Language

All About Face: Use of Facial Recognition and Legal Restrictions

All About Face: Use of Facial Recognition and Legal Restrictions

 

Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: November 10, 2021

 

Introduction

From public places laden with facial verification cameras to residential buildings that shut strangers out with facial identification requirements, facial recognition technology is being used almost everywhere in China which has contributed to the low criminal rates and high level of public security, earning China the reputation as one of the safest places in the world to travel around.[1] Beyond the bright side, there has been at least one dark side to the overwhelming use of cameras-the possible leaks of people’s biometric identification information to outlaws and hackers. Nowadays, the public becomes increasingly concerned about providing their facial data to various service providers. The calls for safeguarding and curbing excessive uses of people’s facial data are on the rise.

 

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), has become effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing should obtain consent from users in order to collect/process the users’ data.

To address the increasing public concerns of the necessity to curb the abuses of people’s biometric data, the PIPL specifically regulates the collection of biometric data and the use of facial recognition technology in public areas.

Apart from the enactment of the PIPL, there was a lawsuit in Hangzhou stemming from dispute over the use of facial recognition equipment and a judicial interpretation on the same subject promulgated by the China Supreme People’s Court.

 

What is facial recognition?

No definition is provided under the PIPL or the judicial interpretation. According to The Future of Privacy Forum, the Facial recognition (currently defined to include facial verification and facial identification) means the technology that creates, collects, compares and retains facial templates that are identified or identifiable to particular individuals.[2]

Facial verification means a task where the facial recognition system confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image. This process is also called one-to-one verification, or authentication.[3] 

Facial Identification means searching a database for a reference matching a submitted facial template and returning a corresponding identity, also known as “one-to-many” matching.[4]

From the above definitions, it can be deduced that facial recognition technology is not an equivalent of the conventional public camera surveillance[5] because it involves more than passive facial scanning and recording. If the usage of public surveillance camera involves no creation of personably identifiable facial templates which are identified or linked, or identifiable or linkable to individuals, it would neither constitute “facial recognition” nor arouse the same type of privacy concerns discussed under this article.

 

PIPL on facial recognition

 

1) processing of facial recognition data

Under the PIPL, facial recognition data, being a type of the biometric identification information, are classified under a specific category of information, sensitive personal information,[6] that must be treated with the following extra safeguarding:

1)   Personal information processors may not process sensitive personal information unless there are specific purposes and sufficient necessity, and strict protection measures are taken (Art. 28);

2)   An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail (Art. 29); and

3)   To process sensitive personal information, personal information processors shall, notify individuals of the following:

    (a) identity of the processor (Art. 17);

    (b) purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods (Art. 17);

    (c) methods and procedures for individuals to exercise their rights (Art. 17);

    (d) necessity of the processing of sensitive personal information (Art. 30); and

    (e) the impacts on individuals’ rights and interests, except that it is not required by this Law to so notify (Art. 30).

 

2) use of facial recognition technology in public areas

Regarding the use of facial recognition technology in public areas, the PIPL provides as follows:

1)   The installation of image collection or personal identification equipment in public areas shall be necessary for maintaining public security and comply with relevant regulations issued by the state (Art. 26);

2)   Conspicuous signs shall be erected (Art. 26); and

3)   The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals (Art. 26).

The above provisions basically provide that the use of facial recognition technology in public areas is only allowed for the purpose of maintaining public security where conspicuous signs shall be erected. It cannot be used for marketing, targeted advertising or any other commercial purposes, unless separate consent of individuals has been obtained.

One has but one face. Facial information is of a unique and unchangeable character for the individuals. As improper disclosures of facial data can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that facial data be specifically categorized and appropriately protected. The PIPL’s position in regulating the use of facial recognition data echoes with that of the GDPR. [7]

 

A GDPR decision on the use of facial recognition

A decision handed down in August 2019 under the GDPR could shed some light on the position taken by the GDPR towards the use of facial recognition data. The Swedish Data Protection Authority (“DPA”) has imposed a fine of approximately 20,000 euros upon a municipality for using facial recognition technology to monitor the attendance of students in school. The school in northern Sweden has conducted a trial program using facial recognition to keep track of students’ attendance in school. The students’ guardians were asked to give and gave explicit consent and they also had the option of excluding their child from the program. The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller. The Swedish DPA concluded the school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA. [8]

Under the GDPR, biometric data, [9] including that generated through facial recognition technology, is protected as a special category of personal data since it is uniquely and strongly identifying to a person. The GDPR prohibits the processing of such data unless there is explicit consent, a legal obligation or public interest. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.[10] Judging from the clear imbalance between the students/their guardians and the school in the above case, the Swedish Data Protection Authority held the school liable under the GDPR for unlawfully processing the students’ facial data.

