Language

All About Face: Use of Facial Recognition and Legal Restrictions

All About Face: Use of Facial Recognition and Legal Restrictions

 

Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: November 10, 2021

 

Introduction

From public places laden with facial verification cameras to residential buildings that shut strangers out with facial identification requirements, facial recognition technology is being used almost everywhere in China which has contributed to the low criminal rates and high level of public security, earning China the reputation as one of the safest places in the world to travel around.[1] Beyond the bright side, there has been at least one dark side to the overwhelming use of cameras-the possible leaks of people’s biometric identification information to outlaws and hackers. Nowadays, the public becomes increasingly concerned about providing their facial data to various service providers. The calls for safeguarding and curbing excessive uses of people’s facial data are on the rise.

 

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), has become effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing should obtain consent from users in order to collect/process the users’ data.

To address the increasing public concerns of the necessity to curb the abuses of people’s biometric data, the PIPL specifically regulates the collection of biometric data and the use of facial recognition technology in public areas.

Apart from the enactment of the PIPL, there was a lawsuit in Hangzhou stemming from dispute over the use of facial recognition equipment and a judicial interpretation on the same subject promulgated by the China Supreme People’s Court.

 

What is facial recognition?

No definition is provided under the PIPL or the judicial interpretation. According to The Future of Privacy Forum, the Facial recognition (currently defined to include facial verification and facial identification) means the technology that creates, collects, compares and retains facial templates that are identified or identifiable to particular individuals.[2]

Facial verification means a task where the facial recognition system confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image. This process is also called one-to-one verification, or authentication.[3] 

Facial Identification means searching a database for a reference matching a submitted facial template and returning a corresponding identity, also known as “one-to-many” matching.[4]

From the above definitions, it can be deduced that facial recognition technology is not an equivalent of the conventional public camera surveillance[5] because it involves more than passive facial scanning and recording. If the usage of public surveillance camera involves no creation of personably identifiable facial templates which are identified or linked, or identifiable or linkable to individuals, it would neither constitute “facial recognition” nor arouse the same type of privacy concerns discussed under this article.

 

PIPL on facial recognition

 

1) processing of facial recognition data

Under the PIPL, facial recognition data, being a type of the biometric identification information, are classified under a specific category of information, sensitive personal information,[6] that must be treated with the following extra safeguarding:

1)   Personal information processors may not process sensitive personal information unless there are specific purposes and sufficient necessity, and strict protection measures are taken (Art. 28);

2)   An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail (Art. 29); and

3)   To process sensitive personal information, personal information processors shall, notify individuals of the following:

    (a) identity of the processor (Art. 17);

    (b) purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods (Art. 17);

    (c) methods and procedures for individuals to exercise their rights (Art. 17);

    (d) necessity of the processing of sensitive personal information (Art. 30); and

    (e) the impacts on individuals’ rights and interests, except that it is not required by this Law to so notify (Art. 30).

 

2) use of facial recognition technology in public areas

Regarding the use of facial recognition technology in public areas, the PIPL provides as follows:

1)   The installation of image collection or personal identification equipment in public areas shall be necessary for maintaining public security and comply with relevant regulations issued by the state (Art. 26);

2)   Conspicuous signs shall be erected (Art. 26); and

3)   The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals (Art. 26).

The above provisions basically provide that the use of facial recognition technology in public areas is only allowed for the purpose of maintaining public security where conspicuous signs shall be erected. It cannot be used for marketing, targeted advertising or any other commercial purposes, unless separate consent of individuals has been obtained.

One has but one face. Facial information is of a unique and unchangeable character for the individuals. As improper disclosures of facial data can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that facial data be specifically categorized and appropriately protected. The PIPL’s position in regulating the use of facial recognition data echoes with that of the GDPR. [7]

 

A GDPR decision on the use of facial recognition

A decision handed down in August 2019 under the GDPR could shed some light on the position taken by the GDPR towards the use of facial recognition data. The Swedish Data Protection Authority (“DPA”) has imposed a fine of approximately 20,000 euros upon a municipality for using facial recognition technology to monitor the attendance of students in school. The school in northern Sweden has conducted a trial program using facial recognition to keep track of students’ attendance in school. The students’ guardians were asked to give and gave explicit consent and they also had the option of excluding their child from the program. The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller. The Swedish DPA concluded the school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA. [8]

Under the GDPR, biometric data, [9] including that generated through facial recognition technology, is protected as a special category of personal data since it is uniquely and strongly identifying to a person. The GDPR prohibits the processing of such data unless there is explicit consent, a legal obligation or public interest. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.[10] Judging from the clear imbalance between the students/their guardians and the school in the above case, the Swedish Data Protection Authority held the school liable under the GDPR for unlawfully processing the students’ facial data.

