![Sample our Law journals, sign in here to start your FREE access for 14 days]({"type":"image" , "src" : "/sda/5942/TOC-Subject-Sample-2021-Law.jpg"})
Abstract
The legal protection of biometric data is becoming an increasingly important issue in the information society. China attaches importance to the legal protection of biometric data. Over the past decades, the rapid development of digital technology has profoundly influenced Chinese information society. However, digital technology may also trigger substantial risks. In this article, we provide an in-depth examination of existing Chinese laws protecting biometric data. We explore general laws and facial recognition laws, administrative regulations, sector-based rules, judicial interpretations, regulatory documents, policy documents, and (draft) national standards. We find gaps in laws in China. Building on this analysis, we elaborate on five principles for the legal protection of biometric data: (1) legality, propriety, and necessity; (2) integrity; (3) purpose; (4) minimization; and (5) controllability. We provide three policy recommendations for the legal protection of biometric data: (1) sufficiently considering the purpose of the collection of biometric data, (2) creating controllable mechanisms, and (3) implementing regulatory compliance programs.
DISCLOSURE STATEMENT
The authors declare that they have no conflict of interest.
Notes
1 See Personal Data Protection Commission & Security Association Singapore, Guide on Responsible Use of Biometric Data in Security Applications (2022), https://www.pdpc.gov.sg/-/media/Files/PDPC/PDF-Files/Other-Guides/Guide-toBiometric_17May2022.ashx?la=en.
2 See Wang Lin & Xi Sun Ji, AI Security Companies Were Exposed to Data Leakage and Sounded the Alarm on Face Recognition Security, CCTV.com (Feb. 26, 2019, 6:45 AM), https://news.cctv.com/2019/02/26/ARTIpBI3zrVbQxjZ78yraD83190226.shtml.
3 See Bloomberg, Facebook Data on 533 Million Users Reemerge Online for Free, L.A. Times (Apr. 3, 2021, 1:40 PM), https://www.latimes.com/business/story/2021-04-03/facebook-data-hack.
4 See Central Florida Inpatient Medicine Breach, ID Strong (Sept. 16, 2022), https://www.idstrong.com/sentinel/central-florida-inpatient-medicine-breach/.
5 740 Ill. Comp. Stat. Ann. 14/10 (West 2008).
6 California Consumer Privacy Act of 2018, Cal. Civ. Code §§ 1798.100-199 (West 2019).
7 Washington Privacy Act, S.B. 5376, 66th Leg., Reg. Sess. (Wash. 2019).
8 Deepfake Report Act of 2019, S. 2065, 116th Cong. (2019).
9 2016 O.J. (L. 119/1) 679.
10 Eur. Parl. Doc. (52021PC0206) 206 (Proposal for a Regulation Laying Down Harmonised Rules on Artificial Intelligence (Artificial Intelligence Act) and Amending Certain Union Legislative Acts).
11 See xìnxī ānquán jìshù gèrén xìnxī ānquán guīfàn (信息安全技术 个人信息安全规范) [Information Security Technology—Personal Information (PI) Security Specification] (promulgated by State Administration for Market Regulation, Oct. 11, 2021, effective May 1, 2022) GB/T 40660—2021, Oct. 11, 2021, at 5, https://www.chinesestandard.net/PDF.aspx/GBT40660-2021.
12 See SHĒNGWÙ SHÍBIÉ YĬNSĪ BĂOHÙ YÁNJIŪ BÀOGÀO (生物識別隱私保護研究報告) [Biometric Privacy Protection Research Report], CAICT (中國信通院) [CAICT], http://www.caict.ac.cn/kxyj/qwfb/ztbg/202010/P020201028364732231494.pdf (last visited Dec. 21, 2023).
13 See Rénliǎnshíbié Shíshī Guānchá: Jìshùlànyòng,Yìngyòng Mángqū, 70% Yònghù Dānxīn Shùjù Xièlòu (人臉識別實施觀察:技術濫用,應用盲區,70%使用者擔心數據洩露) [Observation of Facial Recognition Implementation: Abuse of Technology, Blind Spots of Applications, 70% of Users Concerned about Data Breaches], nándū réngōngzhìnéng lúnlǐ yánjiūzǔ (南都人工智慧倫理研究組) [Nandu Artificial Intelligence Ethics Research Group] (Jan. 7, 2020, 4:29 PM), http://cbdio.com/BigData/2020-01/07/content_6154002.htm.
