China considers biometric data protection law to curb facial recognition abuses and secure PII

Concerns about the impact of facial recognition and other biometrics on the privacy of Chinese citizens may soon find their way into the country’s laws. A legal framework for privacy rights and protecting personal information is included in a provision being considered for inclusion in China’s draft civil code, according to state-owned television network CCTV.com.

Technological developments including the widespread use of facial recognition and the threat of deepfakes have undermined privacy to the point of collapse, CCTV reports.

The article quotes Geely Automobile Chairman Li Shufu as saying “there is no such thing as privacy and security,” and suggests the sentiment is common among Chinese people.

In response, according to the article, privacy and private information are defined for the first time in Chinese law in the draft civil code. The definition is based on consent, and CCTV notes that incidents like Ant Financial’s default enrollment in a credit scoring scheme and Zao’s sale of facial images would fall afoul of the requirement. While biometric verification use cases would typically be easy to build consent into, public facial recognition systems could be challenging to build notice and consent mechanisms into.

The proposed changes include a ban on providing personal information to third parties without user consent, and a right for individuals to have data deleted if it is shared in violation of the law. One proposal would mandate encryption and data masking for sensitive personal information, but it is not clear whether the proposal is likely to be included in any final rule change.

Up to this point, personal data protection in China comes from the 2016 Cybersecurity Law and the 2018 Personal Information Security Specification, which both mainly cover relations between government and private entities, and the latter of which establishes guidelines for collection, transfer, and use of personal data.

The Personal Information Security Specification was updated earlier this year to force apps to be granted explicit consent to collect and use biometrics.

A survey released late last year shows common data privacy concerns among Chinese citizens, including a worry held by four out of five that biometric data will be leaked by system operators.

“The regulation over biometric information in the draft civil code shows that legislators are trying to balance between security and innovation, taking a cautious approach to the application of facial recognition technology,” Wu Shenkuo, assistant dean of the Internet Institute of Beijing Normal University, told CGTN.

The article concludes that a comprehensive legal framework can help address the ethical and legal concerns generated by the omnipresence of new technologies and their “often inscrutable terms,” and bring the country closer to establishing privacy in the digital world.

Article Topics

biometric data  |  China  |  data collection  |  data protection  |  deepfakes  |  facial recognition  |  legislation  |  privacy