China Technical Body Sets Plan to Bolster Facial Recognition Security
China has released a detailed draft of national standards to regulate the use and protection of facial recognition data amid a heated debate surrounding the widespread use of surveillance technologies in public areas across the country.
The National Information Security Standardization Technical Committee (TC260), China’s top authority in charge of unified management and supervision of standardization work, released the proposed draft (link in Chinese) Friday for a period of public comment until June 22.
After taking effect, it will become the country’s first set of national standards for the use and protection of facial recognition data. The draft plan calls for increased security standards for storing facial recognition data and written permission from subjects before businesses can share captured data.
“There are currently no clear security requirements for indiscriminate collection, storage and use of facial recognition data due to a lack of relevant standards,” according to a note released together with the draft. “This results in weak security measures and individuals’ face information being widely used without their explicit permissions.”
The draft was proposed following the release last year of the Personal Information Security Specification, a rule on the collection and protection of personal data that had already required the protection of sensitive personal information, particularly personal biometric information such as fingerprints and facial recognition features. However, the new draft specifies the concepts of facial recognition while providing concrete measures to protect individuals’ facial data security.
According to the draft, facial recognition data “should not be publicly disclosed, and should in principle not be shared or transferred.” For business needs, data controllers should separately inform data subjects and obtain their written permission. If the data refers to facial images, data controllers should delete them as soon as possible after completing the verification or identification.
It also urges data controllers to take responsibility for managing data security. For example, data controllers are required to be able to protect against attacks and interference with facial recognition by using face photos, videos, synthesis animations or simulated facial 3D masks – guarding against so-called “deep fakes”.
As a recommended national standard, the draft will not have the statutory validity of a law, but it is still believed to have “corresponding administrative binding force” after being included in a directive document, according to an interpretation (link in Chinese) by the Standardization Administration, a standards organization authorized by China’s State Council.
“National standards are not a formal source of law in China, but they are commonly observed by all parties in various economic and technical activities, creating a de facto binding force in the form of a ‘soft law’,” said Ge Xin, a researcher at the China Academy for Information and Communications Technology who participated in the drawing-up of the 2020 Personal Information Security Specification.
In October, a draft data protection law was deliberated by China’s highest legislative body, the Standing Committee of the National People’s Congress, as part of efforts to improve the legal system. It was later submitted for consideration after finishing the process of seeking public consultation.
Contact reporter Wang Xintong (firstname.lastname@example.org) and editor Lu Zhenhua (email@example.com)