All About Face: Use of Facial Recognition and Legal Restrictions

Author: Yingying Zhu, Partner of Beijing MingDun Law Firm


Date: November 10, 2021



From public places laden with facial verification cameras to residential buildings that shut strangers out with facial identification requirements, facial recognition technology is being used almost everywhere in China. This has contributed to low crime rates and a high level of public security, earning China a reputation as one of the safest places in the world to travel around.[1] Beyond the bright side, there is at least one dark side to the overwhelming use of cameras: the possible leak of people’s biometric identification information to outlaws and hackers. The public has become increasingly concerned about providing their facial data to various service providers, and calls for safeguarding people’s facial data and curbing its excessive use are on the rise.



On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), became effective. The PIPL basically requires operators of websites, mobile phone applications or any other technologies that collect and process data to obtain consent from users in order to collect or process the users’ data.

To address the increasing public concern about the need to curb abuses of people’s biometric data, the PIPL specifically regulates the collection of biometric data and the use of facial recognition technology in public areas.

Apart from the enactment of the PIPL, there was a lawsuit in Hangzhou stemming from a dispute over the use of facial recognition equipment, and a judicial interpretation on the same subject was promulgated by China’s Supreme People’s Court.


What is facial recognition?

No definition is provided under the PIPL or the judicial interpretation. According to the Future of Privacy Forum, facial recognition (currently defined to include facial verification and facial identification) means the technology that creates, collects, compares and retains facial templates that are identified or identifiable to particular individuals.[2]

Facial verification means a task where the facial recognition system confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image. This process is also called one-to-one verification, or authentication.[3] 

Facial identification means searching a database for a reference matching a submitted facial template and returning a corresponding identity, also known as “one-to-many” matching.[4]

From the above definitions, it can be deduced that facial recognition technology is not equivalent to conventional public camera surveillance,[5] because it involves more than passive facial scanning and recording. If the use of public surveillance cameras involves no creation of personally identifiable facial templates that are identified or linked, or identifiable or linkable, to individuals, it would neither constitute “facial recognition” nor raise the same type of privacy concerns discussed in this article.


PIPL on facial recognition


1) processing of facial recognition data

Under the PIPL, facial recognition data, being a type of biometric identification information, is classified under a specific category of information, sensitive personal information,[6] that must be given the following extra safeguards:

1)   Personal information processors may not process sensitive personal information unless there are specific purposes and sufficient necessity, and strict protection measures are taken (Art. 28);

2)   An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail (Art. 29); and

3)   To process sensitive personal information, personal information processors shall notify individuals of the following:

    (a) identity of the processor (Art. 17);

    (b) purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods (Art. 17);

    (c) methods and procedures for individuals to exercise their rights (Art. 17);

    (d) necessity of the processing of sensitive personal information (Art. 30); and

    (e) the impacts on individuals’ rights and interests, unless this Law provides that such notification is not required (Art. 30).


2) use of facial recognition technology in public areas

Regarding the use of facial recognition technology in public areas, the PIPL provides as follows:

1)   The installation of image collection or personal identification equipment in public areas shall be necessary for maintaining public security and comply with relevant regulations issued by the state (Art. 26);

2)   Conspicuous signs shall be erected (Art. 26); and

3)   The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals (Art. 26).

The above provisions basically provide that the use of facial recognition technology in public areas is allowed only for the purpose of maintaining public security, and that conspicuous signs must be erected. It cannot be used for marketing, targeted advertising or any other commercial purposes, unless the separate consent of individuals has been obtained.

One has but one face. Facial information is unique to the individual and unchangeable. As improper disclosure of facial data can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that facial data is specifically categorized and appropriately protected. The PIPL’s position in regulating the use of facial recognition data echoes that of the GDPR.[7]


A GDPR decision on the use of facial recognition

A decision handed down in August 2019 under the GDPR sheds some light on the position taken by the GDPR towards the use of facial recognition data. The Swedish Data Protection Authority (“DPA”) imposed a fine of approximately 20,000 euros upon a municipality for using facial recognition technology to monitor the attendance of students in school. The school in northern Sweden had conducted a trial program using facial recognition to keep track of students’ attendance in school. The students’ guardians were asked to give, and gave, explicit consent, and they also had the option of excluding their child from the program. The school based the processing on consent, but the Swedish DPA considered that consent was not a valid legal basis given the clear imbalance between the data subject and the controller. The Swedish DPA concluded that the school had processed sensitive biometric data unlawfully and had failed to do an adequate impact assessment, including seeking prior consultation with the Swedish DPA.[8]

Under the GDPR, biometric data,[9] including that generated through facial recognition technology, is protected as a special category of personal data since it is uniquely and strongly identifying to a person. The GDPR prohibits the processing of such data unless there is explicit consent, a legal obligation or public interest. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.[10] Judging from the clear imbalance between the students/their guardians and the school in the above case, the Swedish Data Protection Authority held the school liable under the GDPR for unlawfully processing the students’ facial data.