 

First lawsuit over facial recognition in China

Interestingly in contrast with the Swedish school case, also happened in 2019 and before the enactment of the PIPL, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park constituted a breach of the contract between the plaintiff and the Park.

Guo Bing, an associate law professor in Hangzhou city, filed a civil lawsuit against Hangzhou Safari Park in late 2019 after the Park required a facial identification process for his annual membership pass. He argued the Hangzhou Safari Park has no legal basis to collect visitors’ biometric data. Both courts in the first instance and second instance ruled in favor of Guo Bing, ordering the Park to refund him and delete his facial data and fingerprints.[11]

However, the courts’ judgements are criticized for being too narrow and also for the failure to touch on the legitimacy of the Park’s overbearing policy which mandated facial identification for entry. From the perspective of contract law, the courts of first and second instance ruled that the Park’s requirement of facial recognition to enter the park does not have legal effect on Guo contractually, but the courts avoided the review of the arbitrary clause that 'users who have not registered their face for facial recognition will not be able to enter the park ever'. That is however the key claim in Guo’s lawsuit against the Park.

 The above being said, Guo’s case is still significant as the first lawsuit to challenge the commercial use of facial recognition technology. Citing Guo’s case, China’s Supreme People’s Court (“SPC”) announced that consumers’ privacy must be protected from unwarranted face tracking,[12] a signal that China is tightening the leash on the facial recognition industry.

 

Judicial interpretation on use of facial recognition

On July 28, 2021 the SPC promulgated the Provisions (the “Provisions”) on several issues concerning the application of law in the trial of civil cases relating to processing of personal information by using the facial recognition technology.[13] The Provisions came into force on August 1, 2021.

The Provisions apply to civil cases that involve facial recognition technology. The Provisions set forth that hotels, shopping malls, airports and other commercial venues should not use facial recognition in violation of the laws and administrative regulations. The use of the technology is only allowed when there is clear legal basis and cannot exceed what is necessary, and companies must take measures to protect the facial data. The Provisions also provide that consent is not a valid legal basis if companies denied providing products or services on the condition that a consent is given, unless the processing of facial information is necessary for the provision of such products or services. Property management companies must obtain the consent of the residents before using facial recognition. In case of refusal of consent, alternative verification methods must be offered.

While the Provisions are not clear on what counts as necessary use, the possibility of penalties from lawsuits is likely to curb some excessive uses of people’s facial data. The Provisions also specifies a mechanism for the public to sue if their privacy has been violated and option for injunction is also available in cases where irreparable harm would be caused without an injunctive relief.

 

Key Takeaways

·   Thorough impact assessment should be conducted prior to the launching of any facial recognition implementation.

·   For businesses to stay compliant with the PIPL, despite the scale and the intent of the use of facial recognition technology, regulatory and professional opinions have to be consulted.

·   Consent should not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller.

·   Consent should be invalid if there is an “opt-in-or-leave” situation, unless the processing of facial data is absolutely necessary for the products or services offered.

 

Conclusion

After the enactment of the PIPL and the China Supreme People’s Court’s promulgation of the Provisions, it remains to be seen how the administration will enforce these rules, how the courts will adjudicate in lawsuits involving facial recognition and whether such enforcement/adjudication will actually curb the abuses of facial recognition technology. For whatever the future holds, one thing is certain: businesses must realize that to advance any frontier technology, building public trust is essential to the effectuation that the public can enjoy the benefits offered by the technology. Before the public can entrust their sensitive personal data to the facial recognition businesses, they must have confidence that the use is with necessity, and that the use is lawful, fair, transparent and also safely guarded.



 



[1] See https://www.globaltimes.cn/content/1067645.shtml.

[2] See The Future of Privacy Forum, Privacy Principles for Facial-Recognition Technology in Commercial Applications (September 2018), https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf.

[3] Ibid.

[4] Ibid.

[5] Closed-circuit television (CCTV) or video surveillance is camera systems used to transmit signals to a specific location often with visualization on a limited number of televisions or computer monitors. See Hong Kong Lawyer, CCTV and Privacy Rights (December 2019).

[6]  Under the PIPL, sensitive personal information is defined as “the personal information of which the leakage or illegal use   could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including    information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.” (Art. 28).

[7] The General Data Protection Regulation (EU) 2016/679.

[8] See https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_sv.

[9] GDPR defines “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. See https://gdpr-info.eu/art-4-gdpr/.

