China’s Supreme People’s Court sets rules for facial recognition technology
China Data Protection Alert
On July 28, 2021, China’s Supreme People’s Court (the top judicial authority) published the 'Provisions on Relevant Issues on the Application of Laws in Hearing Civil Cases Related to the Application of Facial Recognition Technology in Processing Personal Information'. The provisions came into force as of August 1, 2021. They provided guidance for the courts to apply the rules scattered in Civil Code, Cybersecurity Law, Consumer Rights Protection Law, E-Commerce Law, etc. on personal data processing by using facial recognition technology, and have also set specific rules based on the recent practices of the Chinese courts. In this article we provide our comments on several highlights in the provisions.
1. Provisions made it clear that “facial information” is “biometric information”, which is a category of personal information expressly mentioned in the Civil Code. Although the Civil Code has not set special rules on processing of biometric information, it is noted that, according to the Personal Information Protection Law (PIPL), biometric information is “sensitive personal information” and processors of such information shall follow the following special rules:
Separate consent. In case the data processing is based on data subject’s consent, such consent shall be given separately, i.e. consent on facial recognition shall not be obtained together with other personal data processing activities. Furthermore, such consent will have to be obtained in written form if so required by the laws and regulations under certain circumstances. In case the data processor obtains data subject’s consent by using a standard contract requesting the data subject to grant indefinite, irrevocable, freely assignable rights to process facial information, Chinese courts may deem such standard contract invalid.
Additional information. The data processor shall notify the data subjects two additional information, i.e. the necessity of processing facial information and the implication to the data subject.
Administrative restrictions. The data processor shall obtain administrative license or comply with other restrictions on data processing with facial recognition technology if so required by the laws and regulations.
As the processing rules for sensitive personal information is still under development, the Provisions have made room for the Chinese law to further regulate the application of facial recognition technology.
2. The provisions have summarized the rules in different laws and regulations which would be applicable for the processing of personal data via facial recognition technology, including the processing criteria and the technical and organizational measures to ensure data security.
In addition, the Provisions provided rules for the following two specific scenarios where facial recognition are often adopted in practice:
Public places. The Provisions have prohibited the use of facial recognition technology to verify, identify or analyze facial information in business or public places such as hotels, shopping malls, banks, bus/train stations, airports, sports stadium, entertainment venues in violation of the laws and regulations, which may imply that the deployment of facial recognition technology in those public places will require clear legal basis under the laws and regulations.
Real property management services. In case property management companies use facial recognition as the verification method for entry into the real property service area, the residents or other property users shall have the right to request for alternative solution which does not involve facial recognition.
3. Considerations of legal liabilities. According to the provisions, courts are required to decide the legal liabilities of data processors infringe the data subject’s rights taking into account (i) whether the data subject is a minor, (ii) whether there is informed consent, and (iii) the level of necessity in data processing. It is understood that the data processor may assume higher legal liabilities in case it infringes the rights of a minor, or there has been no informed consent, or the data processing is beyond the scope of necessary.
4. Provisions have also laid down rules for the issues in civil legal actions related to data processing with facial recognition technology
Injunction. It is clearly mentioned that a data subject may apply before the court for injunction in order to stop or prevent any infringement in data processing activities using facial recognition technology.
Burden of Proof. The onus is on the data processor to demonstrate its data processing is compliant with the laws and regulations or there is a statutory exemption from legal liabilities.
Damages. The data subject may claim damages against data processor. Among others, such damages would include reasonable costs for the data subject to enforce its rights, such as the costs to investigate data processor’s infringement and collect evidence, as well as reasonable attorney’s fee.
Public Interest Litigation. The provisions also made it clear that it is possible to launch public interest litigation against data subject rights infringement. Therefore, data processors who use facial recognition in violation of the laws may face not only individual lawsuits but also public interest litigation launched by public prosecutors or consumers associations.
The provisions will not be applicable for the facial recognition processing activities before August 1, 2021. After such date, companies who consider to start deploying or continue implementing facial recognition technology in processing personal information shall take into account the provisions in evaluating its legal compliance and closely watch how Chinese courts would apply the Provisions in practice.
PIPL is currently in legislative process. The Chinese legislative body is expected to enact the law in August, 2021.