
All About Face: Use of Facial Recognition and Legal Restrictions


 

Author: Yingying Zhu, Partner of Beijing MingDun Law Firm

Email: zhu.yingying@mdlaw.cn

Date: November 10, 2021

 

Introduction

From public places laden with facial verification cameras to residential buildings that shut strangers out with facial identification requirements, facial recognition technology is being used almost everywhere in China. This has contributed to low crime rates and a high level of public security, earning China a reputation as one of the safest places in the world to travel around.[1] Beyond the bright side, there is at least one dark side to the overwhelming use of cameras: the possible leaks of people’s biometric identification information to outlaws and hackers. The public is becoming increasingly concerned about providing their facial data to various service providers, and calls for safeguarding people’s facial data and curbing its excessive use are on the rise.

 

Background

On November 1st, 2021, China’s first comprehensive data privacy law, the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), became effective. The PIPL basically requires that operators of websites, mobile phone applications or any other technologies that collect and process data obtain consent from users in order to collect or process the users’ data.

To address increasing public concern about the need to curb abuses of people’s biometric data, the PIPL specifically regulates the collection of biometric data and the use of facial recognition technology in public areas.

Apart from the enactment of the PIPL, there was a lawsuit in Hangzhou stemming from a dispute over the use of facial recognition equipment, and a judicial interpretation on the same subject was promulgated by China’s Supreme People’s Court.

 

What is facial recognition?

No definition is provided under the PIPL or the judicial interpretation. According to the Future of Privacy Forum, facial recognition (currently defined to include facial verification and facial identification) means the technology that creates, collects, compares and retains facial templates that are identified or identifiable to particular individuals.[2]

Facial verification means a task where the facial recognition system confirms an individual’s claimed identity by comparing the template generated from a submitted facial image with a specific known template generated from a previously enrolled facial image. This process is also called one-to-one verification, or authentication.[3] 

Facial identification means searching a database for a reference matching a submitted facial template and returning a corresponding identity, also known as “one-to-many” matching.[4]

From the above definitions, it can be deduced that facial recognition technology is not equivalent to conventional public camera surveillance[5] because it involves more than passive facial scanning and recording. If the use of public surveillance cameras involves no creation of personally identifiable facial templates that are identified or linked, or identifiable or linkable, to individuals, it would neither constitute “facial recognition” nor raise the type of privacy concerns discussed in this article.

 

PIPL on facial recognition

 

1) processing of facial recognition data

Under the PIPL, facial recognition data, being a type of biometric identification information, are classified under a specific category of information, sensitive personal information,[6] that must be treated with the following extra safeguards:

1)   Personal information processors may not process sensitive personal information unless there are specific purposes and sufficient necessity, and strict protection measures are taken (Art. 28);

2)   An individual's separate consent shall be obtained for processing his or her sensitive personal information. Where any law or administrative regulation provides that written consent shall be obtained for processing sensitive personal information, such provision shall prevail (Art. 29); and

3)   To process sensitive personal information, personal information processors shall notify individuals of the following:

    (a) identity of the processor (Art. 17);

    (b) purposes and methods of processing of personal information, categories of personal information to be processed, and the retention periods (Art. 17);

    (c) methods and procedures for individuals to exercise their rights (Art. 17);

    (d) necessity of the processing of sensitive personal information (Art. 30); and

    (e) the impacts on individuals’ rights and interests, unless this Law provides that such notification is not required (Art. 30).

 

2) use of facial recognition technology in public areas

Regarding the use of facial recognition technology in public areas, the PIPL provides as follows:

1)   The installation of image collection or personal identification equipment in public areas shall be necessary for maintaining public security and comply with relevant regulations issued by the state (Art. 26);

2)   Conspicuous signs shall be erected (Art. 26); and

3)   The collected personal images and identification information can only be used for the purpose of maintaining public security, and shall not be used for other purposes, except with the separate consent of individuals (Art. 26).

The above provisions basically provide that the use of facial recognition technology in public areas is only allowed for the purpose of maintaining public security, and that conspicuous signs must be erected. It cannot be used for marketing, targeted advertising or any other commercial purposes, unless the separate consent of individuals has been obtained.

One has but one face. Facial information is unique to the individual and cannot be changed. As improper disclosures of facial data can cause greater harm and damage to the image, reputation or security of an individual, it is of significant importance to ensure that facial data be specifically categorized and appropriately protected. The PIPL’s position in regulating the use of facial recognition data echoes that of the GDPR.[7]

 

A GDPR decision on the use of facial recognition

A decision handed down in August 2019 under the GDPR sheds some light on the position taken by the GDPR towards the use of facial recognition data. The Swedish Data Protection Authority (“DPA”) imposed a fine of approximately 20,000 euros upon a municipality for using facial recognition technology to monitor the attendance of students in school. The school in northern Sweden had conducted a trial program using facial recognition to keep track of students’ attendance in school. The students’ guardians were asked to give, and gave, explicit consent, and they also had the option of excluding their child from the program. The school based the processing on consent, but the Swedish DPA considered that consent was not a valid legal basis given the clear imbalance between the data subject and the controller. The Swedish DPA concluded that the school had processed sensitive biometric data unlawfully and had failed to do an adequate impact assessment, including seeking prior consultation with the Swedish DPA.[8]

Under the GDPR, biometric data,[9] including that generated through facial recognition technology, is protected as a special category of personal data since it uniquely and strongly identifies a person. The GDPR prohibits the processing of such data unless there is explicit consent, a legal obligation or public interest. In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation.[10] Judging from the clear imbalance between the students/their guardians and the school in the above case, the Swedish Data Protection Authority held the school liable under the GDPR for unlawfully processing the students’ facial data.