 

First lawsuit over facial recognition in China

Interestingly in contrast with the Swedish school case, also happened in 2019 and before the enactment of the PIPL, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park constituted a breach of the contract between the plaintiff and the Park.

Guo Bing, an associate law professor in Hangzhou city, filed a civil lawsuit against Hangzhou Safari Park in late 2019 after the Park required a facial identification process for his annual membership pass. He argued the Hangzhou Safari Park has no legal basis to collect visitors’ biometric data. Both courts in the first instance and second instance ruled in favor of Guo Bing, ordering the Park to refund him and delete his facial data and fingerprints.[11]

However, the courts’ judgements are criticized for being too narrow and also for the failure to touch on the legitimacy of the Park’s overbearing policy which mandated facial identification for entry. From the perspective of contract law, the courts of first and second instance ruled that the Park’s requirement of facial recognition to enter the park does not have legal effect on Guo contractually, but the courts avoided the review of the arbitrary clause that 'users who have not registered their face for facial recognition will not be able to enter the park ever'. That is however the key claim in Guo’s lawsuit against the Park.

 The above being said, Guo’s case is still significant as the first lawsuit to challenge the commercial use of facial recognition technology. Citing Guo’s case, China’s Supreme People’s Court (“SPC”) announced that consumers’ privacy must be protected from unwarranted face tracking,[12] a signal that China is tightening the leash on the facial recognition industry.

 

Judicial interpretation on use of facial recognition

On July 28, 2021 the SPC promulgated the Provisions (the “Provisions”) on several issues concerning the application of law in the trial of civil cases relating to processing of personal information by using the facial recognition technology.[13] The Provisions came into force on August 1, 2021.

The Provisions apply to civil cases that involve facial recognition technology. The Provisions set forth that hotels, shopping malls, airports and other commercial venues should not use facial recognition in violation of the laws and administrative regulations. The use of the technology is only allowed when there is clear legal basis and cannot exceed what is necessary, and companies must take measures to protect the facial data. The Provisions also provide that consent is not a valid legal basis if companies denied providing products or services on the condition that a consent is given, unless the processing of facial information is necessary for the provision of such products or services. Property management companies must obtain the consent of the residents before using facial recognition. In case of refusal of consent, alternative verification methods must be offered.

While the Provisions are not clear on what counts as necessary use, the possibility of penalties from lawsuits is likely to curb some excessive uses of people’s facial data. The Provisions also specifies a mechanism for the public to sue if their privacy has been violated and option for injunction is also available in cases where irreparable harm would be caused without an injunctive relief.

 

Key Takeaways

·   Thorough impact assessment should be conducted prior to the launching of any facial recognition implementation.

·   For businesses to stay compliant with the PIPL, despite the scale and the intent of the use of facial recognition technology, regulatory and professional opinions have to be consulted.

·   Consent should not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller.

·   Consent should be invalid if there is an “opt-in-or-leave” situation, unless the processing of facial data is absolutely necessary for the products or services offered.

 

Conclusion

After the enactment of the PIPL and the China Supreme People’s Court’s promulgation of the Provisions, it remains to be seen how the administration will enforce these rules, how the courts will adjudicate in lawsuits involving facial recognition and whether such enforcement/adjudication will actually curb the abuses of facial recognition technology. For whatever the future holds, one thing is certain: businesses must realize that to advance any frontier technology, building public trust is essential to the effectuation that the public can enjoy the benefits offered by the technology. Before the public can entrust their sensitive personal data to the facial recognition businesses, they must have confidence that the use is with necessity, and that the use is lawful, fair, transparent and also safely guarded.



 



[1] See https://www.globaltimes.cn/content/1067645.shtml.

[2] See The Future of Privacy Forum, Privacy Principles for Facial-Recognition Technology in Commercial Applications (September 2018), https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf.

[3] Ibid.

[4] Ibid.

[5] Closed-circuit television (CCTV) or video surveillance is camera systems used to transmit signals to a specific location often with visualization on a limited number of televisions or computer monitors. See Hong Kong Lawyer, CCTV and Privacy Rights (December 2019).

[6]  Under the PIPL, sensitive personal information is defined as “the personal information of which the leakage or illegal use   could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including    information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.” (Art. 28).

[7] The General Data Protection Regulation (EU) 2016/679.

[8] See https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_sv.

[9] GDPR defines “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. See https://gdpr-info.eu/art-4-gdpr/.

[10] See https://www.privacy-regulation.eu/en/recital-43-GDPR.htm.

