Lifting the Veil of Mystery in Facial Recognition: Privacy Protection from Private Entities’ Misuse of Information in China

Abstract

In the past few years, improvements in facial recognition technology have caused a rapid increase in the collection of facial recognition information in the private sector. In China, data subjects’ facial recognition information could be easily collected with or without their knowledge as they enter into some public business premises such as hotels, banks, and other physical public places. As public spaces extend to digital public spaces, the collection of facial recognition may happen online. For example, platform providers extract and collect facial recognition information from uploading photos publicly available online, with or without data subjects’ consent. Privacy concerns unavoidably come with the illegal collection of facial recognition information. Personal Information Protection Law (PIPL) regards facial recognition information as sensitive information and sets up rules to protect data subjects’ facial recognition information from illegal collection by private entities in physical public places. However, the law has not yet fully developed to protect this information effectively, and more privacy issues happen in China. Later, several regulations and judicial interpretations are established to address the issues, especially issues in physical public places. This essay endeavours to examine data subjects’ informational privacy rights regarding facial recognition information and whether existing Chinese regulatory mechanisms are effective enough to protect their rights to facial recognition information from the misuse of information by private entities in public spaces. After discussing the nature of facial recognition information, this article points out that issues in the illegal collection, process, and use of facial recognition information by private entities potentially intersect with both the protection of personal information and informational privacy protection. Data subjects’ informational privacy rights regarding facial recognition information deserve protection. Next, it conducts a comparative analysis to compare rules regulating the misuse of facial recognition information in the private sector among the EU, the US, and China. It finds that different jurisdictions have different focal points, which lead to different protection patterns. The EU protects data subjects’ informational privacy rights regarding facial recognition information as fundamental rights, and the US prioritizes the free flow of information, while China focuses on the specific activities of data processors. Finally, it proposes that the Chinese pattern could be improved to protect data subjects’ privacy rights to facial recognition information comprehensively, such as by flexible application of the informed consent principle.