Deployments in public places will still be allowed on national security grounds

The technology must be used for a reason

On 8 August 2023, the Cyberspace Administration of China (CAC) published for consultation a set of draft measures to govern the use of facial recognition. The proposed regulations – which are open for comment until 7 September – aim to ensure that any application of the technology upholds the rights of individuals and protects their personal information, and does not endanger national security or social order. Facial recognition may only be used when it is necessary for a specific purpose and when strict protections are in place, with the CAC recommending that non-biometric identification solutions are preferred if they can fulfil the same objectives. Also, the processing of facial information captured by the technology requires the user to obtain an individual’s consent (either in person or written).

Regulator outlines rules for capturing biometric data

The CAC has outlined a range of locations where image collection devices should not be installed, such as hotel rooms and changing rooms, and proposed that facial recognition should not be used to analyse a person’s race, ethnicity or religion, or to identify children under the age of 14 (without permission of a parent or guardian). However, the technology may be employed in public places where it is considered necessary to maintain security or safety, including in emergency situations, so long as ‘prominent reminder signs’ are displayed and personal data is kept confidential. Entities that use facial recognition in public places or who store biometric information of more than 10,000 people should submit a report to the CAC on why and how they apply the technology, and the data processing and protection measures they have implemented.

Chinese citizens are no stranger to facial recognition

Facial recognition has been deployed extensively across China, from train stations and shops, fuelling the growth of the domestic industry. However, overuse of the technology has sparked concerns regarding the collection of personal information, especially without consent, while firms such as Hikvision and SenseTime have been blacklisted by the US for their alleged role in political repression. The CAC’s draft rules add to a growing portfolio of tech regulation, which has so far focused on cybersecurity, data protection and privacy, and reflect decisions made in other countries – e.g. Argentina – to restrict facial recognition systems. Real-time applications of the technology have also seen fierce debate in the EU as the European Parliament sought to adopt its position on the AI Act.