Coming into Focus: China’s Facial Recognition Regulations

May 4, 2020

Trustee Chair in Chinese Business and Economics > Trustee China Hand 

By Seungha Lee

This past February, China introduced new facial recognition technology that can identify faces even when wearing a mask, though with a slightly lower accuracy rate. This technology not only highlights China’s technological advances, but it also deepens Chinese citizens’ growing concerns over how the widespread use of facial recognition threatens their privacy.

In October 2019, China had its first lawsuit over the use of facial recognition technology. In this case, which is still unsettled, a university professor accused a wildlife park of “compulsorily collecting visitors' individual characteristics” via facial recognition, triggering a widespread debate in China. China’s government and the private sector have made efforts to address society's concerns on the abuse of facial recognition technology. While much progress still needs to be made, the recent developments reflect the country’s gradual steps toward greater regulation on facial recognition and data protection.

Source: Hanvon’s Website

The Development of China’s Facial Recognition Regulatory Ecosystem

Facial recognition in China is regulated by a broader data protection framework – the Cybersecurity Law of the People’s Republic of China. The law imposes legal obligations on network operators by stating the requirements for the collection, use, and protection of personally identifiable information (PII), which includes biometric data. However, biometric data is not the central focus of the law, and it is not discussed beyond the definition section. To this end, China’s formulation of the “Personal Information Security Specification” and efforts in developing a new data privacy law deserve further attention. 

The Specification covers data protection with a higher degree of granularity, but it is nonbinding. It specifies guidelines on data-handling and protection to prevent PII – including biometrics – from illegal collection, abuse, and access. Despite its lack of penalties, the Specification is considered to establish best practices and to serve as an important reference for government agencies. Additionally, China recently released the newest version of the Specification in March 2020, and it will take effect on October 1, 2020. Notably, the updated version strengthens privacy protection and revises the “exceptions to soliciting consent" and refinements for personal biometric information.

Meanwhile, the Chinese legislature has been drafting a new data privacy law with a stronger focus on biometrics. At the moment, the details of the new data privacy law are unavailable, and the enactment timeline is unclear. However, according to a statement by the National People’s Congress (NPC), the Chinese government is aware of the need and demand for a centralized data protection law. For this reason, the initiative itself still marks a major step towards protecting its citizen’s personal data.

Self-regulation Efforts

China’s private sector has also been addressing privacy concerns through self-regulation. Two major initiatives are led by Megvii and SenseTime respectively.

Megvii, a leading Chinese facial recognition company, issued the foremost guidelines on AI applications (人工智能应用准则). Consisting of six parts, the guidelines provide corresponding intervention measures for each dimension. For example, the guidelines claim that AI should “make accurate decisions while providing adequate protection of the public from potential security risks.” In addition, the guidelines emphasize the necessity of strict data security and privacy protection.

Separately, a larger initiative is being taken by 27 tech companies—including SenseTime, Tencent, and Xiaomi—to draft the country’s first industry standards for facial recognition. According to SenseTime, the standards “will be guidance and foundation for the yardsticks of facial recognition in all fields.” Industry standards do not have the force of law in China, but tech companies’ ongoing efforts to guide the appropriate use of facial recognition is expected to be critical in building a sustainable environment for facial recognition technology.

Visitors being filmed by a security camera with facial recognition technology.
Source: Photo by NICOLAS ASFOURI/AFP via Getty Images.

In all, China has made tentative progress, but it is still too soon to predict the ultimate outcome. This is because the effort is largely top-down, led by the government and tech giants. Although there is a growing public concern (as witnessed by the reaction to the lawsuit), civil society has limited means to shape policies during the drafting process. In the end, as with many initiatives, the outcome will depend on how the new regulations and standards are implemented.

Trustee Chair in Chinese Business and Economics > Trustee China Hand 

Seungha Lee is a research intern with the Trustee Chair in Chinese Business and Economics at CSIS.