Analysis of Regulatory Requirements and Key Points of Compliance in Face Recognition in China
I. Scenarios requiring processing of face images
According to the national standard, the Information Security Technology – Requirements for Security of Face Recognition Data (Draft for Comments), published in April 2021, scenarios involving face image processing are classified into the following three categories:
1. Face verification: To compare the collected face recognition data against the face recognition data of a specific individual (one-on-one comparison) stored on file to determine whether they match. Typical applications include identity verification at airports and train stations, where face recognition devices capture face information in real time and compare such information against that stored in the system associated with the individuals recognized by the devices to verify the passengers’ identity.
2. Face identification: To compare the collected face recognition data against the recognition data within a specified scope stored in a database (one-versus-multiple comparison) to identify a specific individual. For example, attendance software of a company compares face images acquired in real time with stored face images of all employees.
3. Face analysis: In this scenario, instead of face verification or face identification, face images collected are only used for statistics, detection, or feature analysis purposes, such as collecting statistics about the number of customers or analyzing ages, genders, skin conditions, micro expressions, etc. In the case we mentioned at the beginning, the algorithm used by the company analyzes face data to obtain the composition of ages and genders of visitors. Some smart vehicles are equipped with cameras to check whether a driver is driving properly, such as detecting drowsy driving.
II. Types of data information involved in face images
In China, face images are classified as “sensitive personal information”. The Personal Information Protection Law imposes stricter requirements on the processing and protection of sensitive personal information compared with those applicable to general personal information. The Interpretation of the Supreme People’s Court on the Application of Law in the Trial of Civil Cases Involving Personal Information Processing with Face Recognition Technologies (“Supreme Court Interpretations on Face Recognition Cases”) also provides for special requirements on the use of facial biometric information.
A face image is a person’s portrait and may also involve the privacy of the person; therefore, face images are under the protection of the Civil Code as a personality right. Under the provisions of the Civil Code, private information constitutes privacy, and a person’s right of privacy is under protection of law. In addition, the identifiable image of a specific person that is shown on certain media constitutes a portrait, and a person’s portrait right is also under protection of law.
Therefore, entities that collect and use face images should first determine which types of information are involved in the face images they collect, and then comply with the regulatory requirements applicable to each type.
1. Personal information
Face images constitute personal information. Under Article 4 of the Personal Information Protection Law, personal information is defined as information recorded by electronic or other means and associated with an identified or identifiable individual. In the scenarios above, face images captured for face verification, face identification, face analysis, and by surveillance cameras are information associated with identified or identifiable individuals. Therefore, the collection of face images should be subject to the provisions of the Personal Information Protection Law, the Law on the Protection of Consumers’ Rights and Interests, the Electronic Commerce Law, and other laws and regulations on the processing and protection of personal information.
2. Sensitive personal information
(1) Facial biometric information extracted from face images constitutes sensitive personal information
(i) Under Article 28 of the Personal Information Protection Law, sensitive personal information refers to personal information that is likely to cause any damage to the personal rights or property safety of an individual if it is leaked or used illegally. (ii) Sensitive personal information includes biometric information. (iii) In accordance with the Information Security Technology – Personal Information Security Specification, biometric information includes face recognition features.
(2) Some photos may also be deemed as sensitive personal information
For example, a photo containing a face image may cause damage to the privacy of a person once it is leaked or used illegally; therefore, such a photo is sensitive personal information.
It should be noted that whether a face image constitutes sensitive personal information should be determined with reference to the specific image type and the specific use scenario. For example, many people use photos containing their faces as “profile pictures” on social media (such as WeChat, Weibo, and Maimai). These face images, having already been disclosed within a specific scope, are not deemed sensitive. Therefore, in general, such “profile pictures” may be used and processed as long as such use and processing are in compliance with requirements for processing public personal information. However, if a processor employs certain advanced technologies to extract face recognition features from low-resolution “profile pictures”, such processing may access sensitive personal information and should therefore be subject to the requirements in the Personal Information Protection Law on processing sensitive personal information.