 

First lawsuit over facial recognition in China

In an interesting contrast with the Swedish school case, in a case that also arose in 2019 and before the enactment of the PIPL, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park constituted a breach of the contract between the plaintiff and the Park.

Guo Bing, an associate law professor in Hangzhou city, filed a civil lawsuit against Hangzhou Safari Park in late 2019 after the Park required a facial identification process for his annual membership pass. He argued that the Hangzhou Safari Park had no legal basis to collect visitors’ biometric data. The courts of both first and second instance ruled in favor of Guo Bing, ordering the Park to refund him and delete his facial data and fingerprints.[11]

However, the courts’ judgements have been criticized for being too narrow and for failing to touch on the legitimacy of the Park’s overbearing policy, which mandated facial identification for entry. From the perspective of contract law, the courts of first and second instance ruled that the Park’s requirement of facial recognition to enter the park does not have legal effect on Guo contractually, but the courts avoided reviewing the arbitrary clause that 'users who have not registered their face for facial recognition will not be able to enter the park ever'. That, however, was the key claim in Guo’s lawsuit against the Park.

That said, Guo’s case is still significant as the first lawsuit to challenge the commercial use of facial recognition technology. Citing Guo’s case, China’s Supreme People’s Court (“SPC”) announced that consumers’ privacy must be protected from unwarranted face tracking,[12] a signal that China is tightening the leash on the facial recognition industry.

 

Judicial interpretation on use of facial recognition

On July 28, 2021, the SPC promulgated the Provisions (the “Provisions”) on several issues concerning the application of law in the trial of civil cases relating to processing of personal information by using facial recognition technology.[13] The Provisions came into force on August 1, 2021.

The Provisions apply to civil cases that involve facial recognition technology. The Provisions set forth that hotels, shopping malls, airports and other commercial venues should not use facial recognition in violation of the laws and administrative regulations. The use of the technology is only allowed when there is a clear legal basis and cannot exceed what is necessary, and companies must take measures to protect the facial data. The Provisions also provide that consent is not a valid legal basis if companies make the provision of products or services conditional on consent being given, unless the processing of facial information is necessary for the provision of such products or services. Property management companies must obtain the consent of the residents before using facial recognition. In case of refusal of consent, alternative verification methods must be offered.

While the Provisions are not clear on what counts as necessary use, the possibility of penalties from lawsuits is likely to curb some excessive uses of people’s facial data. The Provisions also specify a mechanism for members of the public to sue if their privacy has been violated, and an injunction is also available in cases where irreparable harm would be caused without injunctive relief.

 

Key Takeaways

·   A thorough impact assessment should be conducted prior to launching any facial recognition implementation.

·   For businesses to stay compliant with the PIPL, regardless of the scale and the intent of the use of facial recognition technology, regulatory and professional opinions have to be consulted.

·   Consent should not provide a valid legal ground for the processing of personal data in cases where there is a clear imbalance between the data subject and the controller.

·   Consent should be invalid if there is an “opt-in-or-leave” situation, unless the processing of facial data is absolutely necessary for the products or services offered.

 

Conclusion

After the enactment of the PIPL and the promulgation of the Provisions by China’s Supreme People’s Court, it remains to be seen how the administration will enforce these rules, how the courts will adjudicate in lawsuits involving facial recognition and whether such enforcement/adjudication will actually curb the abuses of facial recognition technology. Whatever the future holds, one thing is certain: businesses must realize that, to advance any frontier technology, building public trust is essential if the public is to enjoy the benefits offered by the technology. Before the public can entrust their sensitive personal data to facial recognition businesses, they must have confidence that the use is necessary, and that the use is lawful, fair, transparent and also safely guarded.



 



[1] See https://www.globaltimes.cn/content/1067645.shtml.

[2] See The Future of Privacy Forum, Privacy Principles for Facial-Recognition Technology in Commercial Applications (September 2018), https://fpf.org/wp-content/uploads/2019/03/Final-Privacy-Principles-Edits-1.pdf.

[3] Ibid.

[4] Ibid.

[5] Closed-circuit television (CCTV) or video surveillance refers to camera systems used to transmit signals to a specific location, often with visualization on a limited number of televisions or computer monitors. See Hong Kong Lawyer, CCTV and Privacy Rights (December 2019).

[6] Under the PIPL, sensitive personal information is defined as “the personal information of which the leakage or illegal use could easily lead to the violation of the personal dignity of a natural person or harm to personal or property safety, including information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, and personal information of minors under the age of fourteen.” (Art. 28).

[7] The General Data Protection Regulation (EU) 2016/679.

[8] See https://edpb.europa.eu/news/national-news/2019/facial-recognition-school-renders-swedens-first-gdpr-fine_sv.

[9] GDPR defines “biometric data” as personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data. See https://gdpr-info.eu/art-4-gdpr/.

[10] See https://www.privacy-regulation.eu/en/recital-43-GDPR.htm.

[11] See https://xw.qq.com/cmsid/20201120A0EPDD00.

[12] See https://m.thepaper.cn/baijiahao_13819929.

[13] See http://en.pkulaw.cn/Display.aspx?Lib=law&Id=36687&keyword.

