A court in Hangzhou made its final judgment in China’s first-ever lawsuit over the use of facial recognition after both parties filed for appeal, upholding its original judgment and ordering additional data to be deleted.
In late 2019, Hangzhou Safari Park replaced its fingerprint-based admission system with one that uses facial recognition, telling customers that they would be refused entry if they did not use the new system.
Guo Bing, an associate professor of law at the Zhejiang Sci-Tech University, concerned it might be used to “steal” his identity, asked for a refund. When the zoo refused, Guo sued for breach of contract.
“The purpose of the lawsuit is not to get compensation but to fight the abuse of facial recognition,” he told the Southern Metropolis Daily at the time.
In November last year, the Hangzhou Fuyang People’s Court awarded Guo with compensation of 1,038 yuan (RM655) and ordered the zoo to delete his facial data. The court, however, refused to recognise Hangzhou Safari Park’s behaviour as fraud nor did it order the zoo to refund Guo’s annual pass, prompting both to appeal.
On April 9, the court announced it will uphold the original judgments, but also ordered the zoo to delete Guo’s fingerprint information
Hailed by state-media as a landmark case, some legal experts, including Guo himself, believe any pronouncement of victory is premature.
State-run People’s Daily published a commentary piece saying that the court’s final judgment means people can now “bravely say no to facial recognition”.
Guo told the Southern Metropolis Daily that he is considering whether to file for a retrial since the court did not scrutinise the zoo’s refusal to admit customers who did not provide their facial data.
Guo did not immediately respond to a request for further comment.
He Yuan, director of Shanghai Jiao Tong University’s Data Law Research Centre, said that while the decision is “hugely meaningful” as the first time a court has ruled that citizens can demand their data be deleted, the court did not address whether it was legal for the zoo to only allow entrance by facial recognition.
“[The court] let the principle of data minimisation go unnoticed, which in this case is to determine whether facial recognition is necessary for entering a zoo, and whether it has offered people the option to choose a less invasive verification method,” He said, adding that the original suit was over breach of contract, not data use.
China still lacks an adequate legal framework for the protection of personal information, according to He, adding that courts also need to consider how to strike a balance between protecting biometric data and the needs of economic development.
China is still grappling with data privacy concerns as underground trading of personal information thrives amid Beijing’s push to have the digital sector play a bigger role in China’s domestic economy.
Without a law dedicated to protecting personal information, and the lack of clear guidelines, China’s enforcement agencies have struggled to keep up with an increasingly skilled industrial chain of insiders and data brokers.
The country’s 14th five-year plan, unveiled earlier this month, fast-tracked the roll-out of two “fundamental” pieces of legislation, the Personal Information Protection Law (PIPL) and the Data Security Law. The PIPL, as its name suggests, will address personal privacy issues, but is still under review and has not been officially rolled out after a draft version was unveiled last year.
“There are clear signs that facial recognition technology is being misused,” Guo said in a question and answer session held by Shanghai-based state media The Paper in November last year. “It not only poses great safety risks for users, but also great risks for public security.” – South China Morning Post