[10] See https://www.privacy-regulation.eu/en/recital-43-GDPR.htm.

[11] See https://xw.qq.com/cmsid/20201120A0EPDD00.

[12] See https://m.thepaper.cn/baijiahao_13819929.

[13] See http://en.pkulaw.cn/Display.aspx?Lib=law&Id=36687&keyword.


  • 相关资讯 More
  • 点击次数: 1000007
    2023 - 11 - 07
    作者:张琳在交通事故中,如受害方的车辆为经营性车辆,如出租车、长途客车、货运车等,在车辆损坏后,不仅会产生车辆修理费用,还会产生停运期间的经营损失。对于该停运损失,责任方是否应当赔偿?如应当赔偿,是否可由保险公司进行理赔?    对于上述情况,相关法律法规没有明确规定,但《最高人民法院关于审理道路交通事故损害赔偿案件适用法律若干问题的解释》第十二条作出了明确规定:“因道路交通事故造成下列财产损失,当事人请求侵权人赔偿的,人民法院应予支持:......(三)依法从事货物运输、旅客运输等经营性活动的车辆,因无法从事相应经营活动所产生的合理停运损失.....”虽然上述司法解释对此作出了明确规定,但在司法实践中仍存在理解和执行上的不统一。笔者拟结合几个案例针对相关具体问题进行探讨和分析并提出自己的意见和建议。 一、案例简介案例一:郭某与赵某、某财保公司机动车交通事故责任纠纷案件(参见北京市东城区人民法院(2023)京0101民初32号一审民事判决书)郭某向法院起诉,请求赵某赔偿车辆维修期间的营运损失9000元(600元/天×15天)、交通费,某财保公司承担连带责任。法院查明,2022年某月某日,赵某驾驶的A车与郭某驾驶的B车发生交通事故,车辆损坏,无人受伤,交警部门认定赵某全责。郭某系网约车司机,某财保公司已赔付了修车费。法院经审理认定,郭某主张的停运损失属于间接损失,不属于交强险和商业险的赔偿范围,郭某要求某财险公司理赔的诉讼请求不予支持;赵某负全责,应赔偿郭某合理停运损失;停运损失的具体数额,结合车辆停运时间、郭某运营成本、运营能力、运营收入等因素确定;郭某主张的15天维修天数超出合理期限,结合郭某车辆损坏程度和维修项目,酌定为8天;综合考虑事故车辆受损、停运、运营行业收入水平等因素,酌定郭某合理停运损失为300元/天...
  • 点击次数: 1000005
    2023 - 10 - 30
    作者:刘艳玲              商业秘密有三个构成要件:一是该信息不为公众所知悉,即该信息是不能从公开渠道直接获取的;二是该信息能为权利人带来经济利益,具有实用性;三是权利人对该信息采取了保密措施。概括地说,不能从公开渠道直接获取的,能为权利人带来经济利益,具有实用性,并经权利人采取保密措施的信息,即为《反不正当竞争法》所保护的商业秘密。 技术秘密纠纷案件由于其技术复杂性、案件背景复杂性和有效证据取得性等原因在司法实践中一直属于较难的案件。权利人主张被诉侵权人侵犯自己所有的技术秘密,权利人需要提供证据证明以下几个方面的事实和理由:第一,明确其技术秘密的内容,通常需要细化固定和明确其主张的技术密点;第二、举证该技术秘密具有商业价值;第三、被诉侵权人持有的侵权信息;第四、被诉侵权人持有的侵权信息与权利人的商业秘密构成实质上相同;第五、被诉侵权人实施了《反不正当竞争法》第九条中所列的侵权行为之一。首先,技术秘密内容的查明作为商业秘密的确权基础就是司法实践中的难点,本文结合现有裁决文书对技术秘密纠纷中技术密点的分析和认定进行讨论。  【案号】(2015)闽民初字第152-3号民事裁定书和(2020)最高法知民终385号二审民事裁定书[汕头海洋投资发展有限公司与北大方正物产集团有限公司、福建方兴化工有限公司等其他侵害商业秘密纠纷] 【一审基本案情】汕头海洋投资发展有限公司(简称“汕头海洋公司”)主张其系S.O.E第二代聚苯乙烯成套工艺、装备专有技术许可的所有权人,并将该专有技术许可给了泉港海洋公司使用。后泉港海洋公司的资产经司法拍卖后归被告之一方兴公司所有。为能启动生产,方兴公司在原泉港海洋公司部分高管和技术骨干尚未解除劳动合同并负有保密和竞业限制义务的情况...
