China has taken significant steps to combat personal data breaches and regulate the use of facial recognition data. Over the past three years, the Chinese police have closed 36,000 cases related to personal data infringements, resulting in the detention of 64,000 suspects. These efforts are part of the government’s broader initiative to regulate the internet, which has also included the seizure of millions of SIM cards and “illegal” internet accounts. Criminal cases involving personal data violations have been on the rise, with industries such as healthcare, education, logistics, and e-commerce being targeted.
The Ministry of Public Security reported an incident in April 2023, where a company in Fujian province lost 4.3 million yuan ($596,510) to hackers who used AI to alter their faces. The ministry has solved 79 cases involving “AI face changing” so far. With the widespread use of facial recognition technology and advancements in AI, cybercriminals have been exploiting personal data, often using photos found on identity cards along with personal names and ID numbers for facial recognition verification.
To address these issues, China’s public security departments are conducting safety assessments of facial recognition technology and other related systems. They are also working to identify potential risks in facial recognition verification systems. The Chinese government has highlighted the existence of an underground big data market, which poses serious risks to personal data and social order.
In response, the Cyberspace Administration of China (CAC) has published draft laws specifically focused on facial recognition technology. These proposed regulations require organizations to obtain explicit or written user consent before collecting and using personal facial information. Businesses must also state the purpose and extent of data collection and use the data only for the stated purpose. Facial recognition technology cannot be used to analyze sensitive personal data, such as ethnicity, religious beliefs, race, and health status, without user consent. Exceptions are made for national security, public safety, and emergencies.
The draft laws also mandate that organizations using facial recognition technology have data protection measures in place to prevent unauthorized access and data leaks. An organization that retains more than 10,000 facial recognition datasets must notify the relevant government cyber authorities within 30 working days. The proposed rules outline conditions for the use of facial recognition systems and require companies to prioritize non-biometric recognition tools if they provide equivalent results.
The public has one month to provide feedback on the draft laws. In January, China implemented regulations to prevent the abuse of “deep synthesis” technology, including deepfakes and virtual reality. Interim laws will also be put in place to manage generative AI services, requiring compliance with intellectual property rights and consent for the use of personal data.
Generative AI service providers will assume legal responsibility for the information generated and its security. They will need to sign service-level agreements with users to clarify rights and obligations. These measures aim to facilitate the sound development of generative AI while protecting national and public interests, as well as the legal rights of citizens and businesses.
China’s efforts to regulate personal data and facial recognition technology reflect the growing importance of data protection and privacy in the digital age. By implementing these laws, the Chinese government aims to safeguard personal information and prevent the misuse of AI technology. These regulations are part of a broader global trend towards stricter data protection regulations and the responsible use of AI.