Culture Dec 24

Chinese court may rule on legality of firms keeping facial database

Professor takes second case against a safari park in Hangzhou in eastern China; it comes amid growing use of facial recognition scans to authenticate mobile payments as well as rising concern about abuse of images and data collected by companies and agencies

Some 118 million Chinese use facial recognition scans to authenticate payments via their mobile phone, and that number is set to top 700 million within the next two years. File photo by AFP.

(ATF) A Chinese law professor has filed an appeal after winning a facial recognition case against a safari park in eastern China’s Hangzhou city, asking the court to rule that the park’s collection of people's facial images is illegal.

In the meantime, a spokesperson from China’s legislature told Chinese media that China’s newly-drafted data privacy law will include provisions to protect personal biometric information.

Last month a court in Hangzhou ruled that the safari park should refund annual pass fees to Guo Bing, a law professor from Zhejiang Sci-Tech University, and delete his photo and other facial data from its database. Guo then decided to file an appeal on the legality of the park collecting facial data, and a second trial is scheduled to start next Tuesday, on December 29.

After many years of research into ways to protect people's personal data, Guo is also pushing for the amendment of a local property management regulation in Hangzhou – to prohibit property management companies from forcibly collecting residents’ biometric information.

Guo told Southern Metropolis Daily that he was disappointed the court did not provide a ruling on whether it was “legitimate, proper and necessary” for the safari park to collect members’ biometric information and seemed to avoid the topic. He said the park continues to use facial recognition cameras at its entrance.

The goal of his lawsuit was to provide practical lessons to establish more effective legal rules and practices for the protection of personal information, he said.

Guo filed the case last year, before a draft of China’s much-anticipated Personal Information Protection Law (PIPL) was released in October for public comment. Commentators have said that many provisions of the draft PIPL resemble the General Data Protection Regulation, which states that individuals are the owners of their personal data and companies are only 'stewards' of it.

Responding to growing concerns in the country over the use of facial recognition technology, Yue Zhongming, a spokesman for the Legislative Affairs Commission of China’s legislature, said on Monday the proposed law would make clear that sensitive information such as facial biometrics must be “used for specific purposes and only when sufficiently necessary”, and that a risk assessment should be conducted before it is deployed.

Article 29 of the PIPL specifies that “sensitive personal information” includes details on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts and individual location tracking.

118 million use facial recognition scans for mobile payments

Facial recognition has been used prolifically in China, particularly for mobile payment authentication. Alibaba Group’s subsidiary Alipay has been aggressively deploying facial recognition payment terminals amid the Covid-19 pandemic so people can pay without taking out their smartphones – reducing people’s exposure to the deadly virus.

According to iiMedia, there were 118 million facial recognition payment users in China in 2019, and the number is expected to reach 760 million in 2022.

While Facebook has agreed to pay $650 million to settle a facial recognition lawsuit in Illinois, Microsoft, Amazon and Google have also been sued for allegedly violating the state’s Biometric Information Privacy Act. And there have also been growing demands from Chinese consumers for better privacy protection.

Several real estate companies in Nanjing in eastern China were recently ordered by the authorities to remove facial recognition systems that were used to categorise clients, while a video shared widely online showed a man in Jinan city in Shandong province wearing a motorcycle helmet as he entered a property sales office to evade facial recognition cameras.

While the video may seem amusing to many, a dozen consumers in Nanning city in southern China’s Guangxi province lost ownership of apartments worth nearly 10 million yuan (US$1.53 million) earlier this year after their faces were scanned.

A real estate broker surnamed Wei tricked his clients into scanning their faces using an app provided by the city’s real estate registration centre so he could “help check the property ownership records”, when in fact the step was used to authenticate the sale of their properties. The broker bagged all the money from apartment buyers as well as mortgage loans, while the original owners did not even know their properties had been sold.

Amid increasing awareness of personal data protection among consumers, the Chinese government has stepped up efforts in recent years to make laws and rules on data security and protection.

Before the unveiling of the PIPL, China also introduced the Consumer Protection Law and its Amendments in 2014, plus the Cybersecurity Law in 2017, and the Personal Information Security Specification in 2018.

The Civil Code passed in May this year included personal biometric information such as facial data in the scope of personal information protected by law.

Guo said the Personal Information Security Specification, which prohibits the storage of original biometric information and officially took effect in October, provides more specific rules on the collection and storage of biometric information. But it is only a standard or “recommendation”, and not mandatory in the legal sense.

The PIPL takes privacy protection a step further compared with the Civil Code and the Cybersecurity Law, but there is still a certain vagueness.

The law says that “the installation of image collection and personal identification devices at public locations must be for the necessary purpose of maintaining public safety.” But it did not provide a definition of “public safety”, making it possible for individuals or businesses to abuse the technology under a generalised guise of trying to ensure “public security”, Guo said.
