Standardize the application of facial recognition technology! National Cyberspace Administration publicly solicits opinions from users
In order to standardize the application of face recognition technology, the State Internet Information Office has drafted the Administrative Provisions on the Security of Face Recognition Technology Application in accordance with the Cyber Security Law of the People's Republic of China, the Data Security Law of the People's Republic of China, the Personal Information Protection Law of the People's Republic of China and other laws and regulations, and now solicits public opinions. The public can provide feedback through the following channels and methods:
1. Log in to the Chinese Government Legal Information Network of the Ministry of Justice of the People's Republic of China and enter the "Legislative Opinion Collection" column on the main menu of the homepage to submit opinions.
2. Send via email to: shujuju@cac.gov.cn.
3. Send your comments by letter to the Network Data Management Bureau of the State Internet Information Office, No. 15, Fucheng Road, Haidian District, Beijing, 100048, and indicate "Comments on the Safety Management Regulations on the Application of Face Recognition Technology" on the envelope.
The deadline for feedback is September 7, 2023.
Attachment: Safety Management Regulations for Facial Recognition Technology Application
National Internet Information Office
August 8, 2023
Regulations on the Security Management of Facial Recognition Technology Applications
Article 1: In order to standardize the application of facial recognition technology, protect personal information rights and other personal and property rights, maintain social order and public safety, this regulation is formulated in accordance with laws such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China.
Article 2: The use of facial recognition technology to process facial information and the provision of facial recognition technology products or services within the territory of the People's Republic of China shall comply with these regulations. If there are other provisions in laws and administrative regulations, they shall prevail.
Article 3: The use of facial recognition technology shall comply with laws and regulations, abide by public order, respect social morality, assume social responsibility, fulfill personal information protection obligations, and shall not use facial recognition technology to engage in activities prohibited by laws and regulations, such as endangering national security, damaging public interests, disrupting social order, and infringing on the legitimate rights and interests of individuals and organizations.
Article 4: Facial recognition technology can only be used to process facial information when it has a specific purpose and sufficient necessity, and strict protective measures are taken. If other non-biometric recognition technology solutions exist to achieve the same purpose or meet the same business requirements, priority should be given to choosing non-biometric recognition technology solutions.
For those who use facial recognition technology to verify personal identity and identify specific natural persons, priority is encouraged to use authoritative channels such as the National Population Basic Information Database and the National Network Identity Authentication Public Service.
Article 5: The use of facial recognition technology to process facial information shall obtain individual consent or written consent in accordance with the law, except for cases where personal consent is not required by laws and administrative regulations.
Article 6: Hotel rooms, public bathrooms, changing rooms, bathrooms, and other places where the privacy of others may be infringed shall not be equipped with image capture and personal identity recognition equipment.
Article 7: When image capture and personal identity recognition equipment is installed in public places, the installation shall be necessary for maintaining public safety, comply with relevant national regulations, and be accompanied by prominent warning signs.
The construction, use, operation and maintenance units that install image capture and personal identification equipment in public places shall have the obligation to keep confidential the personal images and identification information obtained, and shall not illegally disclose or provide them to the public. The collected personal images and identification information can only be used for the purpose of maintaining public safety and cannot be used for other purposes, except where individual consent has been obtained.
Article 8: If an organization installs image acquisition and personal identity recognition equipment for internal management, it shall reasonably determine the image information acquisition area according to actual needs, take strict protective measures, prevent illegal access, copying, disclosure, external provision, and dissemination of personal images, and prevent personal information leakage, tampering, loss, or illegal acquisition or utilization.
Article 9: Hotels, banks, train stations, airports, sports venues, exhibition halls, museums, art galleries, libraries and other business premises, except for those that are required by laws and administrative regulations to use facial recognition technology to verify personal identity, shall not force, mislead, deceive, or coerce individuals to accept facial recognition technology for the purpose of handling business or improving service quality.
Where individuals voluntarily choose to use facial recognition technology to verify their identity, it should be ensured that they are fully informed and actively participate. During the verification process, clear and understandable voice or text should be used to promptly and clearly indicate the purpose of identity verification.
Article 10: The use of facial recognition technology in public places or business premises to remotely and imperceptibly identify specific natural persons shall be necessary for maintaining national security, public safety, or protecting the life, health, and property safety of natural persons in emergency situations, and shall be voluntarily proposed by individuals or stakeholders.
If a user of facial recognition technology requests to use facial recognition technology to identify a specific individual or interested party remotely and imperceptibly, the relevant services shall be limited to the minimum necessary time, location, or crowd range, and shall not be associated with personal information that is not directly or necessarily related to the individual's request.
Article 11: Except as necessary for maintaining national security, public safety, or protecting the life, health, and property safety of natural persons in emergency situations, or with the sole consent of individuals, no organization or individual shall use facial recognition technology to analyze sensitive personal information such as race, ethnicity, religious beliefs, health status, and social class.
Article 12: If it involves significant personal interests such as social assistance and real estate disposal, facial recognition technology shall not be used as a substitute for manual verification of personal identity. Facial recognition technology can serve as an auxiliary means of verifying personal identity.
