On December 1, the Tianjin Municipal People's Congress Standing Committee voted to adopt the Tianjin Social Credit Regulations (hereinafter referred to as "Regulations"). Article 16 of the Regulations stipulates that market credit information providers shall collect information on natural persons with the consent of the person concerned and agree on the use of such information, except as otherwise provided by laws and administrative regulations. Market credit information providers shall not collect a natural person's religious beliefs, blood type, disease and medical history, biometric information, and other personal information whose collection is prohibited by laws and administrative regulations. Accordingly, enterprises and public institutions, trade associations and chambers of commerce are prohibited from collecting biometric information such as faces, fingerprints and voices.
Face recognition is a biometric technology based on human facial features for identification, this technology through the collection of portraits, key point extraction, pre-processing of portraits, feature extraction, face recognition comparison, to achieve the purpose of personal identification verification.
In the industry's view, the prohibited face recognition technology stipulated in the Regulations for market credit information collectors in specific scenarios implies that there may be technical abuse in the above areas. Based on this, a number of places such as Nanjing, Xuzhou and Hangzhou have previously also respectively required sales offices not to take facial information of visitors without consent as well as property servicers not to force owners to use *** facilities and equipment through fingerprints, face recognition and other bio-information.
Industrial blue ocean under the risk and opportunity co-exist
According to statistics, 2010-2018, China's face recognition industry market size compound annual growth rate of 30.7%, is expected to 2024 market size will exceed 10 billion yuan. However, in front of the vast blue ocean, the development of the industry is still facing many information security problems. Especially in the financial sector, fingerprints, face recognition and other technologies are more risky hidden danger.
Between the above, in recent years, a number of places are also constantly face recognition and other technologies to regulate. 2019 January, Shanghai released "accelerate the construction of the Shanghai financial technology center implementation plan" mentioned that it will promote the face recognition of offline payment and other 23 financial technology application pilot; in February of the same year, the People's Bank of China Fuzhou central sub-branch formally issued the "Fujian face recognition offline payment security application pilot". Implementation Program".
On August 23, 2019, the People's Bank of China issued the Financial Technology (FinTech) Development Plan (2019-2021), which mentions that it will explore the security application of face recognition for offline payment, and with the help of cryptographic identification, privacy computing, data labeling, pattern recognition and other technologies, it will utilize the realization of transaction authentication, and be constructed by licensed financial institutions to use the facial features as the routing identification of the The transfer clearing mode, realize the unity of security and convenience of payment tools.
In particular, in January this year, the China Payment Clearing Association also formulated the "Face Recognition Offline Payment Industry Self-discipline Convention (Trial)" in the collection and storage requirements, adhere to the "user authorization, the minimum sufficient", clearly inform the user of the information use of the purpose, mode and scope, and to obtain the user's authorization, avoiding features collection unrelated to the demand. The collection of features unrelated to demand is avoided.
But from the industry's point of view, face swipe payment has become the focus of competition for large payment organizations in the past two years. At the previous stage, WeChat Pay and Alipay face payment land grabbing war attracted wide attention. In the view of Sacks Research Institute senior researcher Su Xiaorui, why the leading payment institutions vigorously promote face swipe payment, first of all, because face swipe payment as a way of biological payment, the current penetration rate is relatively low, there is a wide range of space for development, the giants pursue to seize the high ground of the emerging model.
Secondly, it is true that face-swipe payment can alleviate cashier queues to a certain extent, which is helpful in improving transaction efficiency. Furthermore, WeChat, Alipay and other payment giants have a huge financial ecosystem, the future does not rule out the user's face record and its credit, risk control and other links, such as face payment brush more, credit score has improved, or the user's future in the application for a loan, its face information will be compared with many other observations.
Personal information security legislation is still not perfect
What is worth paying attention to is that "China's first case of face recognition" in ushered in the first trial decision. November 29, "network law practice circle" was informed that. "The first case of face recognition" plaintiff Guo Bing did not accept the first instance judgment (first instance judgment: "the first case of face recognition" judgment (full text)), has in the afternoon of the same day to send a statement of appeal.
