China’s draft measures demand ‘individual consent’ for facial recognition use
The pervasive use of facial recognition technology across all facets of life in China has elicited both praise for its convenience and backlash around privacy concerns. The widespread adoption has also fueled the exponential growth of valuations in companies specializing in the field, such as AI giants SenseTime and Megvii.
Now the industry is facing some potentially significant changes as Beijing steps up efforts to establish more defined boundaries for the technology’s usage. The move is building upon the implementation of major tech regulations that rolled out in recent years targeting cybersecurity, data security, and privacy protection.
On Tuesday, the Cyberspace Administration of China (CAC), the nation’s top internet watchdog, unveiled a series of proposed measures aimed at regulating the application of facial recognition. The technology has been extensively employed in both the public and private sectors, ranging from facial scans used to authenticate payments in supermarkets to identity verification procedures at airport boarding gates — the latter an increasingly common practice not only in China but also across the U.S.
Critics have raised concerns over privacy and bias over the use of facial recognition. They complain that some residential compounds have made facial scans the only way of accessing buildings. There are also concerns about the accuracy and fairness of algorithms, particularly in recognizing the faces of minorities, which could lead to the unjust targeting of certain groups.
The proposed measures appear to provide individuals with more rights to opt out of facial recognition in specific circumstances — but they come with limitations.
The utilization of facial recognition should be limited to “specific purposes and full necessity,” requiring individual approval or written consent, according to the draft measures.
The rules emphasize the need for clear signage in public areas where facial recognition is employed. Venues such as hotels, airports, and museums are prohibited from coercing individuals into accepting facial scans for such reasons as “business operations” or “service enhancements”. Moreover, facial recognition should not serve as the sole means of access to a building.
When it comes to collecting facial biometric data from individuals under the age of 14, the consent of their parents or legal guardians must be obtained.
Organizations and individuals will bear higher operational costs for using the technology. Entities in possession of facial data on more than 10,000 individuals must register with a local branch of the CAC. The filing needs to explain the purpose of collecting such data and plans for data protection. Unless authorized by individuals, collectors are prohibited from retaining facial images in their original resolution.
The proposed measures, If effectively enforced, hold the potential to enhance security within an industry that has been relatively loosely regulated so far and lower the risk of data mishandling. China has seen several major biometric data breaches in recent years, compromising the sensitive information of millions of people.
The country has also drawn fire for deploying facial recognition systems to identify people’s ethnicities, particularly in the case of Uyghurs; but that won’t change with the new rules. According to the proposed measures, any organization or individual should refrain from utilizing facial recognition technology to create profiles based on race, ethnic group, religion, health, social class, or other sensitive information, unless it’s deemed necessary for reasons including national security and public security.
The proposal is seeking public opinions until September 7.