14 These laws and regulations in China mainly include: the Decision on Strengthening Network Information Security by the NPC Standing Committee (promulgated by the Nat’l People’s Cong. Standing Comm., Dec. 28, 2012, effective Dec. 28, 2012), China Copyright and Media: The Law and Policy of Media in China; Regulations Regarding Telecom and Internet Users’ Personal Information Protection by the Ministry of Industry and Information Technology (promulgated by Ministry of Industry and Information Technology, June 28, 2013, effective Sept. 1, 2013), DIGICHINA, July 16, 2013, https://digichina.stanford.edu/work/telecommunications-and-internet-personal-user-data-protection-regulations/; and the Biosecurity Law (promulgated by Nat’l People’s Cong. Standing Comm., Oct. 17, 2020, effective Apr. 15, 2021), The Nat’l People’s Cong. of China, Oct. 17, 2020, http://en.npc.gov.cn.cdurl.cn/2020-10/17/c_703568.htm; etc.
15 It is commonly acknowledged that fundamental laws in China are the Cybersecurity Law (2016), the Biosecurity Law (2020), the Civil Code (2020), the Personal Information Protection Law (2021), and the Data Security Law (2021). See Cybersecurity Law of China (promulgated by Nat’l People’s Cong. Standing Comm., Nov. 7, 2016, effective June 1, 2017), Cyberspace Admin. of China, Nov. 7, 2016, http://www.cac.gov.cn/2016-11/07/c_1119867116_3.htm; see id., Biosecurity Law; Civil Code of China (promulgated by Nat’l People’s Cong. Standing Comm., May 28, 2020, effective Jan. 1, 2021), The State Council of China, Dec. 31, 2020, https://english.www.gov.cn/archive/lawsregulations/202012/31/content_WS5fedad98c6d0f72576943005.html; Personal Information Protection Law of China (promulgated by Nat’l People’s Cong. Standing Comm., Aug. 20, 2021, effective Nov. 1, 2021), China Briefing, Aug. 24, 2021, https://www.china-briefing.com/news/the-prc-personal-information-protection-law-final-a-full-translation/; Data Security Law of China (promulgated by Nat’l People’s Cong. Standing Comm., June 10, 2021, effective Sept. 1, 2021) The Nat’l People’s Cong. of China, June 10, 2021, http://www.npc.gov.cn/englishnpc/c2759/c23934/202112/t20211209_385109.html.
16 Yan Luo & Rui Guo, Facial Recognition in China: Current Status, Comparative Approach and the Road Ahead, 25 U. Pa. J.L. Soc. Change 153, 158 (2021).
17 Iria Giuffrida, Liability for AI Decision-Making: Some Legal and Ethical Considerations, 88 Fordham L. Rev. 439, 440 (2019).
18 See Luo & Guo, supra note 16, 159-62.
19 See Cybersecurity Law of China, supra note 15, art. 41.
20 See Biosecurity Law, supra note 14, art. 85(8).
21 See id., art 55.
22 See Civil Code of China, supra note 15, art. 1034.
23 See Personal Information Protection Law of China, supra note 15, art. 26.
24 Id.
25 See Personal Information Protection Law of China, supra note 15, ch. 2, sec. 2.
26 See Data Security Law of China, supra note 15, art. 21.
27 See Regulation on the Administration of Credit Investigation Industry (promulgated by the State Council, Dec. 26, 2012, effective Mar. 15, 2013), art. 14, The People’s Bank of China, Jan. 21, 2013, http://www.pbc.gov.cn/en/3688253/3689006/3858830/index.html.
28 See Zhongshao Gao, “Multi-Layered” Legal Norms Protecting Facial Recognition Data (in Chinese), Prosecutor Daily (Sept. 8, 2019), https://www.spp.gov.cn/spp/llyj/202109/t20210908_528821.shtml.
29 See Notice of the Cyberspace Administration of China on the “Regulations on the Management of Network Data Security (Draft for Solicitation of Comments)” for Public Solicitation of Comments, art. 25, Cyberspace Admin. of China, Nov. 14, 2021, http://www.cac.gov.cn/2021-11/14/c_1638501991577898.htm.
