Language

All About Face: Use of Facial Recognition and Legal Restrictions

All About Face: Use of Facial Recognition and Legal Restrictions

 

Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: November 10, 2021

 

Introduction

From public places laden with facial verification cameras to residential buildings that shut strangers out with facial identification requirements, facial recognition technology is being used almost everywhere in China which has contributed to the low criminal rates and high level of public security, earning China the reputation as one of the safest places in the world to travel around.[1] Beyond the bright side, there has been at least one dark side to the overwhelming use of cameras-the possible leaks of people’s biometric identification information to outlaws and hackers. Nowadays, the public becomes increasingly concerned about providing their facial data to various service providers. The calls for safeguarding and curbing excessive uses of people’s facial data are on the rise.

 

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), has become effective. The PIPL basically requires that the operators of websites, mobile phone applications or any other technologies doing data collection and processing should obtain consent from users in order to collect/process the users’ data.

To address the increasing public concerns of the necessity to curb the abuses of people’s biometric data, the PIPL specifically regulates the collection of biometric data and the use of facial recognition technology in public areas.

Apart from the enactment of the PIPL, there was a lawsuit in Hangzhou stemming from dispute over the use of facial recognition equipment and a judicial interpretation on the same subject promulgated by the China Supreme People’s Court.

 

What is facial recognition?

No definition is provided under the PIPL or the judicial interpretation. According to The Future of Privacy Forum, the Facial recognition (currently defined to include facial verification and facial identification) means the technology that creates, collects, compares and retains facial templates that are identified or identifiable to particular individuals.[2]

Facial verification means a task where the facial recognition system confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image. This process is also called one-to-one verification, or authentication.[3] 

Facial Identification means searching a database for a reference matching a submitted facial template and returning a corresponding identity, also known as “one-to-many” matching.[4]

From the above definitions, it can be deduced that facial recognition technology is not an equivalent of the conventional public camera surveillance[5] because it involves more than passive facial scanning and recording. If the usage of public surveillance camera involves no creation of personably identifiable facial templates which are identified or linked, or identifiable or linkable to individuals, it would neither constitute “facial recognition” nor arouse the same type of privacy concerns discussed under this article.

 

PIPL on facial recognition

 

1) processing of facial recognition data

Under the PIPL, facial recognition data, being a type of the biometric identification information, are classified under a specific category of information, sensitive personal information,[6] that must be treated with the following extra safeguarding:

1)   Personal information processors may not process sensitive personal information unless there are specific purposes and sufficient necessity, and strict protection measures are taken (Art. 28);

2)   An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail (Art. 29); and

3)   To process sensitive personal information, personal information processors shall, notify individuals of the following:

    (a) identity of the processor (Art. 17);

    (b) purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods (Art. 17);

    (c) methods and procedures for individuals to exercise their rights (Art. 17);

    (d) necessity of the processing of sensitive personal information (Art. 30); and

    (e) the impacts on individuals’ rights and interests, except that it is not required by this Law to so notify (Art. 30).

 

2) use of facial recognition technology in public areas

Regarding the use of facial recognition technology in public areas, the PIPL provides as follows:

1)   The installation of image collection or personal identification equipment in public areas shall be necessary for maintaining public security and comply with relevant regulations issued by the state (Art. 26);

2)   Conspicuous signs shall be erected (Art. 26); and

3)   The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals (Art. 26).

The above provisions basically provide that the use of facial recognition technology in public areas is only allowed for the purpose of maintaining public security where conspicuous signs shall be erected. It cannot be used for marketing, targeted advertising or any other commercial purposes, unless separate consent of individuals has been obtained.

One has but one face. Facial information is of a unique and unchangeable character for the individuals. As improper disclosures of facial data can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that facial data be specifically categorized and appropriately protected. The PIPL’s position in regulating the use of facial recognition data echoes with that of the GDPR. [7]

 

A GDPR decision on the use of facial recognition

A decision handed down in August 2019 under the GDPR could shed some light on the position taken by the GDPR towards the use of facial recognition data. The Swedish Data Protection Authority (“DPA”) has imposed a fine of approximately 20,000 euros upon a municipality for using facial recognition technology to monitor the attendance of students in school. The school in northern Sweden has conducted a trial program using facial recognition to keep track of students’ attendance in school. The students’ guardians were asked to give and gave explicit consent and they also had the option of excluding their child from the program. The school has based the processing on consent but the Swedish DPA considers that consent was not a valid legal basis given the clear imbalance between the data subject and the controller. The Swedish DPA concluded the school has processed sensitive biometric data unlawfully and failed to do an adequate impact assessment including seeking prior consultation with the Swedish DPA. [8]

Under the GDPR, biometric data, [9] including that generated through facial recognition technology, is protected as a special category of personal data since it is uniquely and strongly identifying to a person. The GDPR prohibits the processing of such data unless there is explicit consent, a legal obligation or public interest. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.[10] Judging from the clear imbalance between the students/their guardians and the school in the above case, the Swedish Data Protection Authority held the school liable under the GDPR for unlawfully processing the students’ facial data.

