China's first face-scan lawsuit highlights call for privacy protection
David Lee

Editor's note: David Lee is a consultant and author based in Beijing who focuses on energy, health, international politics and international development. The article reflects the author's opinion, and not necessarily the views of CGTN. 

In October, a new rule of the Wildlife Park in east China's Hangzhou City badly backfired, resulting in a legal case brought against the park by Guo Bing, one of its annual pass holders.

The new rule required the annual pass holder to register his or her facial features with the park, in an apparent effort to streamline the process of pass holder identification at the park's gate. 

Previously, the park had only recorded the fingerprints, but the fingerprint scanner would respond slowly at times and thus undermine user experience.

According to the park, using the updated facial recognition technology to replace the fingerprint scanner would help ensure a "hassle-free" experience. Guo disagreed. Particularly, he was against the recording of his facial features by the park. He protested against the decision with park operators.

Failing to get a satisfactory response from the park authorities, Guo decided to sue the park. In Chinese media, the case is being known as the first facial recognition litigation in China.

While I understand Guo's obvious concern for the safety of his facial features, once collected, stored and used by the park authorities, it must be mentioned that facial recognition is only one form of biometrics identification technologies, albeit one of the most convenient ways for identification and arguably one that is receiving the biggest attention from the industry and investors alike.

If Guo is concerned about the recording of his facial features, he should have also been concerned about the collection of his fingerprints.

In essence, the outcry about facial recognition, as reflected by Guo's litigation against the park authorities, should be better understood within a more robust framework of biometrics information management.

A passenger enters an airlock for facial recognition at Nice international airport's immigration section in Nice, France, July 16, 2018. /VCG Photo

A passenger enters an airlock for facial recognition at Nice international airport's immigration section in Nice, France, July 16, 2018. /VCG Photo

The first and foremost principle of such framework is that personal ownership of biometrics information must be respected and protected. Secondly, the collection, storage, and use of personal biometrics by entities other than national government must be strictly restricted and limited, pending clear and absolute consent by the person whose personal biometrics is to be collected, stored and used.

In Guo's case, I don't believe it's worth it to have the park collect, store and use personal biometrics, be it fingerprints or facial features, simply for the purpose of entering the park "hassle-free." The cost-benefit equation simply doesn't exist. The risk is too high.

There is no way to guarantee the safety and security of personal biometrics when it is left in the hands of the park. Even if the park doesn't do anything unscrupulous with the sensitive data, how can it ensure its information infrastructure to be impeccable, as hacking and data theft are rampant in cyberspace?

Guo's case reminds me of the latest controversy around the ZAO social media app that superimposes the user's face on famous movie characters by using the deep-fake technology, which involves collecting and using facial features.

Again, how can we ensure the safety and security of facial features collected by the app developer? Is it worthwhile to hand over key personal biometrics data to a commercial company simply to have fun? The cost-benefit equation remains dubious.

A further consideration of the framework for personal biometrics management is to establish definitive standards of collecting, storing and using biometrics information. Ideally, clear technical protocols should be put in place for this purpose.

However, unfortunately, in the fast-changing technological landscape we are in today, it seems simply impossible to set up clear-cut nationwide technical standards. Rather, it is still up to the entities themselves to ensure the security of users' biometrics data collected, which in Guo's case is the park.

As China's first facial recognition litigation highlights call for stronger privacy protection, I look towards an evolutionary regulatory framework that adapts to and supports technological advancements.

(If you want to contribute and have specific expertise, please contact us at