On 23 April 2021 the National Information Security Standardisation Technical Committee released the Information Security Technology – Security Requirements of Face Recognition Data (Draft for Comment), soliciting public comments by 22 June 2021. The draft for comment specifies the basic security, safe processing and security management requirements for facial recognition data. Among other things, it clearly sets out six aspects of the basic security requirements for data controllers. For example, data controllers must take security measures to protect the rights of data subjects, including the rights to:

  • be aware of the use of facial recognition data;
  • withdraw authorisation;
  • cancel an account;
  • file a complaint; and
  • receive a timely response.

When carrying out facial verification or identification, data controllers must meet at least five requirements – for example: "in principle, facial recognition shall not be adopted for minors under the age of 14 in case of identity verification."

The draft for comment provides useful methods that enterprises can apply to evaluate whether their use of facial recognition data and the relevant control measures are generally reasonable. A separate email analysis has been sent to enterprises.