First lawsuit over facial recognition in China

In an interesting contrast with the Swedish school case, and in a case that also dates from 2019, before the enactment of the PIPL, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park constituted a breach of the contract between the plaintiff and the Park.

Guo Bing, an associate law professor in Hangzhou city, filed a civil lawsuit against Hangzhou Safari Park in late 2019 after the Park required a facial identification process for his annual membership pass. He argued that the Hangzhou Safari Park had no legal basis to collect visitors’ biometric data. The courts of both first instance and second instance ruled in favor of Guo Bing, ordering the Park to refund him and delete his facial data and fingerprints.[11]

However, the courts’ judgments have been criticized for being too narrow and for failing to touch on the legitimacy of the Park’s overbearing policy, which mandated facial identification for entry. From the perspective of contract law, the courts of first and second instance ruled that the Park’s requirement of facial recognition to enter the park does not have legal effect on Guo contractually, but the courts avoided reviewing the arbitrary clause that “users who have not registered their face for facial recognition will not be able to enter the park ever”. That, however, is the key claim in Guo’s lawsuit against the Park.

That said, Guo’s case is still significant as the first lawsuit to challenge the commercial use of facial recognition technology. Citing Guo’s case, China’s Supreme People’s Court (“SPC”) announced that consumers’ privacy must be protected from unwarranted face tracking,[12] a signal that China is tightening the leash on the facial recognition industry.


Judicial interpretation on use of facial recognition

On July 28, 2021, the SPC promulgated the Provisions on Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to Processing of Personal Information by Using the Facial Recognition Technology (the “Provisions”).[13] The Provisions came into force on August 1, 2021.

The Provisions apply to civil cases that involve facial recognition technology. The Provisions set forth that hotels, shopping malls, airports and other commercial venues should not use facial recognition in violation of the laws and administrative regulations. The use of the technology is allowed only when there is a clear legal basis and cannot exceed what is necessary, and companies must take measures to protect the facial data. The Provisions also provide that consent is not a valid legal basis if companies make the provision of products or services conditional on that consent being given, unless the processing of facial information is necessary for the provision of such products or services. Property management companies must obtain the consent of the residents before using facial recognition. In case of refusal of consent, alternative verification methods must be offered.

While the Provisions are not clear on what counts as necessary use, the possibility of penalties from lawsuits is likely to curb some excessive uses of people’s facial data. The Provisions also specify a mechanism for members of the public to sue if their privacy has been violated, and an injunction is also available in cases where irreparable harm would be caused without injunctive relief.


Key Takeaways

·   A thorough impact assessment should be conducted prior to the launch of any facial recognition implementation.

·   For businesses to stay compliant with the PIPL, regardless of the scale and the intent of the use of facial recognition technology, regulatory and professional opinions have to be consulted.

·   Consent should not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller.

·   Consent should be invalid if there is an “opt-in-or-leave” situation, unless the processing of facial data is absolutely necessary for the products or services offered.



After the enactment of the PIPL and the promulgation of the Provisions by China’s Supreme People’s Court, it remains to be seen how the administration will enforce these rules, how the courts will adjudicate lawsuits involving facial recognition, and whether such enforcement and adjudication will actually curb the abuses of facial recognition technology. Whatever the future holds, one thing is certain: businesses must realize that, to advance any frontier technology, building public trust is essential if the public is to enjoy the benefits offered by the technology. Before the public can entrust their sensitive personal data to facial recognition businesses, they must have confidence that the use is necessary, and that the use is lawful, fair, transparent and safely guarded.


[1] See

[2] See The Future of Privacy Forum, Privacy Principles for Facial-Recognition Technology in Commercial Applications (September 2018),

[3] Ibid.

[4] Ibid.

[5] Closed-circuit television (CCTV) or video surveillance refers to camera systems used to transmit signals to a specific location, often with visualization on a limited number of televisions or computer monitors. See Hong Kong Lawyer, CCTV and Privacy Rights (December 2019).

[6] Under the PIPL, sensitive personal information is defined as “the personal information of which the leakage or illegal use could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.” (Art. 28).

[7] The General Data Protection Regulation (EU) 2016/679.

[8] See

[9] GDPR defines “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. See

[10] See

[11] See

[12] See

[13] See

