
A facial recognition case in Tianjin was won, and a community that used facial recognition as the only way to pass was found to be illegal

WBOY, 2023-04-09 21:21:08

A property company in Tianjin was sued by a resident for using facial recognition as the only verification method for entering and exiting the community. The court of first instance held that the relevant evidence could not prove that the defendant had violated the plaintiff's right to privacy. Recently, the court of second instance changed the verdict, requiring the property company to delete the plaintiff's facial information and provide him with other verification methods for entering and exiting the community.

Interviewed experts said that the breakthrough of the second-instance judgment was that the court correctly and reasonably applied the relevant provisions of the "Provisions of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial of Civil Cases Related to the Use of Facial Recognition Technology to Process Personal Information", which was implemented on August 1, 2021. Under those provisions, the property company must provide reasonable verification methods other than facial recognition to owners or other persons with the right to enter and exit.

Reject community face recognition: privacy dispute or personal information protection dispute?

Gu lives in Chengji Economic and Trade Center, Heping District, Tianjin. The property company of this community uses face recognition as a verification method for entering and exiting the community.

The judgment shows that between August 2 and 5, 2021, Gu communicated many times with the staff of the Chengji Economic and Trade Center Project Department of Lanzhou Chengguan Property Service Group Co., Ltd. Tianjin Branch (hereinafter referred to as "Chengguan Tianjin Company"), asking them to delete his facial information and provide him with a barrier-free way to enter and exit the community, but the property company rejected Gu's request. Afterwards, Gu entrusted a law firm to send a lawyer's letter to Chengguan Tianjin Company, making the same request. After the latter signed for the lawyer's letter, it did not contact Gu or his agent.

In September 2021, Gu sued Lanzhou Chengguan Property Service Group Co., Ltd. and Chengguan Tianjin Company to court.

Gu claimed that the defendant refused to delete his facial recognition information and used facial recognition as the only verification method for entering and exiting the property service area, which violated the plaintiff's personality rights and the principles of legality, legitimacy and necessity that must be followed when processing facial information. Chengguan Tianjin Company argued that the collection of facial recognition information was jointly completed by the owners' committee, comprehensive coordination office, community, and sub-district offices. At the same time, network monitoring was carried out at the Heping Branch of the Tianjin Public Security Bureau, and it complied with the current epidemic control requirements. The plaintiff's face information was used only for access control.

The cause of action in the first instance of this case was determined by the court to be a privacy dispute. According to Article 64 of the Civil Procedure Law, "Parties have the responsibility to provide evidence for their own claims." The court of first instance held that the plaintiff Gu did not submit relevant evidence that the defendant had leaked, tampered with, or lost his information, and that the relevant evidence provided could not prove that the second defendant violated his right to privacy. Therefore, the plaintiff's claims had no factual and legal basis and were not supported. All claims were dismissed.

Gu refused to accept the first-instance judgment and appealed to the Tianjin No. 1 Intermediate People's Court. The appellant argued that the main legal issue in this case was the protection of personal information rather than the right to privacy, and that the court of first instance had applied the law incorrectly and chosen the wrong cause of action. He had not claimed that personal information was leaked, tampered with, or lost, so there was no need to provide such evidence. The first-instance court had therefore erred in determining the burden of proof.

The second-instance court confirmed the facts found by the first-instance court and held that this case was a dispute arising from the handling of personal information, and the cause of the case should be determined as a personal information protection dispute.

Wei Dongdong, a partner at Beijing Weiheng (Chengdu) Law Firm, has long followed the field of data compliance and personal information protection. She told reporters that privacy and personal information are two different and intersecting personal rights, and the legal rules protecting the two are also different. “Privacy can only be protected when it is subject to actual infringement or potential threat. The burden of proof in privacy cases is mainly borne by the plaintiff, while in personal information cases the burden of proof is reversed. The court of second instance corrected the cause of the case to a personal information protection dispute, and the main burden of proof shifts to the property management company. This is the basis for the plaintiff to win the second instance of this case.”

Court: The property management company needs to provide a common verification method other than facial recognition

Lao Dongyan, a professor at Tsinghua University Law School, told reporters that according to the "Personal Information Protection Law" and other relevant regulations, facial information, as biometric information, belongs to the category of sensitive personal information protected by law, and the relevant legal provisions on the protection of personal information should be strictly observed when using facial recognition technology. Unless otherwise provided by laws and administrative regulations, the processing of personal information must obtain the consent of the natural person or his guardian, and must comply with the principles of legality, legitimacy, and necessity.

In the appeal, Gu also argued that the first-instance court's finding that Chengguan Tianjin Company's processing of face information was necessary for epidemic prevention and control had no factual and legal basis and did not comply with the principles of necessity and legality.

The court of second instance pointed out that Chengguan Tianjin Company activated facial recognition in February 2020 with the consent of the owners and property users due to the dense population and difficulty in security prevention in the community involved. As an access verification method for owners and property users, the system can more accurately identify people entering and exiting the community. It has played a major role in the prevention and control of the new coronavirus epidemic and does not violate legal regulations.

However, the court of second instance also pointed out that according to Article 10 of the "Provisions of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial of Civil Cases Related to the Use of Facial Recognition Technology to Process Personal Information", implemented on August 1, 2021, if an owner or property user does not agree to the above verification method and requests the property company to provide other reasonable verification methods, the property company cannot refuse on the grounds of intelligent management.

The court of second instance held that although Gu agreed to Chengguan Tianjin Company extracting his face information as a means of verification when checking in, he subsequently raised objections many times to Chengguan Tianjin Company using his face information as the only means of verification. Chengguan Tianjin Company used the facial recognition verification method as a defense reason for the owners' committee to refuse to provide Gu with other verification methods, which was contrary to the aforementioned regulations. There is no evidence to support Chengguan Tianjin Company's claim that the facial recognition verification method is used in compliance with relevant regulations and requirements for epidemic prevention and control.

In the end, the second-instance court revoked the first-instance judgment and required Chengguan Tianjin Company to delete Gu's face information, provide other common verification methods, and pay 6,200 yuan in compensation for reasonable expenses.

Lao Dongyan believes that, in addition to redefining the nature of the case (it involves personal information rights rather than privacy rights), the key to the appeal changing the judgment is that the second-instance court understood existing laws, regulations and judicial interpretations more accurately, for example in its understanding of the principle of necessity.

Wei Dongdong said that the judgment on the necessity of collecting facial information needs to be based on determining the purpose of collection and comprehensively considering whether collecting facial information is a necessary way to achieve the purpose, whether there are other alternatives, and whether the dangers posed by facial recognition outweigh the purpose itself. "It is unnecessary to use face recognition for entry and exit of the community. The convenience and security of swiping the card in and out are also guaranteed. The benefits brought by face recognition are not obvious, but it may bring the residents of the community risks such as leakage of privacy and personal information and property loss."

"In addition, the 'Personal Information Protection Law' originally stipulates the right to withdraw. If personal information is processed based on individual consent, the individual has the right to withdraw consent. Personal information processors should provide a convenient way to withdraw consent. For owners, there is no need to meet the premise that personal information is in danger of being leaked, tampered with, lost, etc. before they can request the property to withdraw or delete it," said Lao Dongyan.

There are risks in collecting facial information, and property companies must store it legally and compliantly

Facial information is unique, immutable and easy to obtain, which is why facial recognition technology brings value, but also risks. Wei Dongdong said that the risk of facial recognition abuse lies mainly in the increased risk of facial information leakage, which may endanger an individual's personal safety, privacy and property security. For example, leaked facial information may be used to track personal whereabouts, steal capital accounts, break into residences and enter confidential places without authorization.

In order to protect the legitimate rights and interests of residents, some areas have legislated to regulate the collection of personal information by property companies. The newly revised "Hangzhou Property Management Regulations", taking effect in March 2022, stipulates that property service providers shall not force owners or non-owner users to provide biometric information such as faces or fingerprints in order to enter the property management area or use shared parts, and shall not disclose personal information of owners and non-owner users obtained from property services.

Regarding the installation of facial recognition facilities, Lao Dongyan particularly emphasized the basic requirements of the "notice-and-consent" principle: the personal information collector must give clear and full notification of the purpose, scope, and risks of collection, and obtain prior separate consent from the person whose information is collected.

"According to the relevant provisions of the Personal Information Protection Law, facial information is sensitive personal information. Before using facial recognition facilities, the property needs to obtain the consent of each resident individually," Lao Dongyan said. "In addition, in some communities where facial recognition devices have been installed, it seems that many residents have agreed. However, the consent obtained in this case may be because when seeking consent, the property management company did not comprehensively inform residents of the possible risks of collecting facial information. Strictly speaking, such consent is legally invalid."

After facial information is collected, the storage and custody of data become an important issue.

Shi Yuhang, a lawyer at Shanghai Huiye Law Firm and a registered information security professional (CISP), told reporters that at present the face database of a residential face recognition system is generally managed by the property management company. Technology providers may participate in building the system, but whether they participate in its management depends on the specific system architecture, and government departments are mainly responsible for supervision.

Wei Dongdong explained that relevant laws, regulations and national standards set many compliance requirements for the collection and storage of facial information, and property companies must fulfill a series of obligations when storing it. The property company should not store the original face photo, but only a message digest of the face; it should encrypt facial information in storage and in transmission, and set appropriate access and operation rights for it. A personal information protection impact assessment (PIA) should also be conducted, a written assessment report should be produced and kept for more than three years, and employees should be trained on personal information protection.

"Technically, property companies should store facial information and personal identity information (such as personal ID numbers) separately, which can greatly reduce the harm caused by the leakage of facial information. The premise for facial information to cause harm is knowing who the facial information belongs to; if you don't know who the owner of the facial information is, naturally it cannot be used for tracking and fraud," Wei Dongdong said.

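The separation Wei Dongdong describes, together with deletion on withdrawal of consent, can be sketched as follows. This is an added example, not code from the article or from any property company's system; the class and method names, the keyed-hash link between the two stores, and the sample residents and template bytes are all assumptions constructed for illustration.

```python
import hashlib
import hmac
import secrets


class SplitFaceStore:
    """Face templates and identity records kept in separate stores (hypothetical design)."""

    def __init__(self, link_key: bytes):
        self._link_key = link_key   # assumed to be held apart from both stores
        self.identity_db = {}       # resident_id -> profile (name, unit, pass method)
        self.template_db = {}       # pseudonym -> opaque face template, no identity fields

    def _pseudonym(self, resident_id: str) -> str:
        # Keyed hash: without link_key a template row cannot be tied to a resident.
        return hmac.new(self._link_key, resident_id.encode(), hashlib.sha256).hexdigest()

    def enroll(self, resident_id: str, name: str, unit: str,
               template: bytes = None, consent: bool = False) -> None:
        # Face enrolment needs separate consent; a card is always available.
        use_face = consent and template is not None
        self.identity_db[resident_id] = {"name": name, "unit": unit,
                                         "method": "face" if use_face else "card"}
        if use_face:
            self.template_db[self._pseudonym(resident_id)] = template

    def withdraw_consent(self, resident_id: str) -> bool:
        # Deletion request: remove the template and fall back to the card.
        removed = self.template_db.pop(self._pseudonym(resident_id), None) is not None
        if resident_id in self.identity_db:
            self.identity_db[resident_id]["method"] = "card"
        return removed

    def leaked_templates_expose_identity(self) -> bool:
        # Simulate a dump of template_db alone and search it for identity fields.
        dump = repr(self.template_db)
        return any(rid in dump or p["name"] in dump or p["unit"] in dump
                   for rid, p in self.identity_db.items())


def demo():
    store = SplitFaceStore(link_key=secrets.token_bytes(32))
    # Constructed sample residents; template bytes stand in for a real feature vector.
    store.enroll("R-1001", "Resident A", "Bldg 2-301", b"\x01\x02\x03", consent=True)
    store.enroll("R-1002", "Resident B", "Bldg 5-102")  # declined face enrolment
    exposed = store.leaked_templates_expose_identity()
    removed = store.withdraw_consent("R-1001")
    return exposed, removed, store.identity_db["R-1001"]["method"], len(store.template_db)
```

The split only helps if the link key and the identity store are protected separately from the template store; anyone holding all three can rejoin the records.
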
At the National Two Sessions in 2022, Yi Jie, a representative of the National People's Congress and chairman of Guangxi Hongzhi Technology Co., Ltd., said that there are still gaps in face recognition in terms of technology, application management and government supervision. "On the one hand, data is stored haphazardly, and some scattered and uncertified storage units have weak security technologies, so data security cannot be guaranteed; on the other hand, massive unsupervised facial data poses the risk of being bought and sold."

Yi Jie proposed that a nationally unified third-party face information database supervised by government departments should be established in accordance with relevant specifications and requirements, and that special management systems or regulations should be introduced to strictly require all units that perform face recognition to store the collected data only in the third-party face information database.

This article is reproduced from 51cto.com.