Language

All About Face: Use of Facial Recognition and Legal Restrictions

All About Face: Use of Facial Recognition and Legal Restrictions

 

Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: November 10, 2021

 

Introduction

From public places laden with facial verification cameras to residential buildings that shut strangers out with facial identification requirements, facial recognition technology is being used almost everywhere in China which has contributed to the low criminal rates and high level of public security, earning China the reputation as one of the safest places in the world to travel around.[1] Beyond the bright side, there has been at least one dark side to the overwhelming use of cameras-the possible leaks of people’s biometric identification information to outlaws and hackers. Nowadays, the public becomes increasingly concerned about providing their facial data to various service providers. The calls for safeguarding and curbing excessive uses of people’s facial data are on the rise.

 

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), has become effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing should obtain consent from users in order to collect/process the users’ data.

To address the increasing public concerns of the necessity to curb the abuses of people’s biometric data, the PIPL specifically regulates the collection of biometric data and the use of facial recognition technology in public areas.

Apart from the enactment of the PIPL, there was a lawsuit in Hangzhou stemming from dispute over the use of facial recognition equipment and a judicial interpretation on the same subject promulgated by the China Supreme People’s Court.

 

What is facial recognition?

No definition is provided under the PIPL or the judicial interpretation. According to The Future of Privacy Forum, the Facial recognition (currently defined to include facial verification and facial identification) means the technology that creates, collects, compares and retains facial templates that are identified or identifiable to particular individuals.[2]

Facial verification means a task where the facial recognition system confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image. This process is also called one-to-one verification, or authentication.[3] 

Facial Identification means searching a database for a reference matching a submitted facial template and returning a corresponding identity, also known as “one-to-many” matching.[4]

From the above definitions, it can be deduced that facial recognition technology is not an equivalent of the conventional public camera surveillance[5] because it involves more than passive facial scanning and recording. If the usage of public surveillance camera involves no creation of personably identifiable facial templates which are identified or linked, or identifiable or linkable to individuals, it would neither constitute “facial recognition” nor arouse the same type of privacy concerns discussed under this article.

 

PIPL on facial recognition

 

1) processing of facial recognition data

Under the PIPL, facial recognition data, being a type of the biometric identification information, are classified under a specific category of information, sensitive personal information,[6] that must be treated with the following extra safeguarding:

1)   Personal information processors may not process sensitive personal information unless there are specific purposes and sufficient necessity, and strict protection measures are taken (Art. 28);

2)   An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail (Art. 29); and

3)   To process sensitive personal information, personal information processors shall, notify individuals of the following:

    (a) identity of the processor (Art. 17);

    (b) purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods (Art. 17);

    (c) methods and procedures for individuals to exercise their rights (Art. 17);

    (d) necessity of the processing of sensitive personal information (Art. 30); and

    (e) the impacts on individuals’ rights and interests, except that it is not required by this Law to so notify (Art. 30).

 

2) use of facial recognition technology in public areas

Regarding the use of facial recognition technology in public areas, the PIPL provides as follows:

1)   The installation of image collection or personal identification equipment in public areas shall be necessary for maintaining public security and comply with relevant regulations issued by the state (Art. 26);

2)   Conspicuous signs shall be erected (Art. 26); and

3)   The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals (Art. 26).

The above provisions basically provide that the use of facial recognition technology in public areas is only allowed for the purpose of maintaining public security where conspicuous signs shall be erected. It cannot be used for marketing, targeted advertising or any other commercial purposes, unless separate consent of individuals has been obtained.

One has but one face. Facial information is of a unique and unchangeable character for the individuals. As improper disclosures of facial data can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that facial data be specifically categorized and appropriately protected. The PIPL’s position in regulating the use of facial recognition data echoes with that of the GDPR. [7]

 

A GDPR decision on the use of facial recognition

A decision handed down in August 2019 under the GDPR could shed some light on the position taken by the GDPR towards the use of facial recognition data. The Swedish Data Protection Authority (“DPA”) has imposed a fine of approximately 20,000 euros upon a municipality for using facial recognition technology to monitor the attendance of students in school. The school in northern Sweden has conducted a trial program using facial recognition to keep track of students’ attendance in school. The students’ guardians were asked to give and gave explicit consent and they also had the option of excluding their child from the program. The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller. The Swedish DPA concluded the school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA. [8]

Under the GDPR, biometric data, [9] including that generated through facial recognition technology, is protected as a special category of personal data since it is uniquely and strongly identifying to a person. The GDPR prohibits the processing of such data unless there is explicit consent, a legal obligation or public interest. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.[10] Judging from the clear imbalance between the students/their guardians and the school in the above case, the Swedish Data Protection Authority held the school liable under the GDPR for unlawfully processing the students’ facial data.