30 See zuìgāorénmínfǎyuàn guānyú shěnlǐ shǐyòng rénliǎnshíbié jìshù chǔlǐ gèrénxìnxī xiāngguān mínshì ànjiàn shìyòng fǎlǜ ruògān wèntí de guiding (最高人民法院关于审理使用人脸识别技术处理个人信息相关民事案件适用法律若干问题的规定) [Provisions of the Supreme People’s Court on Several Issues Concerning the Application of Law in the Trial of Civil Cases Relating to Processing of Personal Information by Using Facial Recognition Technology], art. 1, Libr. Of Cong. (Sup. People’s Ct. Jun. 8, 2021) (China), https://www.loc.gov/item/global-legal-monitor/2021-08-15/china-supreme-peoples-court-issues-judicial-interpretation-against-misuse-of-facial-recognition-technology/.
31 See id. at art. 4.
32 See Provisions of the Supreme People’s Court on Several Issues Concerning the Application of Law, supra note 30, art. 5.
33 Supra note 11.
34 See Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications (promulgated by Cyberspace Administration of China, the Ministry of Industry and Information Technology, and the Ministry of Public Security, and the State Administration for Market Regulation, Mar. 12, 2021, effective May 1. 2021), China Network Information Network, Mar. 22, 2021, http://www.cac.gov.cn/2021-03/22/c_1617990997054277.htm.
35 See Measures for Determination of Violations of Laws and Regulations in APPs’ Collection and Use of Personal Information (Draft for the Solicitation of Comments), sec. 2.3, China Law Translate, May 7, 2019, https://www.chinalawtranslate.com/en/measures-for-determination-of-violations-of-laws-and-regulations-in-apps-collection-and-use-of-personal-information-draft-for-the-solicitation-of-comments/.
36 See Provisions on the Security Management of the Application of Facial Recognition Technology (Provisional), art. 4, Cyberspace Administration of China, Aug. 8, 2023, https://mp.weixin.qq.com/s/ZbsL8qfU0fXF031ZUomE3A.
37 See id. at art. 6.
38 Supra note 11.
39 See Qi Zhang & Dongmei Xiao, The Judicial Application Dilemma and Outlet of Biometric Information Definition in China (in Chinese), 42(7) Libr. Trib. 53 (2022).
40 See Xiuwen Gu & Bo Zhang, Research on Legal Regulation of Personal Biometric Information Application Risk (in Chinese), 187(4) Soc. Sci. Heilongjiang 76 (2021).
41 See Xianquan Liu & Yimin Lu, Construction and Perfection of Criminal Law Protection of Biometric Information (in Chinese), 117(1) J. Soochow U. (Phil.& Soc. Sci. Edition) 62 (2022).
42 See id.
43 See Liping Gu, From Identity Recognition to Body Manipulation: Research on Privacy Protection in Intelligent Biometric Technology (in Chinese), 64(5) J. Shanghai Normal U. (Phil.& Soc. Sci. Edition) 11 (2021).
44 See Kunru Yan & Dan Liu, Involvement of Technology and Its Ethical Protocol Based on Biometric Identification Technology (in Chinese), 19(1) J. Ne. U. (Soc. Sci.) 4 (2017).
45 See Liping Gu, Identity Recognition and Replication: Privacy Protection in the Application of Intelligent Biometrics (in Chinese), 50(4) J. Soc. Sci. of Hunan Normal U. 126 (2021).
46 See 郭兵与杭州野生动物世界有限公司服务合同涉人脸识别纠纷(guō bīng v hángzhōu yěshēng dòngwùshìjiè) [Bing Guo v. Hangzhou Wildlife World Co., Ltd.], China Laws Portal (Hangzhou Fuyang District People’s Court Nov. 20, 2020) (China).
47 See Nenggao He & Jingkun Wang, Legal Risks and Rules of Biometric Technology Application: A Case Study of Bing Guo (in Chinese), 258(6) Just. China 44 (2021).
48 See Yang Yu, On the Regulatory Structure of the Application Risk of Personal Biometric Information (in Chinese), 29(6) Admin. L. Rev. 103 (2021).
49 See Guorui Sun, Will a “ZAO” Face-Swapping Software Confront Copyright Risks? (in Chinese), People.cn (September 6, 2019), http://ip.people.com.cn/n1/2019/0906/c179663-31340892.html.