November 20, 2020, Hangzhou Fuyang District People's Court on the case of public hearing, and pronounced the following sentence: the defendant wildlife company compensation for the plaintiff's loss of contractual interests and transportation costs *** totaling 1038 yuan, delete the plaintiff for fingerprints submitted when the annual card, including photographs of the facial characteristics of the information, while rejecting the plaintiff put forward to confirm that the zoo store notices, SMS notification of other litigation requests. At the same time, the plaintiff's other claims to confirm the invalidity of the relevant content in the zoo shop notice and SMS notification were rejected.
The court held that the focus of this case is to evaluate and regulate the handling of consumers' personal information, especially fingerprints and faces. China's laws for the collection of personal information in the field of consumption, the use of personal information is not prohibited, but emphasizes the supervision and management of personal information handling process, that is, the collection of personal information to follow the principle of "lawful, legitimate, necessary" and the consent of the parties concerned; personal information to follow the use of personal information to ensure the safety of the principle of not divulging, selling or illegally providing to others; personal information is infringed upon, the use of personal information to ensure safety. The use of personal information should follow the principle of ensuring safety, and should not be leaked, sold or provided to others illegally; when personal information is infringed upon, the operator should bear the corresponding tort liability.
On Nov. 30, related media reported that Guo Bing, the main litigant in the case, was informed that because some of his requests were not supported by the court, he had sent a civil lawsuit the day before, requesting that the People's Court of Fuyang District, Hangzhou City, be revoked (2020) 浙0111民初6971号民事判决, and that all of his first-instance litigation requests be supported instead.
It is worth mentioning that on October 13, the National People's Congress (NPC) Standing Committee meeting to consider the draft law on the protection of personal information provides that the handling of personal information should be fully informed beforehand on the premise of obtaining the consent of the individual, and the individual has the right to withdraw consent; important changes should be made to obtain the consent of the individual again; the individual shall not be refused the provision of products or services based on the reasons that the individual does not agree. Commercial marketing and information pushing through automated decision-making shall be accompanied by the option of not targeting their personal characteristics.
And not long ago, the State Internet Information Office also released the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications (APP) (Draft for Opinion) (hereinafter referred to as the "Draft for Opinion") which excludes biometric information, such as face recognition and fingerprint recognition, from the scope of necessary personal information for 38 types of common APPs.
The Exposure Draft specifies the scope of necessary personal information for 38 common types of APPs, such as short videos, map navigation, online car rental, learning and education, and puts a "straitjacket" on the excessive collection of personal information. Necessary personal information refers to the personal information necessary to ensure the normal operation of the basic functions of the APP, the lack of which the APP cannot provide basic functional services. As long as the user agrees to collect the necessary personal information, the APP shall not refuse the user to install and use.
The depth of the Institute of Science and Technology President Zhang Xiaorong said, the Office of the Internet Information Office to limit the APP unlimited "demand" for personal privacy information of the evil wind has finally been curbed, China's information protection in the era of APP has finally taken a step forward. The draft of the opinion of the management of a wide range, all types of APP almost a net.
But Zhang Xiaorong also believes that the new provisions for the associated login does not have detailed provisions. Previously, the "Personal Information Security Guidelines" mentioned that when registering and logging in to multiple APPs with the same account, it can provide a channel to unlink individual APP user accounts. This unmentioned associated login may bypass the new regulations of the Office of the Internet Information Office and still collect user privacy.
"In addition, personal information has long been collected by APPs, and the only ones who haven't been victimized are some of the post-00s. The Exposure Draft has a protective effect on new netizens after 00, but the protection of old users' rights and interests seems to be somewhat insufficient." Zhang Xiaorong further pointed out that, "and for the abuse of brush face recognition technology, there is no direct clear, for fingerprint identification technology to collect information is also no restriction, but personal biometrics collection of information is more likely to produce harm than common text information."