 

First lawsuit over facial recognition in China

Interestingly in contrast with the Swedish school case, also happened in 2019 and before the enactment of the PIPL, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park constituted a breach of the contract between the plaintiff and the Park.

Guo Bing, an associate law professor in Hangzhou city, filed a civil lawsuit against Hangzhou Safari Park in late 2019 after the Park required a facial identification process for his annual membership pass. He argued the Hangzhou Safari Park has no legal basis to collect visitors’ biometric data. Both courts in the first instance and second instance ruled in favor of Guo Bing, ordering the Park to refund him and delete his facial data and fingerprints.[11]

However, the courts’ judgements are criticized for being too narrow and also for the failure to touch on the legitimacy of the Park’s overbearing policy which mandated facial identification for entry. From the perspective of contract law, the courts of first and second instance ruled that the Park’s requirement of facial recognition to enter the park does not have legal effect on Guo contractually, but the courts avoided the review of the arbitrary clause that 'users who have not registered their face for facial recognition will not be able to enter the park ever'. That is however the key claim in Guo’s lawsuit against the Park.

 The above being said, Guo’s case is still significant as the first lawsuit to challenge the commercial use of facial recognition technology. Citing Guo’s case, China’s Supreme People’s Court (“SPC”) announced that consumers’ privacy must be protected from unwarranted face tracking,[12] a signal that China is tightening the leash on the facial recognition industry.

 

Judicial interpretation on use of facial recognition

On July 28, 2021 the SPC promulgated the Provisions (the “Provisions”) on several issues concerning the application of law in the trial of civil cases relating to processing of personal information by using the facial recognition technology.[13] The Provisions came into force on August 1, 2021.

The Provisions apply to civil cases that involve facial recognition technology. The Provisions set forth that hotels, shopping malls, airports and other commercial venues should not use facial recognition in violation of the laws and administrative regulations. The use of the technology is only allowed when there is clear legal basis and cannot exceed what is necessary, and companies must take measures to protect the facial data. The Provisions also provide that consent is not a valid legal basis if companies denied providing products or services on the condition that a consent is given, unless the processing of facial information is necessary for the provision of such products or services. Property management companies must obtain the consent of the residents before using facial recognition. In case of refusal of consent, alternative verification methods must be offered.

While the Provisions are not clear on what counts as necessary use, the possibility of penalties from lawsuits is likely to curb some excessive uses of people’s facial data. The Provisions also specifies a mechanism for the public to sue if their privacy has been violated and option for injunction is also available in cases where irreparable harm would be caused without an injunctive relief.

 

Key Takeaways

·   Thorough impact assessment should be conducted prior to the launching of any facial recognition implementation.

·   For businesses to stay compliant with the PIPL, despite the scale and the intent of the use of facial recognition technology, regulatory and professional opinions have to be consulted.

·   Consent should not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller.

·   Consent should be invalid if there is an “opt-in-or-leave” situation, unless the processing of facial data is absolutely necessary for the products or services offered.

 

Conclusion

After the enactment of the PIPL and the China Supreme People’s Court’s promulgation of the Provisions, it remains to be seen how the administration will enforce these rules, how the courts will adjudicate in lawsuits involving facial recognition and whether such enforcement/adjudication will actually curb the abuses of facial recognition technology. For whatever the future holds, one thing is certain: businesses must realize that to advance any frontier technology, building public trust is essential to the effectuation that the public can enjoy the benefits offered by the technology. Before the public can entrust their sensitive personal data to the facial recognition businesses, they must have confidence that the use is with necessity, and that the use is lawful, fair, transparent and also safely guarded.



 



[1] See https://www.globaltimes.cn/content/1067645.shtml.

[2] See The Future of Privacy Forum, Privacy Principles for Facial-Recognition Technology in Commercial Applications (September 2018), https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf.

[3] Ibid.

[4] Ibid.

[5] Closed-circuit television (CCTV) or video surveillance is camera systems used to transmit signals to a specific location often with visualization on a limited number of televisions or computer monitors. See Hong Kong Lawyer, CCTV and Privacy Rights (December 2019).

[6]  Under the PIPL, sensitive personal information is defined as “the personal information of which the leakage or illegal use   could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including    information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.” (Art. 28).

[7] The General Data Protection Regulation (EU) 2016/679.

[8] See https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_sv.

[9] GDPR defines “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. See https://gdpr-info.eu/art-4-gdpr/.

