On April 23, 2021, the National Technical Committee for Information Security Standardization in China published a draft standard (in Chinese) on the security requirements for facial recognition data (the “Standard”). The non-mandatory standard contains requirements for the collection, processing, disclosure and transmission of data used for facial recognition.
The standard is one of many new proposed standards related to privacy and cybersecurity in China. As we previously reported, the privacy landscape in China is undergoing significant development and a proposed law to protect personal data is currently under review by the National People’s Congress of the People’s Republic of China.
The standard contains the following main requirements:
- Face recognition should only be used for identification purposes and not to make predictions about people (e.g., in relation to their health, job performance or interests);
- Face recognition should only be used if an alternative technology that does not use face recognition is inadequate in terms of security or convenience (e.g., to verify identity at airports);
- Face recognition should not be used to identify anyone under the age of 14;
- Saving facial recognition data is prohibited unless approved by an organization; and
- Face recognition data generated or collected in China should only be stored in China.
The standard is open for public consultation until June 22, 2021.