China closes record number of personal data breaches, considers facial recognition law.

China Takes Action Against Data Breaches and Regulates Facial Recognition

China has recently made significant strides in addressing personal data breaches and implementing regulations on the use of facial recognition data. The Ministry of Public Security reported that over the past three years, Chinese police have closed an unprecedented 36,000 cases related to personal data infringements and detained 64,000 suspects. These efforts are part of the government’s ongoing initiative to regulate the internet, which has also resulted in the seizure of more than 30 million SIM cards and 300 million “illegal” internet accounts.

The cases investigated by the police covered a wide range of industries, including healthcare, education, logistics, and e-commerce. Criminal incidents involving artificial intelligence (AI) have also been on the rise. In one instance, a company in Fujian province lost 4.3 million yuan ($596,510) due to hackers using AI technology to alter their faces. The police have already solved 79 cases involving “AI face changing.”

The use of facial recognition technology alongside AI advancements has led to the emergence of cases exploiting this data. Cybercriminals have been using personal photos, particularly those found on identity cards, together with names and ID numbers, to bypass facial recognition verification systems.

Recognizing the severity of the situation, China’s public security departments are collaborating with state facilities to conduct safety assessments of facial recognition technology and identify potential risks. Chinese government officials have emphasized the significant risks posed by the “underground big data” market, which has arisen from cybercriminal ecosystems involved in data theft, reselling, and money laundering.

To address these issues, the Cyberspace Administration of China (CAC) recently published draft laws specifically targeting facial recognition technology. These proposed regulations require organizations to obtain explicit or written user consent before collecting and using personal facial information. Businesses must also disclose the purpose and extent of the data they are collecting and use it only for the stated purpose.

The draft laws prohibit the use of facial recognition technology to analyze sensitive personal data, such as ethnicity, religious beliefs, race, and health status, without user consent. However, exceptions are made for cases related to national security, public safety, and the health and property of individuals during emergencies. Organizations utilizing facial recognition technology must implement data protection measures to prevent unauthorized access or data leaks.

Furthermore, the draft laws stipulate that any person or organization storing over 10,000 facial recognition datasets must notify the relevant cyber government authorities within 30 working days.

The proposed regulations also define the conditions under which facial recognition systems should operate and mandate companies to prioritize the use of non-biometric recognition tools if they provide equivalent results. These regulations aim to strike a balance between technological development and protecting individuals’ privacy rights.

The public now has one month to provide feedback on the draft laws, enabling authorities to take into account public opinion and make appropriate adjustments.

In addition to addressing facial recognition technology, China has also implemented regulations to prevent the abuse of “deep synthesis” technology, including deepfakes and virtual reality. Furthermore, interim laws managing generative AI services will soon come into effect, ensuring the responsible and legitimate use of the technology.

Under these interim laws, generative AI developers must comply with various measures to protect national and public interests, as well as the legal rights of citizens and businesses. They must use data from legitimate sources that adhere to intellectual property rights, obtain consent when using personal data, and improve the quality and accuracy of training data.

Generative AI service providers will also assume legal responsibility for the information generated and its security. They will be required to sign service-level agreements with users, clarifying the rights and obligations of both parties.

Overall, China’s actions in closing personal data breach cases and regulating facial recognition technology demonstrate the government’s commitment to protecting individuals’ privacy rights and ensuring the responsible use of AI technology. These efforts align with global trends in addressing data privacy and showcase China’s determination to create a safe and secure digital environment.