3. Personal privacy
Under the Civil Code, privacy is defined as the private life of individuals and their private space, private activities, and private information that they do not want to be disclosed to others. As in the example above, a photo containing a face image may also be deemed as private information, hence being included in the scope of protection concerning the right of privacy. Like the processing of personal information, unless otherwise provided by law, private information may be processed only with the explicit consent of an individual.
4. Portraits
Under the Civil Code, a portrait is an image of a person reflected in video recordings, sculptures, drawings, or on other media by which the person can be identified. Therefore, a face image may be deemed as a portrait, hence being included in the scope of protection concerning the right of portrait. In accordance with the provisions of the Civil Code, unless otherwise provided by law, a portrait of a person may be made, used, or published only with the consent of the person.
III. Regulatory requirements and key points of compliance in using face recognition
The collection and processing of facial biometric information by face recognition devices are subject to the strictest and most comprehensive administration. Facial biometric information collected by face recognition devices constitutes sensitive personal information; therefore, in addition to the general provisions on the processing and protection of personal information, the special provisions in the Personal Information Protection Law with respect to sensitive personal information also apply. In addition, some other regulations set forth requirements on the use of face recognition devices. The following is a summary of the regulatory requirements and key points of compliance in the use of face recognition devices:
1. Regulatory requirements
2. Key points of compliance
In accordance with the regulatory requirements above, regarding the use of face recognition technologies in online and offline scenarios, we recommend that collectors and users of face information pay attention to the following key points of compliance:
1) Under the requirements in the Personal Information Protection Law and the Supreme Court Regulations on Face Recognition Cases on “obtaining consent”, we recommend:
a. Avoiding obtaining an individual’s consent for face recognition by bundling it with other authorizations, i.e., a separate option shall be provided to request authorization for face recognition functions.
b. Providing multiple methods for identity verification, so that when an individual rejects verification through face recognition, the individual may be allowed to have his or her identity verified by other means to reduce the risks of facial biometric information being obtained by implicit or explicit coercive measures.
c. Providing individuals with authorization options when it is necessary to obtain consent for face recognition for a long period of time (such as “Always allow” and “Allowed while in use”).
2) Under the provisions of the Personal Information Protection Law on “content of notification”, we suggest notifying individuals of the purpose and method, storage period, etc. of processing facial biometric information prior to the face recognition and providing individuals with an option to select whether to grant their consent.
In addition, regarding the use of face recognition technologies in offline scenarios, special attention should be paid to the regulatory requirement of “not taking face recognition as the only method of verification.” What is equally important is the method of obtaining consent to use face recognition in offline scenarios. Based on our experience, here are some suggestions for compliance in face recognition in offline scenarios:
1) Choose face recognition devices that collect face images in a non-automatic manner. For example, a face recognition screen may be used, so that face recognition is enabled only when an individual clicks for consent or stands in a specified area.
2) For face recognition devices that collect face images automatically (“automatic recognition devices”), to comply with the provisions of the Personal Information Protection Law and the Supreme Court Regulations on Face Recognition Cases on “content of notification” and “obtaining consent”, we recommend:
a. Sending an alert message (such as voice prompt, warning line, etc.) to ensure that an individual is fully aware that a face recognition device is deployed in a specific area, and prevent the individual from unknowingly entering an area with automatic recognition devices in deployment;
b. Giving notice in writing to ensure that an individual is aware of the purpose and method, storage period, etc. of processing facial biometric information before entering an area with automatic recognition devices in deployment;
c. Obtaining the consent of individuals in writing or by other means;
d. Managing an area with automatic recognition devices in deployment to ensure that if there is only one route one has to take, such route will be clear of such devices; and
e. Providing individuals with other methods of identity verification in addition to face recognition and ensuring that no face image is collected by automatic recognition devices when an individual chooses another method of identity verification.