Yue Zhongming, spokesman for the Legislative Affairs Commission of China’s legislature, said on Monday morning that the proposed Personal Information Protection Law (PIPL) will make clear that sensitive information such as facial biometrics must be “used for specific purposes and only when sufficiently necessary”, and that a risk assessment should be conducted in advance.
In the draft text of the law, released for public consultation in mid-October, Article 29 specifies that “sensitive personal information” includes information on race, ethnicity, religious beliefs, individual biometric features, medical health, financial accounts and individual location tracking.
Get the latest insights and analysis from our Global Impact newsletter on the big stories originating in China.
“The use and development of facial recognition and other new technologies has created new challenges for the protection of personal information,” Yue said. “The Legislative Affairs Commission will listen further to a wide range of opinions on this issue, and conduct in-depth research and assessment.”
He said that the PIPL would clarify the rights of individuals regarding their personal information and the obligations of those processing it, including obtaining people’s consent and taking measures to safeguard it.
Legal experts have welcomed the draft text, drawing parallels with the European Union’s data legislation, the General Data Protection Regulation, which states that individuals own their own data and companies are only stewards of it.
The Chinese legislation has proposed fines of up to 50 million yuan (US$7.6 million) or 5 per cent of a company’s annual revenue for violations of data privacy, and will also apply to organisations outside China that use data about individuals in China.
But some observers have raised issues about the vague details in the draft law on how businesses can be compliant, and the relatively light penalty in comparison with the billion-dollar big-data market and the risks of data breaches.
There have been growing demands from Chinese consumers and the country’s more than 900 million internet users for better privacy protections, given the increasing use of technology in China’s private sector and lax approaches to consumer data privacy. There are existing laws on cybersecurity and data security, but they do not specify provisions on personal data privacy.
In November, a court in Hangzhou ruled in the country’s first facial recognition lawsuit that the use of facial recognition technology for admission to a local safari park was “unnecessary and lacked legitimacy”.
Also in eastern China, several real estate companies in Nanjing were ordered by the authorities to remove facial recognition systems that were used to categorise clients, while a video shared widely online showed a man in Jinan wearing a motorcycle helmet to a property exhibition to evade facial recognition cameras.
Cybersecurity firm Comparitech found that China was the worst country when it came to collection, use and storage of biometric data, including for its “widespread and invasive use of facial recognition technology in CCTV cameras”.
Chinese technology companies including Huawei Technologies Co., Megvii and Alibaba – parent company of the South China Morning Post – were found to have offered facial recognition software that can detect Uygurs, the Turkic ethnic minority targeted in the country’s far-western Xinjiang region.
Huawei said the technology had “not seen real-world application”, Megvii said its systems were not designed to target ethnic groups, and Alibaba said it would not allow its technology to target specific ethnic groups.
More from South China Morning Post:
This article China’s new data privacy law ‘will state how facial recognition can be used’ first appeared on South China Morning Post