Strengthen the implementation of the "inform-consent" rule for face information processing
Interlocutors
Meng Qiang, Director of the Civil Code Research Center, School of Law, Beijing Institute of Technology
Professor Liu Deliang, Beijing Normal University Law School
Zheng Ning, Dean of Law Department, School of Cultural Industry Management, Communication University of China
Wang Sixin, Vice Dean of the Institute of a Community of Shared Future for Humanity, Communication University of China
"Rule of Law Daily" reporter Zhao Li
Xing Yiming, an intern at the Rule of Law Daily
Improper storage of facial information
Easy to cause data leakage
Reporter: The "Face Recognition Application Public Survey Report (2020)" (hereinafter referred to as the "Report") shows that in terms of safety perception, the scores given by respondents are significantly lower, and only the average score of traffic security inspection scenarios exceeds 4 points. Does this reflect the respondents' worry about the security risks of face recognition?
Zheng Ning: Currently, the public has a relatively negative attitude towards the security risks of face recognition.
In the current society, it is more and more common to collect personal biological data in the name of national security, social security, and public interest.
Face information may be captured and identified hundreds of times a day without our knowledge, and the imperfect data security management system makes people worry.
If criminals use personal facial data to open relevant accounts for illegal crimes, such as money laundering, gang-related involvement, and terrorism, individuals may be involved in criminal proceedings.
Meng Qiang: Face information is sensitive personal information in personal information. Once it is leaked or used illegally, it may lead to discrimination against the subject of the face or serious threats or harm to personal and property safety.
At present, many units or enterprises are casual and even excessive in the collection of facial information, and they have not properly kept the collected facial information in accordance with the law, leading to data leakage and even forming a black industry chain of buying and selling facial data on the Internet, which in turn leads to the illegal use of face information, brings property losses and personal rights losses to many people, and therefore causes a lot of worries at the social level.
Reporter: In addition, face recognition still has a prominent "mandatory use" problem.
The "Report" shows that the "traffic security check" scenario had the most respondents who encountered mandatory face recognition, reaching 27.39%, followed by "real name registration" (26.42%), "account opening and cancellation" (25.94%), "payment and transfer" (25.81%), and "access control and time attendance" (21.76%).
Zheng Ning: In the “strong authentication” scenarios (such as public security and financial payment) that are clearly required by laws and regulations, it is necessary and reasonable to use face recognition to complete accurate identity comparison and verification, but the face data must be kept properly and not leaked or abused.
For some scenes that are not clearly stipulated by law, it is not appropriate to use face recognition as the only verification method.
According to the "Report", compared to face recognition, the public is more willing to use verification methods such as mobile phone verification codes and passwords. There is no legitimate purpose, and it is not suitable to promote face recognition on a large scale.
Reporter: We have also noticed that Article 29 of the draft Personal Information Protection Law, which has recently been publicly solicited for comments, provides that personal information processors have specific purposes and sufficient necessity to process sensitive personal information.
Meng Qiang: This provision is actually targeted.
Because many units and enterprises are randomly collecting facial information, they fail to comply with the requirements of "specific purpose" and "sufficient necessity".
Facial information is collected at airports, high-speed railway stations and other places where the flow of people is concentrated and which are highly related to public safety, with scans of unspecified flows of people and facial recognition authentication required when specific individuals take transportation. This approach is for public safety; it is also out of social public interest and national security, so this kind of "strong certification" is reasonable.
However, some organizations that have little relevance to the public interest, and for which there is no sufficient necessity, nevertheless require facial recognition authentication of users or customers without distinction.
Such behavior can easily arouse people's vigilance and disgust.
Strengthen access to information management
Severe punishment for illegal collection
Reporter: Regarding face recognition technology, many comments also pointed out that we should not resist and oppose blindly.
Because advances in science and technology can bring unprecedented convenience to all mankind, face recognition technology plays an irreplaceable role in public safety maintenance, criminal investigation, suspect arrest, user financial property safety protection, office and residential safety protection, etc. This has been fully reflected in our country's epidemic prevention and control work.
Meng Qiang: However, science and technology can also be a double-edged sword, which must be controlled by the rule of law; otherwise the blade may turn inward, which will harm the interests of users.
For people who worry about the abuse of face recognition technology, management should be strengthened from three aspects:
One is to strengthen the management of obtaining facial information.
Propaganda must be carried out in the whole society, so that all units and the people generally realize that face information is highly sensitive personal information and must be strictly protected.
Furthermore, it is necessary to strictly implement the "specific purpose" and "sufficient necessity" conditions for acquiring facial information, and severely penalize the behavior of forcibly collecting and acquiring facial information that does not meet the conditions.
The second is to strengthen the implementation of the "inform-consent" rule for face information processing.
In practice, with regard to the requirement of obtaining user consent to collect and use their personal information, many units or institutions use their superior position, or use format clauses, to force users to consent, or to issue a "package" authorization license, resulting in user rights still being violated.
In the future, separate laws and regulations should be formulated to strengthen face recognition standards in key areas, and for some high-risk areas, it should be emphasized that consent must be made in writing to further protect users' right to informed consent.
The third is to strengthen the implementation of relevant obligations and responsibilities of state agencies in collecting and processing facial information.
State agencies and their authorized subjects are the main subjects for collecting facial information.
This type of behavior is justified because its starting point is the needs of public security or administrative management, but it must also follow the rules of informing users and asking for their consent, and the processing of face information data must be strictly carried out in accordance with the law; otherwise, once state agency staff abuse their power or neglect their duties, large-scale facial information leakage incidents are extremely likely to occur, with extremely serious consequences.
Wang Sixin: For "mandatory" application scenarios that are not clearly required by the law, in practice it does not necessarily mean that this cannot be done.
Generally speaking, whether a compulsory certification is reasonable can be measured from several aspects:
First, whether the corresponding procedural requirements are already in place, such as whether the authorization has been issued and whether the user can make a free choice; second, if a free choice cannot be made, whether forcing the consumer into the use mode will bring adverse effects to consumers, and especially, for individual consumers, whether there will be discrimination or different treatment in the compulsory use process; third, whether the implementer of compulsory certification already has corresponding safety measures and whether these safety measures are fully shown to the users.
Reporter: In the future, should the law place the main responsibility for protecting data security on the data controller and processor? After all, the corresponding risks are created by the collection, storage, and use of data by the data controller and processor, and the main benefits are also enjoyed by them.
Zheng Ning: Data controllers and processors are the primary responsible parties for data security and the main beneficiaries. Risks and rewards should be proportional.
Of course, relevant departments must also strengthen supervision and law enforcement.
Liu Deliang: The personal information protection law mainly emphasizes protection, and there is currently no law to effectively solve the problem of abuse.
At present, the requirements for face recognition in our various places are basically legitimate, and what we have to worry about is the subsequent abuse.
Our educational guidance and legislation should focus on how to effectively prevent abuse.
Wang Sixin: I think it is completely unnecessary to legislate on face information. It is not necessary to formulate specific restrictions on the use scenarios and conditions of face recognition, or to put forward systemic and normative requirements for face recognition.
The problem of face recognition mainly relates to the protection of personal data privacy. It is an integral part of the protection of personal data privacy. The problems in this field can be completed through existing relevant laws on personal data protection.
Cartography/Gao Yue