On July 27, 2021, China’s Supreme People’s Court released the Provisions on Several Issues concerning the Application of Law in the Trial of Civil Cases Relating to the Use of Facial Recognition Technologies to Process Personal Information (the “Judicial Interpretations”), which will be effective on August 1, 2021, and held a press conference on them. With the increasingly popular use of face recognition technology in daily life, privacy is becoming an important social issue. Related civil disputes have also emerged, for example, a lawsuit brought by a law professor against a zoo over the use of facial recognition for its zoo pass. China’s highest court therefore saw a need to clarify the related legal rules.
The Judicial Interpretations confirm that facial information is “biometric information”, which is a category of personal information under the Civil Code. They then provide detailed rules on substantive issues, particularly as to when consent to process facial information is considered valid and when such processing is subject to civil liability under tort or contract law. The Judicial Interpretations also endeavor to facilitate plaintiffs’ actions by clarifying some procedural rules, for example, the burden of proof, joint and several liabilities, available injunctions and scope of damages. It is also noteworthy that, according to the press release, the Judicial Interpretations are intended to bridge with the proposed Personal Information Protection Law (the “PIPL”), which is still under deliberation and expected to pass in August.
I. Substantive rules: When is facial recognition allowed or prohibited?
a. Valid consent for processing facial information
In China, consent is to date the only legal basis for processing personal information under the Cybersecurity Law. In practice, however, what constitutes valid consent has always been controversial. In Article 4, the Judicial Interpretations make it clear that consent in the following forms would not be treated as valid:
- If the provision of products or services is conditioned on the consent, while such facial information is not necessary for providing the products or services;
- A blanket consent that is bundled with other user authorizations;
- Other ways of forcing, or forcing in a disguised manner, the user to give consent.
Please note that after the PIPL is enacted, there will be other legal bases for processing personal information, such as for the conclusion or performance of a contract with the individual, and for the performance of statutory duties or for compliance with legal obligations. But for personal information controllers that would still rely on consent to process personal information, it is important to assess whether the collected consent is valid.
b. Processing of facial information as a tort
The Judicial Interpretations explicitly provide that processing personal information in the following ways would be deemed as an infringement of individuals’ personal rights:
- Using facial recognition in violation of laws or administrative regulations in business or public places such as hotels, malls, banks, stations, airports, stadiums and gymnasiums or entertainment venues;
- Failure to disclose the rules of processing facial information or to explicitly indicate the purpose, method or scope of processing;
- Failure to collect a separate consent of the person or his/her guardian, or failure to collect a written consent that is required in accordance with laws or administrative regulations, where the processing is based on consent;
- Violating the purpose, method or scope of processing facial information as explicitly indicated or agreed upon;
- Causing the breach of, tampering with or loss of facial information due to failure to take necessary technical measures or other measures;
- Providing facial information to others in violation of laws or administrative regulations or the agreement between the parties;
- Processing facial information in violation of public order or good morals; or
- Other processing of facial information in violation of the principles of legality, legitimacy and necessity.
c. Processing of facial information under Contract Law
The Judicial Interpretations also set out how issues related to facial recognition would be decided under contract law, including:
- If, in a standard form contract, an information controller requires an individual to grant an authorization to process facial information that is infinite in time, irrevocable or can be sub-authorized, such a clause would be deemed void;
- If an information controller processes facial information in violation of its agreement with individuals, an individual can sue for breach of contract and, additionally, ask the court to order the controller to delete facial information.
In order to address public concerns, the Judicial Interpretations stipulate, very specifically, that a property management company cannot require the use of face recognition as the only means of verification for property owners to enter or leave the relevant area. It is not clarified whether such a requirement constitutes a void contract or a breach of contract. But a concurrent tort liability can arise if any of the above-mentioned situations occurs.
There has been a contractual dispute in China related to facial recognition that attracted heated discussion. A law professor purchased a zoo membership card which was based on fingerprint recognition, though the zoo collected both fingerprint and facial information. Later on, the zoo unilaterally announced that it would change its entry system from fingerprint recognition to facial recognition, which led to this lawsuit. The court ruled that unilateral notice by one party is not a valid modification of contract terms, and that the change therefore constituted a breach of contract. However, the court did not rule in this case on whether the use of facial recognition is necessary for an entry pass or whether the authorization is valid as a standard form contract.
