Shanghai Says “No” to the Abuse of Facial Recognition

Face Recognition Payments, Face Unlock, Face Recognition Door Entry, Face Recognition for Station Entry… “Face Recognition” is increasingly becoming a part of our daily lives.

In the Age of Face Recognition, Who Will Protect My Facial Information Security?

In response to the excessive and even abusive use of face recognition technology in public places, Shanghai has accelerated its efforts in 2024 through the “Sword of Justice – Pujiang 2024” special law enforcement action for personal information protection in the consumer sector, aiming to achieve the goal of “no face recognition as a principle, face recognition as an exception” in public places.

As a third party, the Intelligent Law Department of East China University of Political Science and Law, led by Professor Gao Fuping, conducted an evaluation of the “Sword of Justice – Pujiang 2024” special law enforcement action. The evaluation team believes that the rectification of abusive face recognition by Shanghai’s cybersecurity and information technology department has effectively safeguarded citizens’ personal information rights. It has significantly reduced risks while raising awareness of personal information protection among businesses and consumers, optimizing the business and consumption environment, and providing the “Shanghai experience” for the wider application of face recognition technology.

Law Enforcement Takes Aim at Violations

The risks of abusive face recognition technology have always been a top concern for Shanghai’s regulatory and law enforcement agencies.

In 2021, CCTV’s “3.15” Evening News exposed that some Kohler bathroom stores in Shanghai had installed cameras with face recognition capabilities. Customers entering the stores would be captured by the cameras and automatically assigned a number without their knowledge.

Following the exposure, the Shanghai Jing’an District Market Supervision and Administration Bureau immediately initiated an investigation and subsequently announced the investigation results and penalties. Notably, the involved company was ordered to rectify its behavior and was fined RMB 500,000 based on relevant provisions of the Consumer Rights Protection Law, with the enforcement carried out by the Jing’an District Market Supervision and Administration Bureau.

On November 1, 2021, China’s first specialized law on personal information protection, the Personal Information Protection Law, was officially implemented. Shanghai has strengthened protection for personal information, especially sensitive biometric information such as facial data.

On June 16, 2023, in response to issues such as “excessive collection, compulsory requests, induced collection, and illegal use” of personal information in the consumer sector, the Shanghai Cybersecurity and Information Technology Office and the Shanghai Market Supervision and Administration Bureau jointly launched the “Sword of Justice – Pujiang Special Law Enforcement Action for Personal Information Protection in the Consumer Sector.” The action targeted eight major consumption scenarios with high social concern and prominent issues of excessive personal information collection, including QR code-based ordering, parking fees payment, children’s education and training, online financial management and small loans, real estate agency services, shared power bank rental, supermarket shopping, and automobile 4S dealerships.

Based on the experience gained in 2023, the Shanghai Cybersecurity and Information Technology Office and the Shanghai Market Supervision and Administration Bureau initiated research and planning for the “Sword of Justice – Pujiang 2024” special law enforcement action, with a focus on rectifying the abusive use of face recognition. Participating agencies included regulatory and law enforcement departments, industry supervisory departments such as the Shanghai Municipal Public Security Bureau, the Shanghai Municipal Sports Bureau, the Shanghai Municipal Commerce Commission, and the Shanghai Housing and Urban-Rural Development Administration, as well as the Shanghai Consumer Protection Commission and relevant industry associations.

On April 29, 2024, a news report titled “Complaints Lodged Against a Swimming Pool in Shanghai for Using Face Recognition in Changing Room Cabinets” attracted widespread attention. According to Jiefang Daily, Ms. Zhu from Shanghai’s Songjiang District noticed that the changing room at the Yongle Swimming Pool (Yunjian Grain Warehouse Branch) near her home used face recognition to open the cabinets. “When I stood in front of the device, the camera’s light turned on, and the screen displayed images of nearby customers who were not wearing clothes. I quickly covered the camera with a towel and wrapped myself in a bath towel!”

After obtaining the report, the Songjiang District Committee’s Cybersecurity and Information Technology Office, along with relevant departments such as market supervision and public security cybersecurity, conducted two verifications and inspections on April 29 and May 6, guiding rectifications. For the illegal and违规 facts, the Songjiang District Committee’s Cybersecurity and Information Technology Office imposed an administrative penalty of a warning on the operating entity of the involved swimming pool, Shanghai Kuxue Sports Investment Management Co., Ltd. This case also became the first law enforcement case in the field of face recognition technology jointly conducted by Shanghai’s municipal and district-level cybersecurity and information technology departments based on the Personal Information Protection Law.