50 See Gu & Zhang, supra note 40, at 63.
51 Personal Information Protection Law of China, supra note 15, art. 5.
52 See id., art. 6.
53 See Civil Code of China, supra note 15, art. 8.
54 Shi Hui Qiu & Ming Hu, Legislative Moves on Biosecurity in China, 40 Biotechnology L. Rep. 30 (2021).
55 See Civil Code of China, supra note 15, art. 7.
56 See Yong Zhang, Legal Protection of Personal Bioinformation Security: A Case Study of Face Recognition (in Chinese), 42(5) Jiangxi Social Sciences 161 (2021).
57 See Ke Xu, The Integrity Principle: A Trust Path to Balance Personal Information Protection and Utilization (in Chinese), 34(5) Peking U. L. J. 1143, 1145-50 (2022).
58 See Personal Information Protection Law of China, supra note 15, art. 6.
59 Supra note 11.
60 See Personal Information Protection Law of China, supra note 15, art. 28.
61 See id., art. 6.
62 Supra note 11.
63 See Personal Information Protection Law of China, supra note 15, art. 9.
64 See Kristen E. Eichensehr, Giving Up on Cybersecurity, 64 UCLA L. Rev. Discourse 320, 324 (2016).
65 See Jin Rui Liu, The Reform of Data Security Paradigm and Its Legislative Development (in Chinese), 43(1) Glob. L. Rev. 1, 10-11 (2021).
66 See Personal Information Protection Law of China, supra note 15, art. 51.
67 See Iynkaran Natgunanathan et al., Protection of Privacy in Biometric Data, (4) IEEE Access 880, 880 (2016).
68 See Claudia Diaz, Omer Tene, & Seda Gurses, Hero or Villain: The Data Controller in Privacy Law and Technologies, 74(6) Ohio St. L. J. 923, 949 (2013).
69 See Xixue Shang, China’s Position and Institutional Approach to the Commercial Application of Biometric Information—Given the Comparative Evaluation of European and American Law Models (in Chinese), 40(2) Jiangxi Soc. Sci. 200 (2020).
70 See Muge Fazlioglu, Beyond the Nature of Data: Obstacles to Protection Sensitive Information in the European Union and the United States, 46(2) Fordham Urban L. J. 271, 302 (2019).
71 See Spiros Simitis, Privacy—An Endless Debate?, 98(6) Calif. L. Rev. 1989, 2000 (2010).
72 See Liesbet Hooghe & Gary Marks, Multi-Level Governance and European Integration, 5(11) EIoP 1, 4-5 (2001).
73 See Qian Li, Fraud Internet Flow Needing a Multi-Governance Model (in Chinese), People’s Ct. Daily (Dec. 30, 2021), https://www.chinacourt.org/article/detail/2021/12/id/6461808.shtml.
74 Robin Feldman, Considerations on the Emerging Implementation of Biometric Technology, 25 Hastings Comm. & Ent. L. J. 653, 665 (2003).
75 Id.
76 See Hui Qiang Xing, Legal Regulation of Face Recognition (in Chinese), Inst. of Rule of L., China Univ. Pol. Sci. L. (June 14, 2021), http://fzzfyjy.cupl.edu.cn/info/1035/13047.htm.
77 See Yu, supra note 48.
78 See Personal Information Protection Law of China, supra note 15, art. 56.
79 See id. at art. 57.
80 See id. at art. 64.
81 Privacy by Design, Australian Government, https://www.oaic.gov.au/privacy/privacy-for-organisations/privacy-by-design (last visited Dec. 22, 2023).
82 See Wei Fan, Reconstruction of the Path of Personal Information Protection in the Era of Big Data (in Chinese), Inst. of Rule of L., China Univ. Pol. Sci. L. (June 25, 2021), http://fzzfyjy.cupl.edu.cn/info/1035/13097.htm.
83 See Criminal Law of China (promulgated by Nat’l People’s Cong. Standing Comm., July 1, 1979, rev. Dec. 28, 2002, effective Oct. 1, 1997), art. 253, Congressional Executive Commission on China, Jan. 15, 2013, https://www.cecc.gov/resources/legal-provisions/criminal-law-of-the-peoples-republic-of-china#2%20Chapter%20XI.
84 See Huai Sheng Li, On the Criminal Responsibility about the Abuse of Personal Biometric Information—Taking Artificial Intelligence “Deepfake” as an Example (in Chinese), 38 Trib. Pol. Sci. and L. 144, 151-52 (2020).