Visitors check their phones behind the screen advertising facial recognition software during Global Mobile Internet Conference (GMIC) at the National Convention in Beijing, China April 27, 2018. [Photo/Agencies] China has stepped up efforts to protect personal information, with many localities, as well as the Cyberspace Administration of China, introducing policies to crack down on abuse of personal information collection. The policies have been put in place after heated discussions online over the wide use of facial recognition technology, which allows residential communities, enterprises, hotels and many other public places to collect people's facial images and other biometric information. The debate was prompted after a video was circulated widely online last month showing a man going to a real estate sales center in Jinan, Shandong province, with a helmet covering his head. The subtitles of the video say: "To protect my personal information, I now wear a helmet to see a property." In the video's comments, some netizens pointed out that many real estate sales centers use facial recognition cameras to differentiate customers sent by agencies and customers who come on their own. The move is said to help sales centers decide which preferential policies the customers should receive when they purchase a property. "You cannot guarantee that the real estate developers protect your facial recognition information. Compared with the security of personal information, I don't care about how big the discount could be," a resident of Guiyang, Guizhou province, who declined to reveal his name, told China Central Television during an interview. He Yanzhe, an expert from China Electronics Standardization Institute, told CCTV that China's Cybersecurity Law stipulates that "lawful, justifiable and necessary" are the three principles that govern the collection and use of personal information, and the sales center using facial recognition clearly violates the three principles. "It is a very typical illegal act and should be dealt with immediately," he said. He said simply asking real estate sales locations to uninstall all cameras would not be sufficient. Official guidance on regulating how and where cameras can be used properly should be put in place, he said, adding that the Cyberspace Administration of China has already begun to work on it. Several cities have already begun to tackle the problem. Nanjing and Xuzhou, in Jiangsu province, have issued notices forbidding real estate sales offices from taking pictures of visitors without their consent. Local legislation In addition to facial recognition, some other cities have formulated legislation to control the abuse of personal information. On Dec 1, Tianjin adopted social credit regulations that will take effect on Jan 1. Article 16 of the regulations stipulates that when credit information operators collect information from an individual, they must obtain the person's consent and reach an agreement on the purpose of its use. They may not collect information related to religious beliefs, blood types, medical histories or biometric information. That means organizations such as enterprises, institutions, associations and chambers of commerce will be prohibited from collecting biometric information including facial images, fingerprints and voices. Hangzhou, capital of Zhejiang province, has drafted a regulation on the city's property management and submitted it for deliberation in October. The draft stipulates that property management committees should not force residents to submit facial or other biometric information such as fingerprints when using public facilities or equipment. If approved, the regulations will become China's first local legislation that regulates the application of facial recognition in residential communities. Security over personal information has been a hot topic in China over the past year, fueled by the rapid development of information technologies. In 2019, Guo Bing, an associate law professor at Zhejiang Sci-tech University, sued Hangzhou Safari Park for enforcing facial recognition at its entrance. The case reached a judgment last month with a court in Hangzhou ruling that the park should delete all facial feature information of Guo when he bought the park's annual pass and pay Guo 1,038 yuan ($138) in compensation. In November, YTO Express, one of China's largest courier companies, was investigated after a few of its employees were found stealing and selling more than 400,000 items of personal information. Smartphone applications also ask users to agree to a series of privacy policies before accessing their services. Some apps also forbid users from use of their services without consenting to such policies, generating wide criticism from netizens. Abuse by apps To target excessive collection of personal information, the Cyberspace Administration of China issued a document on Dec 1 limiting the scope of personal information collection by mobile applications. Comments from the public are now being solicited for the document, which stipulates the scope of "necessary personal information" for 38 types of common apps, including maps, car-hailing, instant messaging, online shopping, food delivery and express services. It clarifies "necessary personal information" as the information that must be submitted to ensure the basic functions of the app. For example, the necessary information for a map application is location, and as long as the users allow the app to use only their location, the app must not deny them the use of its basic services. For all 38 types of apps, no biometric information such as facial or fingerprint recognition is listed as necessary. He Yanzhe, from China Electronics Standardization Institute, told CCTV that one of the biggest changes the document will bring is that users' basic right to choose will be guaranteed. He said users often see a lot of privacy policies to which they are asked to consent, but they often either don't know what will happen once they agree or are forced to click on the "agree" button in order to use even the basic functions of the app. "With such a standardized document in place, users will be able to make a decision on other information being collected by the app," he added. He said the release of the document will also push enterprises to adjust their products and business models to meet the requirements. "Comments are currently being solicited for the document. I believe that after it is implemented, there will definitely be a major rectification of apps," he added.