[10] See https://www.privacy-regulation.eu/en/recital-43-GDPR.htm.

[11] See https://xw.qq.com/cmsid/20201120A0EPDD00.

[12] See https://m.thepaper.cn/baijiahao_13819929.

[13] See http://en.pkulaw.cn/Display.aspx?Lib=law&Id=36687&keyword.


  • 相关资讯 More
  • 点击次数: 4
    2023 - 02 - 03
    作者:刘文娟国家知识产权局于近日发布了《商标法修订草案(征求意见稿)》(以下简称“修订草案”),公开征求对商标法的修改意见。在上述修订草案中,我们可以欣喜地发现,立法机关已经开始在立法层面纠正目前商标注册“注而不用”、授权程序冗长繁复、恶意注册非法成本低的弊端。笔者仅就修订草案中涉及商标使用及打击恶意注册的部分进行分析,供大家参考。 第一, 修订草案增加了注册商标权利人主动提交商标使用说明的义务; 此条款借鉴了美国等国家关于商标注册人主动提交商标使用证据的相关规定,是对商标权利人最重要的修改条款。修订草案第六十一条规定,商标注册人应当自商标核准注册之日起每满五年之后的十二个月内,向国务院知识产权行政部门说明该商标在核定商品上的使用情况或者不使用的正当理由。 为了不过度增加权利人的举证义务且要达到督促注册商标使用、清理闲置商标的目的,对商标权利人主动提交商标使用说明的举证标准显然不能等同于撤销注册商标连续三年不使用申请中权利人的举证标准。然而为了不架空本条款,尚有待建立权利人承诺制度及诚信等级,督促商标权的实际使用。 第二,修订草案规定申请人不得重复申请、注册商标; 修订草案第十四条及第二十一条规定,申请注册的商标不得与申请人在同一种商品上在先申请、已经注册或者在申请日前一年内被公告注销、撤销、宣告无效的在先商标相同。 理想情况下,此条款本应是区分性知识产权的应有之意,商标权的可续展性决定了一件商标授权足以满足权利的正常使用。此条规定若能正确执行,将大量有效减少商标恶意注册行为。为规避商标法对商标使用的要求,不少恶意注册人采取“接力式注册商标”,不断重新申请已被撤销或无效宣告的商标,极大增加了权利人的维权成本。 然而,在实践中,因为权利人无法及时清理在先商标的阻碍,不得已需要“接力式申请”,以避免...
  • 点击次数: 6
    2023 - 01 - 13
    作者:李标田经常有人咨询,对方坚决不同意同意,说拖也要拖死我的,在离婚案件中,被告到底能拖多久?今天就从法律层面和大家分享一下这个问题,在弄清楚能拖多久之前,我们先梳理一下我国现行的离婚方式。我国现行的离婚只有二种方式,一种是协议离婚,另一种是诉讼离婚。协议离婚就是夫妻双方都同意离婚,并且双方对孩子抚养权、抚养费、探视权以及财产如何分割等问题达成协议,双方自愿去民政局申请离婚登记,然后经过30天的离婚冷静期,双方在去民政局办理离婚手续,这个过程最快需要32天。如果一方不同意离婚,或者对孩子抚养权、抚养费、探视权以及财产如何分割等问题达不成协议,而另一方又坚定离婚,这个时候就不能协议离婚了,只能去法院诉讼离婚,诉讼离婚能否成功?以及被告就是不同意离婚,最长能拖多久?根据《民法典》相关条款的规定,法院认定应该判决离婚的唯一标准是夫妻之间感情破裂,在离婚诉讼中法院如何认定夫妻之间感情破裂?又分为2种情况,一种是有法定的感情破裂判决离婚认定标准,另一种就是没有法定认定感情破裂的标准,而是根据法院实务经验总结出来的认定标准。我们分别来讨论,先分析《民法典》第一千零七十九条的规定法定判决离婚情况,主要有以下几种:有下列情形之一,调解无效的,应当准予离婚:(一)重婚或者与他人同居;(二)实施家庭暴力或者虐待、遗弃家庭成员;(三)有赌博、吸毒等恶习屡教不改;(四)因感情不和分居满二年;(五)其他导致夫妻感情破裂的情形。经人民法院判决不准离婚后,双方又分居满一年,一方再次提起离婚诉讼的,应当准予离婚。针对上述的规定,我们一一分析。第一种是重婚或者与他人同居,这儿需要注意的,民法典规定的是重婚或与他人同居,而不是出轨,根据最高人民法院关于适用《中华人民共和国民法典》婚姻家庭编的解释(一)的第二条:“民法典第一千零四十二条、第一千零七十九条、第一千零九十一条规定的“与他人同居”的情形,是指有配偶...