[11] See https://xw.qq.com/cmsid/20201120A0EPDD00.

[12] See https://m.thepaper.cn/baijiahao_13819929.

[13] See http://en.pkulaw.cn/Display.aspx?Lib=law&Id=36687&keyword.


  • 相关资讯 More
  • 点击次数: 999999
    2025 - 05 - 16
    作者:张嘉畅2025年4月21日,在世界知识产权日来临之际,最高人民法院举行了知识产权宣传周新闻发布会,并在会上发布2024年人民法院知识产权典型案例。其中第八案,浙江省东阳市人民法院(2024)浙0783刑初585号案为著作权侵权案件。侵权人最终被认定触犯侵犯著作权罪,刑期最高长达4年,最低有期徒刑10个月(缓刑1年零4个月)。此外,3名侵权人还被处以最高150万元的民事罚金。在本案当中,被告陆某某自2020年起,开设了多个违规盗版视频网站,未经权利人授权许可,非法向公众提供各类影视作品。另外两被告季某某、方某明在明知陆某某开设的网站为违规网站的情况下,依然向其出售影视网站模板,并持续为其提供技术服务,共计收取6990余元。在此期间,陆某某与非法广告商合作,在其开设的盗版网站上投放涉黄、涉赌广告,广告费收入超过148万元人民币。2024年初,3名被告人被公安机关抓获归案,公诉机关指控三被告人触犯《中华人民共和国刑法》第二百一十七条侵犯著作权罪。又因上述盗版网站大量传播当时影院热映的《飞驰人生2》、《第二十条》、《热辣滚烫》等贺岁档电影,各电影出品方提起了附带民事诉讼,要求被告人赔偿经济损失。浙江省东阳市人民法院一审认定,被告人陆某某以盈利为目的,未经著作权人许可,通过信息网络向公众传播他人视听作品,违法所得数额巨大;被告人方某、季某某明知他人侵犯著作权仍提供帮助,以上被告人均构成侵犯著作权罪。综合在案事实,法院最终判处被告人陆某某有期徒刑四年,并处罚金150万元;被告人方某有期徒刑一年,缓刑一年六个月,并处罚金1.6万元;被告人季某某有期徒刑十个月,缓刑一年四个月,并处罚金1万元;被告人陆某某赔偿附带民事诉讼各原告人经济损失共计88万元。本案判决充分彰显了知识产权民事、刑事、行政“三合一”审判模式的效能。它不仅妥善解决了各被告人的定罪及量刑问题,还有效处理了被害人的民事赔...
  • 点击次数: 1000002
    2025 - 05 - 09
    作者:陈巴特将银行账户借给父亲临时周转,儿子凭什么要承担还款责任?这或许是很多人的第一反应。正是因为持有这种想法的人很多,现实生活中,亲友、同事甚至企业和员工之间,借用银行账户的情形大量存在。殊不知,出借银行账户,出借人存在很大法律风险,很可能和借款人或债务人承担连带责任或补充责任。一定条件下,出借人甚至可能构成犯罪。一、基本案情陈某与张某系多年好友关系。2021年初,陈某因资金周转需要,向张某提出借款30万元,月利率为1%,按月还息,先息后本,两年还清。张某考虑双方好友关系以及有利可图,便同意借款。因张某在农业银行账户有足够的活期存款可使用,遂要求陈某使用农业银行账户接收借款。又因陈某此前未开设农业银行账户,故在未向儿子陈小某告知用途的情况下,借用儿子的农业银行账户,并指示张某将借款转入该账户。于是,张某将30万元借款转入陈小某的农业银行账户。陈小某对父亲陈某使用其银行账户借款并不知情,亦未实际使用该借款。 借款期限届满后,陈某只偿还了一年的利息。张某多次催讨,陈某虽向张某承诺一定会偿还剩余借款本息,但其迟迟未予偿还。张某忍无可忍,将陈某和陈小某一同诉至人民法院,要求陈某偿还本息,陈小某承担连带清偿责任。二、争议焦点庭审中,原告张某提交的证据《借条》和《银行交易明细清单》,能充分证明陈某向其借款及偿还了一年利息的事实,被告陈某亦完全认可尚未偿还的借款本息金额且愿意偿还。但是,双方在陈小某是否应当承担连带还款责任的问题上,产生重大分歧。法庭围绕该争议焦点展开辩论。原告张某主张:首先,原告虽要求陈某提供农业银行账户接收借款,但陈某完全可以亲自到农业银行新开设自己的农业银行账户,不必借用其儿子陈小某的农业银行账户接收借款。 其次,被告陈某和陈小某系父子关系,原告完全有理由相信陈某借用陈小某的农业银行账户时向陈小某告知了用途,陈小某对自己的农业银行账户接收张某...
