China’s Supreme People’s Court, the top judicial authority in China, published guidelines addressing the application of laws on the use of facial recognition technology when handling civil cases. The document provides guidance for courts on how to apply the various rules in the Civil Code, Cybersecurity Law, Consumer Rights Protection Law, E-Commerce Law, and other relevant legislative instruments.
The Supreme Court clarified that facial recognition data constitutes biometric information, which itself is considered sensitive personal information. According to the Personal Information Protection Law, the controller of sensitive personal information must comply with certain principles: obtaining written and specific consent for the processing, providing a notice to the data subjects which includes the purposes of processing the facial recognition information and the implication on the data subject and complying with any applicable administrative restrictions.
The Supreme Court’s guidelines also addressed specific scenarios where facial recognition is frequently used, including the use of such technology to verify, identify or analyze faces in businesses or public places. The guideline’s unsurprising prohibition on using facial recognition in violation of laws is construed to imply that the use of facial recognition technology in public places requires a clear legal basis.
In addition, the Chinese Supreme Court laid out several considerations that Courts must take into account when handling civil cases involving facial recognition. These include whether the data subject is a minor; whether informed consent was obtained; and whether the purposes for processing the data were made clear. The burden of proof rests with the data controller to demonstrate it has processed data lawfully, or that it is exempt from such liability under the law.