  • 点击次数: 1000005
    2023 - 10 - 16
    作者:陈巴特基本案情2022年8月22日,原告宗某某到被告某保健品经营部所经营的店铺购买燕窝,支付价款5000元。原告称其在准备送人时发现涉案产品“燕窝”外包装标签仅仅标注了产品名称,未标注配料表、生产日期、执行标准、保质期、储存条件、厂名厂址、生产许可证编号、联系方式等相关信息,属于无证生产、来路不明的“三无产品”。遂依据《食品安全法》《消费者权益保护法》等相关法律规定,将被告诉至人民法院,请求:1、被告支付原告货款损失5000元;2、被告支付原告十倍赔偿50000元;3、被告承担本案诉讼费。被告某保健品经营部辩称涉案产品“燕窝”属于食用农产品,并不存在质量安全问题;原告购买产品后立即举报、索赔,属于典型的职业打假人,不属于正常消费者,不应适用《食品安全法》及《消费者权益保护法》对原告进行保护。代理意见在审理中,法院总结了本案的几个争议焦点问题,原被告双方及代理律师紧紧围绕焦点问题展开举证、质证、辩论。法院为查清案件事实,亦依职权进行了必要的调查。1、原告宗某某不是普通消费者,而是“知假买假”的职业打假人。原告宗某某在本案中究竟是普通消费者,还是职业打假人,这一身份的认定对本案审理至关重要。通常,产品外包装标签肉眼可见,相关信息是否标注,购买人一看便知。宗某某在购买涉案产品时,必然明知涉案产品外包装标签上没有配料表、生产日期、厂名厂址等各项相关信息,其仍然购买,显然是“知假买假”。宗某某购买涉案产品不是为了生活消费的需要,其动机并非为了净化市场,而是利用惩罚性赔偿条款牟取不当利益,其为职业打假人。为证明这一主张,被告在网络上搜集了一些宗某某近年来十多起购买食品、药品后,以所购产品是“三无产品”为由,向经营者主张十倍赔偿的案例,并提交法庭。为了查明案件事实,法院在审理中,依职权检索了关联案件,检索结果为:2023年1月以来,宗某某在法院所在省内十数个法院起诉共有19起案件,...
  • 点击次数: 1000006
    2023 - 09 - 15
    作者:赵丹青在商标实务中,对于将与他人在先登记、使用并具有一定知名度的字号相同或者基本相同的文字申请注册为商标,容易导致相关公众混淆的,可以依据《商标法》第三十二条主张系争商标对他人在先字号权的损害,要求将系争商标不予核准注册或者予以无效宣告。 若是反过来,将他人在先注册商标作为企业名称中的字号使用,应当如何进行维权呢?下面,我们通过案例进行说明。 案例一 案情简介 台联良子公司于2004年注册“良子”商标,核定使用在第44类服务上,即蒸汽浴室;按摩;公共卫生浴室;美容院;修指甲;高级理发店。台联良子公司及关联公司于2005年、2006年均被授予全国“百佳诚信单位”“2005年中国十大行业隐形冠军”。2015年,良子获得创新医疗大赛180+项目,2016年获得中美健康峰会100+项目。《北京晚报》等多家媒体报道了台联良子公司的发展历程。 2020年,足间道良子公司成立,曾用名北京阿丽良子健康管理有限公司,于2020年4月变更为现名称。经营范围包括健康咨询服务、体育健康服务、生活美容服务、足浴服务等。足间道良子公司在其店铺招牌、靠垫、毛巾、前台等处均突出使用“足间道良子”标识。台联良子公司发现上述行为后,向法院提起诉讼。 案例分析 《商标法》第五十七条规定,未经商标注册人的许可,在同一种商品上使用与其注册商标近似的商标,或者在类似商品上使用与其注册商标相同或者近似的商标,容易导致混淆的,属于侵犯注册商标专用权的行为。 本案中,台联良子公司涉案商标核准注册服务包括第44类的按摩、洗浴、美容理发,结合足间道良子公司经营范围、店招、店内装潢及宣传材料,足间道良子公司提供的是与涉案商标核定服务项目类似的按摩及足浴服务,两者服务类别相同。足间道良子公司未经台联良子公司许可,在经营场所的店招突出使用了与上述注...
× 扫一扫,关注微信公众号
北京市铭盾律师事务所 www.mdlaw.cn
Copyright© 2008 - 2020北京市铭盾律师事务所京ICP备09063742号-1犀牛云提供企业云服务
X
1

QQ设置

3

SKYPE 设置

4

阿里旺旺设置

5

电话号码管理

6

二维码管理

展开