  • 点击次数: 1000007
    2025 - 04 - 25
    作者:常春摘要:在当今激烈的商业竞争中,知识产权已成为企业核心竞争力的重要组成部分。然而,随着知识产权保护意识的增强和权利类型的多样化,不同知识产权之间的冲突也日益凸显。特别是外观设计专利权与商标权之间的冲突,近年来在汽车、鞋服、电子产品等领域频繁发生。本文将通过国家知识产权局公布的"汽车"外观设计专利无效案(第57220号决定)和"运动鞋"外观设计专利维持有效案(第563861号决定)两起典型案例,深入剖析外观设计专利权与在先商标权冲突的法律适用标准、判断方法及实务应对策略,并给出乐法律适用标准的系统梳理与前瞻思考。 一、外观设计与商标权冲突的法律框架与理论基础知识产权体系中的外观设计专利权与商标权在保护客体和功能上存在本质差异,却又在实践中常常产生交叉与冲突。我国《专利法》第二条第四款明确规定:"外观设计,是指对产品的整体或者局部的形状、图案或者其结合以及色彩与形状、图案的结合所作出的富有美感并适于工业应用的新设计。"而《商标法》第八条则规定,任何能够将自然人、法人或者其他组织的商品与他人的商品区别开的标志,包括文字、图形、字母、数字、三维标志、颜色组合和声音等,以及上述要素的组合,均可以作为商标申请注册。这两种权利在保护目的上各有侧重——外观设计专利保护的是产品具有美感的创新设计,防止他人未经许可实施该设计;商标权保护的则是识别商品或服务来源的标志,防止他人使用相同或近似标志造成市场混淆。 正是由于外观设计中可能包含具有识别功能的图案、色彩等元素,而商标也可能具有装饰性美感,二者在特定情况下会产生保护客体的重合。《专利法》第二十三条第三款专门针对这一问题作出规定:"授予专利权的外观设计不得与他人在申请日以前已经取得的合法权利相冲突。"这一条款确立了商标权等在先权利对外观...
  • 点击次数: 100010
    2025 - 04 - 18
    作者:王辉对于待岗没有合同约定,亦没有制度规定,就待岗事宜也未与员工协商一致,用人单位仅凭一纸通知强行安排员工待岗,在该种情况下,员工如何通过法律手段维权?且看下文案例及本文律师浅见。一、实务案例◆案例1:(2023)京01民终3298号某股份公司与李某签订了自2013年8月26日起的无固定期限劳动合同。2021年1月18日某股份公司向李某发送内容为《待岗通知书》的电子邮件,载明“……一、待岗原因。因公司业务调整,您所在部门整体撤销,而您未服从调岗也未竞聘新的岗位,造成目前无部门和岗位接收,已待岗数月,经数次协商,截至目前未就变更劳动合同达成一致意见,考虑到稳定员工就业关系及基本生活保障,以及企业现实困难等因素,公司不行使劳动合同单方解除权,即日起通知待岗。二、待岗起始时间:2021年1月18日。三、待岗终止时间:竞聘公司新岗位成功。四、待岗期间待遇:……按照工作所在地最低工资标准发放,……待岗期间,公司不安排工作任务,无特殊情况不需到岗。……待岗期间相关补助不再发放……”2021年1月20日李某回复邮件称“对于公司2021年1月18日出具的待岗通知书,我完全不认可并且不接受。后李某以要求某股份公司支付工资为由,向北京市海淀区劳动人事争议仲裁委员会提出申请,该委作出京海劳人仲字[2021]第9220号裁决书。李某对裁决不服提起诉讼,主张某股份公司应向其支付自2020年9月26日至2021年7月25日期间的工资差额共计306590.53元。一审法院认为,某股份公司通知李某自2021年1月18日起待岗,李某明确表示不同意待岗,并经常询问工作任务,某股份公司并未安排工作。某股份公司未举证证明存在企业停产停业等合法合理安排待岗的情形,亦未就待岗安排及待岗期间的待遇与李某达成协商一致,应自行承担相应法律后果。因此,被安排待岗期间李某之所以未能正常提供劳动,系因某股份公司未依据劳动合同...
× 扫一扫,关注微信公众号
铭盾MiNGDUN www.mdlaw.cn
Copyright© 2008 - 2025 铭盾京ICP备09063742号-1犀牛云提供企业云服务
X
1

QQ设置

3

SKYPE 设置

4

阿里旺旺设置

5

电话号码管理

6

二维码管理

展开