontier technology, building public trust is essential to the effectuation that the public can enjoy the benefits offered by the technology. Before the public can entrust their sensitive personal data to the facial recognition businesses, they must have confidence that the use is with necessity, and that the use is lawful, fair, transparent and also safely guarded.


[1] See

[2] See The Future of Privacy Forum, Privacy Principles for Facial-Recognition Technology in Commercial Applications (September 2018),

[3] Ibid.

[4] Ibid.

[5] Closed-circuit television (CCTV) or video surveillance is camera systems used to transmit signals to a specific location often with visualization on a limited number of televisions or computer monitors. See Hong Kong Lawyer, CCTV and Privacy Rights (December 2019).

[6]  Under the PIPL, sensitive personal information is defined as “the personal information of which the leakage or illegal use   could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including    information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.” (Art. 28).

[7] The General Data Protection Regulation (EU) 2016/679.

[8] See

[9] GDPR defines “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. See

[10] See

[11] See

[12] See

[13] See

  • 相关资讯 More
  • 点击次数: 4
    2023 - 02 - 03
    作者:刘文娟国家知识产权局于近日发布了《商标法修订草案(征求意见稿)》(以下简称“修订草案”),公开征求对商标法的修改意见。在上述修订草案中,我们可以欣喜地发现,立法机关已经开始在立法层面纠正目前商标注册“注而不用”、授权程序冗长繁复、恶意注册非法成本低的弊端。笔者仅就修订草案中涉及商标使用及打击恶意注册的部分进行分析,供大家参考。 第一, 修订草案增加了注册商标权利人主动提交商标使用说明的义务; 此条款借鉴了美国等国家关于商标注册人主动提交商标使用证据的相关规定,是对商标权利人最重要的修改条款。修订草案第六十一条规定,商标注册人应当自商标核准注册之日起每满五年之后的十二个月内,向国务院知识产权行政部门说明该商标在核定商品上的使用情况或者不使用的正当理由。 为了不过度增加权利人的举证义务且要达到督促注册商标使用、清理闲置商标的目的,对商标权利人主动提交商标使用说明的举证标准显然不能等同于撤销注册商标连续三年不使用申请中权利人的举证标准。然而为了不架空本条款,尚有待建立权利人承诺制度及诚信等级,督促商标权的实际使用。 第二,修订草案规定申请人不得重复申请、注册商标; 修订草案第十四条及第二十一条规定,申请注册的商标不得与申请人在同一种商品上在先申请、已经注册或者在申请日前一年内被公告注销、撤销、宣告无效的在先商标相同。 理想情况下,此条款本应是区分性知识产权的应有之意,商标权的可续展性决定了一件商标授权足以满足权利的正常使用。此条规定若能正确执行,将大量有效减少商标恶意注册行为。为规避商标法对商标使用的要求,不少恶意注册人采取“接力式注册商标”,不断重新申请已被撤销或无效宣告的商标,极大增加了权利人的维权成本。 然而,在实践中,因为权利人无法及时清理在先商标的阻碍,不得已需要“接力式申请”,以避免...
  • 点击次数: 6
    2023 - 01 - 13
  • 点击次数: 11
    2022 - 12 - 30
  • 点击次数: 7
    2022 - 12 - 23
    作者:金涟伊2021年10月28日发布的《“十四五”国家知识产权保护和运用规划》中指出,要“推动企业实施商标品牌战略,加强商标品牌资产管理,强化商标使用导向,支持开展海外商标布局,培育具有市场竞争力、国际影响力的知名商标品牌”。加强建设高质量的商标品牌,企业可以从做好商标管理做起,注册商标和未注册商标的管理重点略有区别。 一、注册商标的管理 注册商标是由企业向国家知识产权局提交申请,经国家知识产权局审核通过并公告注册的商标。商标注册后可获得商标注册证,列明该商标的注册号、商标标识、核定使用商品或服务类别及项目、注册人、注册人地址、注册日期及有效期等信息。商标注册证记载该商标的关键信息,是商标注册人拥有商标专用权的重要凭证,企业应当注意留存。并且商标专用权届满前,企业应根据需要及时续展。 实践中,为向公众宣告商标已获准注册,企业可在使用注册商标时在该商标右上角标注注册商标标志“®”,同时应在使用中注意以下几点: 1、 应注意保存使用证据 根据商标法第四十九条的规定,注册商标没有正当理由连续三年不使用的,任何单位或者个人可以向商标局申请撤销该注册商标。合法合规地使用注册商标并妥善留存商标使用证据是企业商标管理的重点内容。 商标使用证据的主要形式可分为书面材料及实物材料。书面材料包括交易文书、产品检验报告、加工销售合同发票、宣传海报、媒体广告材料、荣誉资质证书等;实物材料包括承载商标的产品容器、标签、说明手册、包装盒、服务场所装潢等。如需提交复印件或照片的,应委托公证机关办理公证。 2、 应注意维护商标专用权 商标获准注册后,商标注册人便在核定使用的商品服务上享有商标专用权,可对侵犯其商标专用权的情况主动进行商标行政、司法保护,以维护合法权益。积极维护商标权有助于企业建立...
× 扫一扫,关注微信公众号
Copyright© 2008 - 2020北京市铭盾律师事务所京ICP备09063742号-1犀牛云提供企业云服务