At the end of April, China released a draft set of security standards for facial recognition data for public comment through June 22.
The standards will not be mandatory, but they reflect the spirit of major ongoing legal reforms related to personal privacy in China including the draft Personal Information Protection Law. While the focus of the reforms is on the rights and obligations of non-government actors including individuals, organizations, and corporations, there has also been some language related to state data collection and use. More importantly, the emerging regulatory regime is both responsive to and will continue to shape the public’s expectations of privacy with regard to emerging technologies.
- Individuals’ authorization is required for collecting facial recognition data.
- Facial recognition may be used for confirming identities or identifying individuals, not for assessing or predicting traits such as health, wealth, work performance, or interests.
- In principle, facial recognition should not be used for identity verification of those younger than 14 years old.
- It should only be used where other methods would be less secure or convenient, and individuals should be able to opt-out and select other methods of identity confirmation.
- Data is Localized with facial recognition data created or collected in mainland China generally being stored in China, and security assessments require for sending data abroad. When possible, collection and processing at the same device is preferred over sending data to another computer.
The Right to Know
Informed consent and authorization are central to all aspects of the use of personal information including facial recognition data in China’s privacy regime. As such, the standards explicitly require that individuals be notified of certain situations regarding their information, to ensure that their consent is knowing and voluntary.
- In the collection of data, individuals should be informed of the purposes of the collection, the types and volume of information collected, what will be done with it, and how long it will be kept.
- individuals must be informed and separate consent obtained when the data is given to a 3rd party for handling. The notice includes the identity of the receiving party, the purposes of the transfer, the types of data transferred, and possible impact.
- Notice is to be given of any leaks, destruction, or loss of facial recognition data
Minimum Impact Principle:
The standards seek to keep the impact and risk of data collection and use as small as possible. This is reflected in provisions that call for:
- Using the minimum necessary data to achieve the stated purposes of data collection and use.
- collecting the smallest number of images and image types to generate facial recognition parameters.
- deleting face images after identifications are completed.
- destroying or anonymizing data at the end of the storage period, when authorization ends, or when services are no longer applied.