The Judicial Interpretations will provide clearer legal rules for similar disputes in the future. And where a claim could be framed either in tort or in contract, an individual could opt for the theory of claim that is more advantageous to his or her case.
d. Exemption from liabilities
At the same time, the Judicial Interpretations also provide exemptions for personal information controllers from civil liabilities under the following circumstances:
- Where the processing of facial information is necessary for responding to a public health emergency or for protecting the life, health and property safety of a natural person;
- Where facial recognition technology is used in public places in accordance with relevant laws and regulations for the purpose of maintaining public security;
- Where facial information is processed in order to carry out activities such as news reporting and public opinion surveillance for public interest that are within a reasonable scope;
- Where facial information is reasonably processed within the scope agreed by the person or his/her guardian; or
- Other circumstances as prescribed by laws and administrative regulations.
These exemptions include common scenarios such as healthcare emergencies (e.g. COVID-19) or journalism. Personal information controllers should check whether they could potentially qualify under any of the scenarios.
II. Procedural rules: Is it easier for individuals to sue?
a. Burden of proof
Due to the lack of class action proceedings, it has always been difficult for individual users in China to sue personal information controllers for inappropriate processing. In judicial practice, some courts have tried to ease plaintiffs’ burden by re-allocating the burden of proof in individual cases. For example, in 2015, a man sued an online travel agency and an airline company after he received a scam text message related to his airline ticket, which presumably was due to the defendants’ data breach. The court held that, though fault-based liability applies, the plaintiff had satisfied his burden by showing that it was highly likely that his personal information was leaked by the defendants, and that it would have been impossible for him to prove the defendants’ fault by collecting evidence as to their internal data management.
The Judicial Interpretations address the burden of proof in two respects: (i) it is the burden of the personal information controller to prove that it complies with the principles of legality, legitimacy and necessity, obtains valid consent, discloses processing rules which explicitly indicate the purpose, method and scope of processing, and abides by laws, regulations and agreements; (ii) personal information controllers will have the burden to prove the scenarios of exemption as described above if they assert them.
Despite these provisions, the Judicial Interpretations do not in fact relieve the plaintiffs’ burden much and, as a judicial opinion rather than a law, are not able to. However, the PIPL under deliberation provides the standard of “presumptive fault”, which means that a personal information handler shall be liable for the damage caused by processing unless it can prove it is not at fault. This clause, if enacted, would relieve a plaintiff’s burden of proof in a civil action and facilitate damage claims.
b. Joint and several liabilities
The Judicial Interpretations provide for joint and several liabilities of multiple personal information controllers pursuant to the Civil Code, such as joint tortfeasors and those aiding and abetting a tort. In addition, the exemptions for online service providers (OSPs) under the Civil Code, which are close to a safe harbor rule, similarly apply, i.e., as to when OSPs shall bear infringement liabilities for the tortious acts of their users and when OSPs can be exempted if certain conditions are met.
c. Remedies: Injunction and scope of damage
In order to better protect plaintiffs, Article 9 of the Judicial Interpretations provides that an individual could ask for a temporary injunction by satisfying the conditions in the Civil Procedural Law (close to likelihood of success and irreparable harm). Moreover, because many individuals suing for personal information infringement can collect only nominal damages, Article 8 explicitly includes in the damages a plaintiff’s reasonable expenses that are related to the lawsuit, such as investigation, evidence collection and legal fees.
d. Potential collective actions and public interest litigations
As mentioned above, there are no class actions in the strictest sense in China. Individuals usually don’t have enough incentive to bring actions against personal information controllers, which are usually big companies. Collective actions and public interest litigations already exist under the Civil Procedural Law. Basically, a collective action is a merger of similar claims brought by similarly situated plaintiffs, and a public interest litigation is a claim brought by the people's procuratorates, consumers’ associations or other competent organizations on behalf of the infringed individuals.
The Judicial Interpretations stipulate that individuals whose rights are infringed by facial information controllers can bring collective actions, or public interest litigations can be brought on their behalf. It remains to be seen whether the two proceedings would play an increasingly important role in this regard.
III. Final remarks
It is obvious that the Judicial Interpretations undertake to address social issues related to face recognition technology by clarifying substantive rules. For companies that process facial information, the rules undoubtedly should be studied and assessed. However, as a document issued by a court, it is not legislation and cannot go beyond the boundary that is set out under the existing legal framework. Therefore, it is equally important to pay attention to the coming PIPL, and to how the Judicial Interpretations could bridge with the PIPL rules, for example, legal bases for processing personal information other than consent, or the “presumptive fault” rule in allocating the burden of proof.