 

First lawsuit over facial recognition in China

Interestingly in contrast with the Swedish school case, also happened in 2019 and before the enactment of the PIPL, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park constituted a breach of the contract between the plaintiff and the Park.

Guo Bing, an associate law professor in Hangzhou city, filed a civil lawsuit against Hangzhou Safari Park in late 2019 after the Park required a facial identification process for his annual membership pass. He argued the Hangzhou Safari Park has no legal basis to collect visitors’ biometric data. Both courts in the first instance and second instance ruled in favor of Guo Bing, ordering the Park to refund him and delete his facial data and fingerprints.[11]

However, the courts’ judgements are criticized for being too narrow and also for the failure to touch on the legitimacy of the Park’s overbearing policy which mandated facial identification for entry. From the perspective of contract law, the courts of first and second instance ruled that the Park’s requirement of facial recognition to enter the park does not have legal effect on Guo contractually, but the courts avoided the review of the arbitrary clause that 'users who have not registered their face for facial recognition will not be able to enter the park ever'. That is however the key claim in Guo’s lawsuit against the Park.

 The above being said, Guo’s case is still significant as the first lawsuit to challenge the commercial use of facial recognition technology. Citing Guo’s case, China’s Supreme People’s Court (“SPC”) announced that consumers’ privacy must be protected from unwarranted face tracking,[12] a signal that China is tightening the leash on the facial recognition industry.

 

Judicial interpretation on use of facial recognition

On July 28, 2021 the SPC promulgated the Provisions (the “Provisions”) on several issues concerning the application of law in the trial of civil cases relating to processing of personal information by using the facial recognition technology.[13] The Provisions came into force on August 1, 2021.

The Provisions apply to civil cases that involve facial recognition technology. The Provisions set forth that hotels, shopping malls, airports and other commercial venues should not use facial recognition in violation of the laws and administrative regulations. The use of the technology is only allowed when there is clear legal basis and cannot exceed what is necessary, and companies must take measures to protect the facial data. The Provisions also provide that consent is not a valid legal basis if companies denied providing products or services on the condition that a consent is given, unless the processing of facial information is necessary for the provision of such products or services. Property management companies must obtain the consent of the residents before using facial recognition. In case of refusal of consent, alternative verification methods must be offered.

While the Provisions are not clear on what counts as necessary use, the possibility of penalties from lawsuits is likely to curb some excessive uses of people’s facial data. The Provisions also specifies a mechanism for the public to sue if their privacy has been violated and option for injunction is also available in cases where irreparable harm would be caused without an injunctive relief.

 

Key Takeaways

·   Thorough impact assessment should be conducted prior to the launching of any facial recognition implementation.

·   For businesses to stay compliant with the PIPL, despite the scale and the intent of the use of facial recognition technology, regulatory and professional opinions have to be consulted.

·   Consent should not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller.

·   Consent should be invalid if there is an “opt-in-or-leave” situation, unless the processing of facial data is absolutely necessary for the products or services offered.

 

Conclusion

After the enactment of the PIPL and the China Supreme People’s Court’s promulgation of the Provisions, it remains to be seen how the administration will enforce these rules, how the courts will adjudicate in lawsuits involving facial recognition and whether such enforcement/adjudication will actually curb the abuses of facial recognition technology. For whatever the future holds, one thing is certain: businesses must realize that to advance any frontier technology, building public trust is essential to the effectuation that the public can enjoy the benefits offered by the technology. Before the public can entrust their sensitive personal data to the facial recognition businesses, they must have confidence that the use is with necessity, and that the use is lawful, fair, transparent and also safely guarded.



 



[1] See https://www.globaltimes.cn/content/1067645.shtml.

[2] See The Future of Privacy Forum, Privacy Principles for Facial-Recognition Technology in Commercial Applications (September 2018), https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf.

[3] Ibid.

[4] Ibid.

[5] Closed-circuit television (CCTV) or video surveillance is camera systems used to transmit signals to a specific location often with visualization on a limited number of televisions or computer monitors. See Hong Kong Lawyer, CCTV and Privacy Rights (December 2019).

[6]  Under the PIPL, sensitive personal information is defined as “the personal information of which the leakage or illegal use   could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including    information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.” (Art. 28).

