On April 23, 2021, the National Information Security Standardization Technical Committee of China published a draft standard (in Chinese) on Security Requirements of Facial Recognition Data (the “Standard”). The Standard, which is non-mandatory, details requirements for collecting, processing, sharing and transferring data used for facial recognition.
The Standard is one of many new proposed standards relating to privacy and cybersecurity in China. As we previously reported, the privacy landscape in China is undergoing significant development, and a proposed personal information protection law is currently under review by the National People’s Congress of the People’s Republic of China.
The Standard includes the following key requirements:
- Facial recognition should be used only for identification purposes and not to make predictions about individuals (e.g., in relation to their health, work performance or interests);
- Facial recognition should be used only when an alternative technology not involving the use of facial recognition is insufficient in terms of security or convenience (e.g., for identity verification in airports);
- Facial recognition should not be used to identify individuals under 14 years of age;
- Storing facial recognition data is prohibited unless an organization obtains consent; and
- Facial recognition data generated or collected in China should be stored only in China.
The Standard is open for public consultation until June 22, 2021.