  • 点击次数: 11
    2022 - 12 - 30
    作者:张琳为了保护公司的商业秘密,公司可与负有保密义务的员工签订竞业限制协议,限制员工在离职后的一定期限内不得到与公司存在竞争关系的其他公司工作或自己经营、从事同类业务。竞业限制在保护公司商业秘密的同时,对员工的择业自由构成了一定的限制,因此公司通过在竞业限制期限内向员工支付经济补偿的方式弥补员工因此可能遭受的损失。竞业限制协议主要是为了保护公司的商业秘密,因此相关法律和司法解释赋与公司任意解除权,但对员工的解除权进行了较为严格的限制,仅在《最高人民法院关于审理劳动争议案件适用法律问题的解释(一)》(2021年1月1日实施)第三十八条规定:“当事人在劳动合同或者保密协议中约定了竞业限制和经济补偿,劳动合同解除或者终止后,因用人单位的原因导致三个月未支付经济补偿,劳动者请求解除竞业限制约定的,人民法院应予支持。”但是,由于有些员工对竞业限制解除的相关法律规定认识不足,认为只要公司不按时支付竞业限制经济补偿,员工就不用履行竞业限制义务,导致在实践中产生了大量的劳动纠纷。现本文拟通过北京地区的二个案例来分析和探讨上述法律问题。由于各地和不同时期的司法实践有所差异,本文的分析过程可能不够全面系统,分析结果仅供大家参考借鉴。一、案例简介案例一:北京市东城区人民法院(2015)东民初字第02422号一审民事判决书、北京市第二中级人民法院(2015)二中民终字第05775号二审民事判决书刘先生与某金融设备公司于2011年7月4日签订劳动合同,2014年10月10日签订竞业限制协议,约定竞业限制期间为劳动合同解除或终止后6个月内,列举了相应的竞争公司,约定了竞业限制补偿费标准且第一个月的竞业限制补偿费将由劳动关系终止或解除的工资结算同时发放至刘先生的工资卡,以后每月的竞业限制补偿将于每月发薪日转账至被告工资卡,还约定了任何一方违反竞业限制约定,违约方应向另一方支付竞业限制违约金,数额为已付...
  • 点击次数: 7
    2022 - 12 - 23
    作者:金涟伊2021年10月28日发布的《“十四五”国家知识产权保护和运用规划》中指出,要“推动企业实施商标品牌战略,加强商标品牌资产管理,强化商标使用导向,支持开展海外商标布局,培育具有市场竞争力、国际影响力的知名商标品牌”。加强建设高质量的商标品牌,企业可以从做好商标管理做起,注册商标和未注册商标的管理重点略有区别。 一、注册商标的管理 注册商标是由企业向国家知识产权局提交申请,经国家知识产权局审核通过并公告注册的商标。商标注册后可获得商标注册证,列明该商标的注册号、商标标识、核定使用商品或服务类别及项目、注册人、注册人地址、注册日期及有效期等信息。商标注册证记载该商标的关键信息,是商标注册人拥有商标专用权的重要凭证,企业应当注意留存。并且商标专用权届满前,企业应根据需要及时续展。 实践中,为向公众宣告商标已获准注册,企业可在使用注册商标时在该商标右上角标注注册商标标志“®”,同时应在使用中注意以下几点: 1、 应注意保存使用证据 根据商标法第四十九条的规定,注册商标没有正当理由连续三年不使用的,任何单位或者个人可以向商标局申请撤销该注册商标。合法合规地使用注册商标并妥善留存商标使用证据是企业商标管理的重点内容。 商标使用证据的主要形式可分为书面材料及实物材料。书面材料包括交易文书、产品检验报告、加工销售合同发票、宣传海报、媒体广告材料、荣誉资质证书等;实物材料包括承载商标的产品容器、标签、说明手册、包装盒、服务场所装潢等。如需提交复印件或照片的,应委托公证机关办理公证。 2、 应注意维护商标专用权 商标获准注册后,商标注册人便在核定使用的商品服务上享有商标专用权,可对侵犯其商标专用权的情况主动进行商标行政、司法保护,以维护合法权益。积极维护商标权有助于企业建立...
× 扫一扫,关注微信公众号
北京市铭盾律师事务所 www.mdlaw.cn
Copyright© 2008 - 2020北京市铭盾律师事务所京ICP备09063742号-1犀牛云提供企业云服务
X
1

QQ设置

3

SKYPE 设置

4

阿里旺旺设置

5

电话号码管理

6

二维码管理

展开