[7] The General Data Protection Regulation (EU) 2016/679.

[8] See https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_sv.

[9] GDPR defines “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. See https://gdpr-info.eu/art-4-gdpr/.

[10] See https://www.privacy-regulation.eu/en/recital-43-GDPR.htm.

[11] See https://xw.qq.com/cmsid/20201120A0EPDD00.

[12] See https://m.thepaper.cn/baijiahao_13819929.

[13] See http://en.pkulaw.cn/Display.aspx?Lib=law&Id=36687&keyword.


  • 相关资讯 More
  • 点击次数: 13
    2023 - 03 - 24
    作者:金涟伊信息时代的来临带来了更多机会与市场,其中意见领袖、平台主播等自媒体是这一浪潮中最突出的弄潮儿。但不论是在什么领域,对其品牌的培养都是自媒体运营的重点。运营自媒体账户培育品牌有以下注意事项。 一、 品牌名称选取 对于自媒体相关主体,不论在哪个平台建立账号,一个好的昵称是成功的一半。该昵称也会在未来成为意见领袖、up主或主播的重要品牌,成为吸引用户的最突出的标志之一。因此对昵称的选择是非常重要的。昵称的风格可以千变万化,可以简约,可以标识重点,可以抽象或单纯富有趣味,但不论是何风格都需遵守当地法律法规以及平台规定。 以某平台为例,在平台用户服务协议明确约定,用户所设置的账号不得违反国家法律法规及平台的相关规则,用户账号名称、头像和简介等注册信息及其他个人信息中不得出现违法和不良信息,未经他人许可不得用他人名义(包括但不限于冒用他人姓名、名称、字号、头像等或采取其他足以让人引起混淆的方式)开设账号,不得恶意注册平台账号(包括但不限于频繁注册、批量注册账号等行为)。同时,用户在账号注册及使用过程中需遵守相关法律法规,不得实施任何侵害国家利益、损害其他公民合法权益,有害社会道德风尚的行为。平台有权对用户提交的注册信息进行审核,这也是平台的义务。 概括而言,注册账户名称应关注: 1、 符合法律法规及平台的规定以及公序良俗2、具有可识别性——昵称及特色3、不侵犯他人在先权利 二、 重视品牌维护 自媒体运营的领域除了其频道主要内容涉及的方向外,也应当注意广告、娱乐教育服务方面的品牌维护。自媒体账户通常盈利方式包括:1、平台分成或签约;2、广告;3、衍生产品。对以上不同盈利方式应当各有注意要点。 对于通过平台分成或签约形式盈利的自媒体,应当注意签约合同中对知识产权的约定,...
  • 点击次数: 11
    2023 - 03 - 10
    作者:刘艳玲当专利申请人向多个国家/地区提交专利申请时,如果希望专利申请加快审查进程,我们知道专利审查高速路(PPH)是一个可以利用的方式。PPH是专利审查机构直接开展的审查结果共享的业务合作,旨在帮助申请人的他国同族专利申请早日获得授权。当申请人在一国审查局提交的专利申请中有一项或多项权利要求被确定为可授权时,可以以此为基础向他国审查局就同族专利申请提出加快审查请求。除了可以加快审查以外,答复审查意见通知书的次数也可能会减少,并且申请被授予专利权的可能性也能增加。同族专利申请的审查结果除了上述应用以外,还有其他的利用方式。在此根据实践经验进行相应介绍。 美国根据美国专利相关法规,专利申请的申请人及密切相关人员在该美国专利申请的过程中有义务将对该申请的专利性重要的现有技术文件(包括专利文献和非专利文献)提交给美国专利商标局以供审查员在审查时考虑。这个程序也称IDS(Information Disclosure Statement,信息公开声明提交)。申请人如果没履行IDS提交义务会导致授权专利无法执行(unenforceable)。美国专利实施细则37CFR1.97-1.98以及专利审查指南MPEP609中给出了IDS文件的具体内容提交要求和时限要求,读者可进一步检索查看。这其中包括申请人及相关人员需要向美国专利商标局提交外国同族专利申请的审查意见/审查结果中引用的对比文件,而且需要在收到审查意见/审查结果后3个月内提交且该期限不可延长。对于以PCT方式进美国的国家申请,审查员审查时会考虑美国专利商标局IFW系统中的所有美国专利文献;如果美国专利商标局下发的PCT/DO/EO/903表中指出了国际检索报告和相关文件的副本已经在国家阶段文件包中,审查员审查时会考虑这些对比文件。由于存在法律适用的不同情形,处理申请时请就提交细节向代理专利申请的合作专利律师/代理师咨询。印度 根...
