The collection of personal information should be lawful, justified and necessary, as a principle upheld by Chinese courts in Guo v. Hangzhou Safari Park (2020).
In April 2020, the Hangzhou Intermediate People’s Court ruled in a facial recognition dispute that the safari park had no right to collect face data without the consent of tourists.
I. Case background
The defendant Hangzhou Safari Park (“the Park”) sold annual passes to tourists and indicated that tourists could enter the Park with their annual passes and fingerprints. The plaintiff Guo Bing (“Guo”) and his wife purchased the annual pass from the Park in April 2019, and the Park collected their fingerprints and profile photos.
In October 2019, in order to improve the tourist admission efficiency, the Park changed the fingerprint recognition to facial recognition, and ceased using the fingerprint recognition device.
After the above change, the Park sent a text message to Guo, asking him to register on and activate the facial recognition system.
Later, Guo went to the Park, and was informed with the situation that fingerprint recognition was no longer available, and he could not enter the Park without the registration of the facial recognition system. Yet, Guo still refused to register on the facial recognition system and believed that the Park was in breach of contract and committed fraud.
Guo filed a lawsuit with the court to invalidate the Park’s notice of requiring tourists to register on the facial recognition system, while requesting the Park to delete Guo’s personal information, including fingerprints and profile photos collected by it, as well as to provide other compensation.
On 20 Nov. 2020, the Fuyang District People’s Court of Hangzhou, the court of first instance, ruled in favor of the plaintiff’s request of photo deletion. (see Guo Bing v. Hangzhou Safari Park Co., Ltd., [(2019) Zhe 0111 Min Chu No. 6971] ((2019)浙0111 民初6971 号)
On 9 Apr. 2021, the Hangzhou Intermediate People’s Court, the court of second instance, further supported the plaintiff’s request of fingerprint deletion. (see Guo Bing v. Hangzhou Safari Park Co., Ltd., [(2020) Zhe 01 Min Zhong No. 10940] ((2020)浙01 民终10940 号)
II. Court views
The court of first instance held that “Chinese law does not prohibit the collection and use of personal information in the consumer market, but emphasizes the supervision and management on the processing process of personal information, that is, the collection of personal information at the front-end stage shall be ‘lawful, justified and necessary’ and subject to the consent of the parties concerned; the controlling of personal information at the middle-end stage shall be safe and secure without disclosing, selling or otherwise illegally providing the personal information to others; if any personal information is leaked at the end stage, the business operator shall be subject to tort liability such as taking remedial measures according to the law.”
The purpose of collecting fingerprints and facial features is to improve the tourist admission efficiency, which is “lawful, justified and necessary”.
However, the collection of personal information shall be subject to the consent of the parties concerned. The Park told Guo that the Park would collect his fingerprints for park admission before Guo bought the annual pass; after being informed of the fingerprint collection requirement, Guo chose to buy the annual pass and agreed with the fingerprint collection. However, Guo has the right to refuse the use of facial recognition without being informed prior to his purchase of the annual pass.
Guo agreed with the Park to use fingerprint recognition when he bought the annual pass. After that, the Park took Guo’s fingerprint and photo. Therefore, the collection of facial recognition information went beyond the principle of necessity, so it was not justified.
Due to this reason, the court of first instance held that the Park should delete Guo’s photo, but there was no need to delete Guo’s fingerprint.
The court of second instance reiterated the view of the court of first instance that the collection of personal information should be “lawful, justified and necessary”, and further emphasized that “as sensitive personal information, the biometric information deeply reflects the physiological and behavioral characteristics of natural persons, and has strong personal attributes. Once it is leaked or illegally used, it may lead to discrimination or endanger personal/property safety, so we should treat the biometric information with caution and protection.”
The Park took a photo of Guo when he bought the annual pass without telling him it was for facial recognition purpose, which was obviously against the principle of justification.
The Park’s requirement of facial recognition had the possibility of endangering and infringing Guo’s personality interests. Therefore, the court of second instance upheld the view of the court of first instance that the Park should delete Guo’s photo.
Moreover, given the Park had stopped using fingerprint recognition, the Park had no reason to keep Guo’s fingerprint anymore. Therefore, the court of second instance overturned the ruling of the court of first instance related to fingerprints and requested the Park to delete Guo’s fingerprint.
III. Our comments
1. The courts’ view towards the principles of “lawfulness, justification and necessity”
The principles of “lawfulness, justification and necessity” for personal information protection mentioned by the courts were earliest provided in Article 5 of the Regulations on Personal Information Protection of Telecommunications and Internet Users (电信和互联网用户个人信息保护规定) promulgated by the Ministry of Industry and Information Technology in July 2013: “in the process of providing services, operators of telecommunication business and Internet information service providers shall collect and use personal information of users pursuant to the principles of lawfulness, justification and necessity.” After that, these principles were adopted by Article 42 of the Network Security Law (网络安全法), which came into effect on 1 June 2017.
Article 1035 of Book Four (Personality Rights) of the Civil Code of China, which came into effect on 1 Jan. 2021, also adopted these principles: “The personal information of a natural person shall be handled under the principles of lawfulness, justification and necessity.”
In this case, the courts responded to such legal provisions.
We can learn from the case that even if the information owner (i.e., the plaintiff) allows the collection of his personal information, the court will still examine whether the collection and processing of such information conforms to the principles of “justification and necessity”.
The courts both of first instance and second instance held that it was justified and necessary for the Park to collect fingerprints in order to improve the efficiency of ticket checking, and with the consent of tourists, such conduct was lawful as well.
However, the court of second instance further held that keeping the fingerprint after ceasing the fingerprint recognition was unjustified and unnecessary, even with the previous consent of the plaintiff.
In this case, the courts have made clear an attitude that the judiciary authorities will comprehensively examine whether the collection and processing of personal information conform to the principles of “lawfulness, justification and necessity”.
2. The promotion of personal information protection by legal profession
Actually, Guo Bing, the plaintiff, in this case, brought the lawsuit intentionally to some extent.
Guo received his doctoral degree in law from Zhejiang University and is an associate professor at the Law and Politics School of Zhejiang Sci-Tech University. His research focuses on the digital economy and law. During the exposure for comment stage of the Law on Personal Information Protection (Draft) (个人信息保护法(草案)), he also submitted the Proposal on Improving the Special Protection of Biometric Information, proposing to raise the threshold of using facial information recognition technology, so as to protect the personal information.
This case has attracted nationwide media attention and ignited public discussion about personal information. In this regard, Guo has fulfilled his purpose by filing this case intentionally. It is also fair to say that China’s legal profession is making a great effort to promote China’s personal information protection rules.
Contributors: Guodong Du 杜国栋 , Liu Qiang 刘强