Subsequently, based on extensive research, the “Sword of Justice – Pujiang 2024” action developed detailed work plans specifically for the compulsory and abusive use of face recognition technology in public places. The law enforcement scenarios became more refined and granular, covering sports venues such as gyms, dance studios, and swimming pools; consumption venues such as malls, supermarkets, and vending machines; cultural and tourism venues such as performance venues, tourist attractions, hotels, and cultural venues; educational venues such as schools and training institutions; and residential venues such as real estate sales offices, residential communities, and affordable rental housing. According to law enforcement officials from the Shanghai Cybersecurity and Information Technology Office, the rectification plan clarifies that the office will lead the formation of a task force to coordinate and carry out the special rectification action. The participating agencies in the special action are members of the task force, covering the Shanghai Municipal Education Commission, the Shanghai Municipal Science and Technology Commission, the Shanghai Municipal Culture and Tourism Bureau, and the Shanghai Gardening and Greening Administration, almost encompassing all regulatory and law enforcement departments related to people’s livelihoods.

Following the overall goals of “no face recognition as a principle, face recognition as an exception” and “reducing collection while ensuring secure storage,” Shanghai has established three principles for the installation of face recognition in public places: “necessary for public safety,” “with legal basis,” and “with separate notification.” It also requires that face recognition devices in public places be “withdrawn” to the greatest extent possible, “used” within the smallest scope, and “stored” within the smallest scope, truly ensuring that consumers can “feel at ease” and users can “act with care.”

The evaluation team led by Professor Gao Fuping from East China University of Political Science and Law believes that the special action, with its standardized law enforcement procedures, scenario-based law enforcement approach, refined law enforcement concept, and information-based law enforcement support, has addressed key pain points and difficulties in various scenarios through differentiated, targeted, and precise law enforcement activities, expanding the practical achievements of Shanghai’s cybersecurity and law enforcement efforts.

Combining Firmness with Leniency to Enhance Law Enforcement Effectiveness

Statistics show that by November 2024, Shanghai had prompted over 600 supermarkets, more than 6,300 hotels, over 70 public sports venues, more than 1,200 swimming pools and fitness centers, and over 2,900 public toilets to conduct self-checks and rectify the “compulsory” and “abusive” use of face recognition.

In response to public complaints about the illegal use of face recognition in vending machines, the Shanghai Cybersecurity and Information Technology Office supervised Shentong Metro to complete the investigation and rectification of over 1,400 vending machines in subway stations across the city, suspending the face recognition payment function of 829 vending machines with issues and allowing them to be reinstated after rectification…

Behind these statistics is the innovation in law enforcement methods by Shanghai’s regulatory and law enforcement agencies—addressing individual cases to govern an entire sector and solve a category of problems, not limited to case handling itself, and replacing purely rigid law enforcement with a combination of firmness and leniency.

The Paper learned that the “Sword of Justice – Pujiang 2024” special law enforcement action explicitly stated that regulatory and law enforcement agencies should work with industry supervisory departments, the Shanghai Consumer Protection Commission, and relevant industry associations to promote compliant business operations through legal training, case-based law explanation, administrative guidance, self-checks and rectifications, and compliance guidelines.

“Apart from individual case inspections and law enforcement, we hope to help businesses understand legal and regulatory requirements and clarify the bottom line and red lines through legal training and compliance guidance. Only in this way can we balance the relationship between business development and consumer rights,” said law enforcement officials from the Shanghai Cybersecurity and Information Technology Office in an interview with The Paper.

Taking vending machine companies as an example, the Shanghai Cybersecurity and Information Technology Office and the Shanghai Market Supervision and Administration Bureau, through investigations and verifications, found six common issues in this scenario, including “collecting facial information without consent,” “incomplete or missing privacy policies,” “compulsory collection of phone numbers,” “induced collection of personal information,” “inability to close advertisements with one click,” and “lack of channels for deleting personal information.”

In November 2024, the Shanghai Cybersecurity and Information Technology Office and the Shanghai Market Supervision and Administration Bureau, jointly with Shentong Metro and the two third-party payment companies Alipay and WeChat Pay, held a “Legal Training on Personal Information Protection for Vending Machines.” The training was problem-oriented, explained the law through cases, and provided a “