  • 点击次数: 9
    2023 - 02 - 24
    作者:常春引言:  最高人民法院近日公开的(2021)最高法知民终1363号案件的判决书给出了关于侵犯技术秘密的侵权获利计算的新方式,即可以将侵权人在特定项目上的全部获利作为侵权获利只要侵权人有明显过错且该侵权行为直接决定商业机会的得失。这一计算方式是对技术秘密侵权案件中侵权获利计算方法的一种细化,也为其他知识产权侵权的计算方法提供了参照和启示。 案情概述:  A公司与Y公司同时参加某项目招投标,Y公司以相对较低价格中标。A公司发现中标的Y公司实际为其前核心员工组建且均与A公司签署有保密协议,保密协议约定对他们知悉的A公司技术秘密保密。A公司起诉Y公司商业秘密侵权。法院在审理认为Y公司核心员工李某的电脑中保存的该项目的标书、中期报告等文件中包含A公司的技术秘密,而且因为Y公司使该等技术秘密的行为使得其以低价中标,进而使得A公司错失了在该项目中的交易机会。因此,法院基于Y公司在该项目中的营业利润判定给与A公司赔偿。 铭盾分析:反不正当竞争法规定了侵犯技术秘密的赔偿述额需要按实际损失、侵权获利、法定赔偿的顺序确定。其中,侵权获利的计算方法可以参照确定侵犯专利权的损害赔偿额的方法进行。而专利侵权的侵权获利的计算方法则包括侵权人因侵权所获得的利益可以根据该侵权产品(服务)在市场上销售的总数乘以每件侵权产品(服务)的合理利润所得之积计算。侵权人因侵权所获得的利益一般按照侵权人的营业利润计算,对于完全以侵权为业的侵权人,可以按照销售利润计算,但其中应当合理扣除因其他权利所产生的利益,即应当考虑专利在利润中的贡献率。按照上述的计算方法,对于并非以侵权为业的侵权人技术秘密侵权行为的获利可以按以下方式计算:侵权获利=侵权产品(服务)量X侵权产品(服务)营业利润X技术秘密对利润的贡献率;其中,营业利润=销售利润-管理费用-财务费用。但在本案中,法院认为招投标项目有其特殊性,...
  • 点击次数: 12
    2023 - 02 - 17
    作者:金涟伊现如今,品牌对于企业发展的重要性已经无可非议,大型企业甚至成立专门的知识产权公司以统一管理、运营、保护其知识产权。而对于中小企业,品牌保护对自身发展有着更重要的意义。能否另辟新径,避开企业规模的劣势,令其品牌直面消费者,使自身获得相应市场地位,成为中小企业树立优质品牌的工作重点。然而,中小企业品牌在面对猖獗的恶意抢注行为时显得更为脆弱,由于自身规模及可调用资源的限制,通常难以与怀有恶意的商标抢注人,甚至同行业竞争者相抗争。本文将简要介绍目前常见的打击恶意商标申请的办法,为中小企业打击恶意商标申请提供思路参考。 一、 何为恶意商标注册申请及法律相关规定 实践中常见的恶意商标注册申请主要可分为两类:以囤积倒卖商标为目的的恶意商标注册申请;侵犯他人在先权利的恶意商标注册申请。 (一)以囤积倒卖商标为目的的恶意商标注册申请 以囤积倒卖商标为目的的恶意商标注册申请,是指申请人在多个类别大量申请商标,明显超出实际生产经营活动所需。商标法第四条规定,“自然人、法人或者其他组织在生产经营活动中,对其商品或者服务需要取得商标专用权的,应当向商标局申请商标注册。不以使用为目的的恶意商标注册申请,应当予以驳回。”该条规定了向国家知识产权局商标局申请注册的商标应当是生产经营活动所需,不以使用为目的的商标注册申请是恶意商标注册申请,国家知识产权局将予以驳回。 国家知识产权局对不以使用为目的、囤积商标的恶意注册申请的打击力度较重,一旦发现此种申请,将对该申请人所申请的全部商标均予以驳回。此种驳回目前公示在国家知识产权局商标局官网的商标注册审查决定文书栏目中。 尽管国家知识产权局会依职权主动对此种恶意注册商标行为采取行动,但在审查中仍可能存在漏网之鱼。由于此种恶意注册申请会侵占大量商标资源,可能导致企业在申请自创商标时遭遇...
× 扫一扫,关注微信公众号
北京市铭盾律师事务所 www.mdlaw.cn
Copyright© 2008 - 2020北京市铭盾律师事务所京ICP备09063742号-1犀牛云提供企业云服务
X
1

QQ设置

3

SKYPE 设置

4

阿里旺旺设置

5

电话号码管理

6

二维码管理

展开