Article 13: If users of facial recognition technology process facial information of minors under the age of fourteen, they shall obtain separate or written consent from the parents or other guardians of the minors.
Parents or other guardians of minors should correctly fulfill their guardianship responsibilities, educate and guide minors under the age of fourteen to enhance their awareness and ability to protect personal information.
Article 14: Property service enterprises and other building managers shall not use facial recognition technology to verify personal identity as the only way to enter and exit the property management area. If individuals do not agree to use facial information for identity verification, property service enterprises and other building managers shall provide other reasonable and convenient identity verification methods.
Article 15: When processing facial information, users of facial recognition technology shall conduct a personal information protection impact assessment in advance and record the processing results.
The impact assessment of personal information protection mainly includes the following contents:
1. Whether it complies with the provisions of laws, administrative regulations, and mandatory requirements of national standards, and whether it complies with ethical and moral standards;
2. Whether processing facial information has a specific purpose and sufficient necessity;
3. Whether it is limited to the accuracy, precision, and distance requirements necessary to achieve the purpose;
4. Whether the protective measures taken are legal, effective, and appropriate to the level of risk;
5. The risk or potential harm of facial information leakage, tampering, loss, damage, or illegal acquisition or utilization;
6. The potential harm and impact on personal rights, as well as the effectiveness of measures to reduce adverse effects.
The personal information protection impact assessment report should be kept for at least three years. If the purpose and method of processing facial information change, or if a major security incident occurs, users of facial recognition technology should re-evaluate the impact of personal information protection.
Article 16: Users of facial recognition technology who use facial recognition technology in public places or store facial information of more than 10000 people shall register with the network information department at or above the city level within 30 working days. The following materials should be submitted for filing:
1. Basic information of users of facial recognition technology and their personal information protection responsible persons;
2. Explanation of the necessity of processing facial information;
3. The processing purpose, processing method, and security protection measures of facial information;
4. Processing rules and operating procedures for facial information;
5. Personal information protection impact assessment report;
6. Other materials deemed necessary by the Cyberspace Administration.
If users of facial recognition technology handle facial information that is required to be kept confidential by laws and administrative regulations, relevant regulations shall be followed.
If there is a substantial change in the filing information, the filing change procedures should be completed within 20 working days from the date of the change. Those who terminate the use of facial recognition technology shall complete the registration and cancellation procedures within 30 working days from the date of termination.
Article 17: Except where statutory conditions are met or individual consent has been obtained, users of facial recognition technology shall not save original facial images or videos, except for facial information that has been anonymized.
For those who provide facial recognition technology services to the public, the relevant technology systems should comply with the protection requirements of network security level three or above, and take measures such as data encryption, security auditing, access control, authorization management, intrusion detection, and defense to protect facial information security. Those belonging to critical information infrastructure should also meet the relevant requirements for security protection of critical information infrastructure.
Article 18: When using facial recognition technology to process facial information, efforts should be made to avoid collecting facial information unrelated to the provision of services. If unavoidable, it should be promptly deleted or anonymized.
Article 19: Users of facial recognition technology shall conduct annual inspections and evaluations of the security and potential risks of image acquisition equipment and personal identity recognition equipment, improve security strategies based on the inspection and evaluation results, adjust confidence thresholds, and take effective measures to protect image acquisition equipment and personal identity recognition equipment from attacks, intrusions, interference, and destruction.
Article 20: Image acquisition equipment and personal identity recognition equipment listed in the catalog of key network equipment and specialized network security products in accordance with relevant national regulations shall be certified or tested by qualified institutions in accordance with the mandatory requirements of relevant national standards before they can be sold or provided.
Article 21: The network information department, in conjunction with the telecommunications regulatory department, public security organs, market supervision departments and other relevant departments, shall strengthen supervision and inspection of the use of facial recognition technology in accordance with their responsibilities, guide and urge users of facial recognition technology to complete filing procedures, timely discover security risks, and urge rectification within a specified period of time.
Users, products or service providers of facial recognition technology shall cooperate with the supervision and inspection carried out by relevant departments in accordance with the law.
Article 22: Any organization or individual who discovers any violation of these regulations may file a complaint or report to relevant departments such as cyberspace, telecommunications, public security, and market supervision.
If relevant departments such as cyberspace, telecommunications, public security, and market supervision receive relevant complaints or reports, they shall handle them in accordance with their responsibilities and the law.
Article 23: If users of facial recognition technology or related product or service providers violate these regulations, relevant departments such as cybersecurity, telecommunications, public security, and market supervision shall, within their scope of responsibilities, impose penalties in accordance with laws and regulations such as the Cybersecurity Law of the People's Republic of China, the Data Security Law of the People's Republic of China, and the Personal Information Protection Law of the People's Republic of China. Those who violate the Law on Public Security Administration Punishments shall be punished for public security administration in accordance with the law; if a crime is constituted, criminal responsibility shall be pursued in accordance with the law.
Those who violate these regulations and cause damage to others shall bear civil liability in accordance with the law.
Article 24: The State Internet Information Office, together with the Ministry of Industry and Information Technology, the Ministry of Public Security and the State Administration of Market Supervision and Administration, is responsible for the interpretation of these Provisions.
Article 25: These regulations shall come into effect on [date].