On July 28, 2021, the Supreme People’s Court published the “Provisions on Several Issues regarding the Application of Laws in Hearing Civil Cases concerning the Use of Facial Recognition Technology in Processing Personal Information”. These Provisions took effect on August 1, 2021, and do not apply for facial recognition processing activities prior this date.
The Provisions provide guidance for the courts on how to apply rules related to personal data processing connected to facial recognition technology and address overlaps between other relevant laws and regulations, including the Civil Code and the Cybersecurity Law.
The Provisions clarify that “the processing of facial information” includes collection, storage, use, processing, transmission, transfer, and disclosure of facial information. That ‘facial information’ is considered ‘biometric information’, which is a category of personal information as stipulated in Article 1034 of the Civil Code.
The Provisions also specify circumstances and rules under which the processing of facial information amounts to an infringement on personal rights and interests, including:
• Using facial recognition in violation of laws or administrative regulations in public places such as hotels, malls, banks, stations, airports, stadiums, and entertainment venues;
• Failing to disclose rules on processing facial information or not explicitly stating the purpose, method, and/or scope of processing;
• Processing facial information without explicit and/or written consent of an individual or their guardian;
• Violating the purpose, method, scope, etc. of processing facial information as explicitly indicated or agreed upon;
• Failing to take proper technical or other measures necessary to ensure the security of collected and stored facial information, resulting in the leak, loss, or alteration of facial information.
• Providing facial information to third parties in violation of laws, administrative regulations, or agreements between parties;
• Processing facial information in violation of public order and good morals; or
• Other situations in which facial information is processed in violation of the principles of lawfulness, fairness, and necessity.
Courts are required to apply Article 998 of the Civil Code and consider other factors such as whether the victim is a minor, whether there is informed consent, and the level of necessity in data processing when determining civil liability for the infringement.
Note that the following circumstances probably do not amount to explicit consent as discussed above:
• Where the provision of products or services is strictly conditioned on the consent, even though facial information is not necessary for the provision of products or services;
• Where the consent is bundled with other authorizations; or
• other circumstances where an individual is forced (in a disguised manner) to give consent on face information processing.
Exemption from liabilities
At the same time, the Provisions provide exemptions from civil liabilities for personal information processors under the following circumstances:
• Where the processing of facial information is necessary for responding to a public health emergency or for protecting the life, health, and/or property rights of a natural person;
• Where facial recognition technology is used in public places in accordance with relevant laws and regulations for the purpose of maintaining public safety;
• Where facial information is processed in order to carry out activities such as news reporting and public opinion surveillance for public interest that are within a reasonable scope;
• Where facial information is reasonably processed within the scope agreed by the individual or their guardian; or
• Other circumstances that comply with laws and administrative regulations.
Where property management companies or other building managers use facial recognition as the only verification method for entering the property service areas, the residents or other property users have the right to request alternative solutions that do not involve facial recognition.
The Provisions also consider Contract Law. For example, if a party uses standard terms stating that processing facial information is required indefinitely, irrevocable, or can be sub-authorized, such a clause may be deemed void. If an information processor processes facial information in violation of an agreement with another party, that party can sue for breach of contract.
The Provisions also clarify some procedural rules:
• An individual may apply to the court for an injunction to stop or prevent infringement on any privacy or other personal rights;
• The burden of proof is on the personal information processor to demonstrate that its data processing is compliant with the laws and regulations or there is an exemption from legal liabilities;
• An individual may claim for damages against the data processor, including costs for investigating and collecting evidence, as well as reasonable attorney’s fees;
• There is joint and several liability for multiple personal information processors pursuant to the Civil Code;
• It is possible to launch public interest litigation against data processors who use facial recognition in violation of the laws.
Facial recognition and associated privacy concerns have become increasingly prevalent in our daily lives. Naturally, the rules and regulations are evolving to keep up with the technology. If you have any questions about this subject, please feel free to contact us.