With the massive implementation of remote working and online transactions in the era of the pandemic, to meet the needs for convenience, efficiency and transaction cost control, the financial industry has turned to electronic signatures using facial recognition and other biometric recognition technologies. However, biometric recognition technology is rarely used simply for electronic signatures. One possible reason is that the compliance risks that may accompany the use of electronic contracts and electronic signatures in the area of private rights are not widely known to users and cannot be effectively identified.
This article examines the laws and regulations in China relating to electronic signatures, electronic contracts and the protection of personal information such as facial features, as well as regulatory standards in related fields, and briefly analyzes the main compliance issues that may be involved in using electronic signatures based on facial recognition to sign electronic contracts in the financial sector.
TRUSTED E-FINANCIAL CONTRACTS
According to article 469 of the Civil Code, the law recognizes the use of data messages as a method of signing contracts. The Process Specification for Online Conclusion of Electronic Contracts (Draft for Comments) published by the Ministry of Commerce defines an electronic contract as an agreement concluded between subjects of equal status, namely natural persons, legal persons and other organizations, to establish, modify and terminate the civil law relationship with data messages as a carrier by means of electronic communication.
Therefore, electronic contracts are not an innovative concept completely separate from traditional contracts, and their aim is to achieve the same effect as traditional contracts after signing. This corresponds to the main objective of risk control for electronic contracts, which is to ensure that the legal effect of electronic contracts is equal to that of paper contracts.
The Civil Code does not specify the elements that make an electronic contract effective. However, based on the elements considered in the signing and entry into force of traditional contracts, combined with the method of generating electronic contracts, the four national standards of contracts and the provisions of the law on electronic signature, a reliable electronic signature should be considered a key element of the validity of an electronic contract.
The signature and effectiveness elements for electronic contracts to perform the same function as traditional paper contracts are: (1) the confirmed identity of the subjects signing the contract; (2) reliable electronic signature; (3) the contract cannot be changed unilaterally after signing; and (4) the contract can be used as evidence and has the legal effect of the original.
The electronic signature law does not limit the means of implementing an electronic signature, but from the point of view of the impact on the validity of electronic contracts, electronic signatures can be classed as either reliable or general. Articles 13 and 14 of the Electronic Signature Act expressly stipulate the elements of a reliable electronic signature.
The law on electronic signature does not specifically define the mode of implementation or the technical means of electronic signatures. The application of facial recognition technology to the signing of electronic contracts does not exceed the generally accepted limit of the implementation of electronic signatures. Compared to general personal information, biometric information, such as facial features, is characterized by strong recognizability, immutability, non-anonymity and irreplaceability, meeting the four characteristics required for reliable electronic signatures. Theoretically, provided all four characteristics are met, biometric information can be identified as a legally defined reliable electronic signature.
MAIN COMPLIANCE ISSUES
Processing of sensitive personal information. Information-intensive financial institutions should pay more attention to protecting sensitive personal biometric information when using such information for electronic signatures.
The use of biometric information for electronic signatures must follow the provisions of the Civil Code; provisions on several issues regarding law enforcement in the trial of civil cases related to the processing of personal information using facial recognition technology; the law on the protection of personal information; and other laws and regulations protecting sensitive personal information.
In particular, when dealing with sensitive personal information, authorization by broad or presumed consent is prohibited by law. Acquired facial biometric information should be stored properly and the retention period should be determined based on the principle of minimum necessity.
Care should be taken to distinguish between the elements required to use facial recognition solely as a means of identity verification and as a method of implementing trusted electronic signatures. If biometric recognition such as facial recognition is intended to be the method of implementation for financial electronic contract signatures, ensure that the four basic characteristics required for trusted electronic signatures are met.
Avoid using biometrics as the only form of signature. When formulating the signing conditions of electronic contracts, financial institutions should offer several or a limited number of signing options or prevent users from making a choice. The Network Data Security Management Regulations (draft for comments), issued by the Cyberspace Administration of China on November 14, 2021, prohibits the use of biometric characteristics, including face, gait, fingerprints, iris and voiceprint, as the only means of personal identity authentication. Therefore, a variety of options for implementing electronic signatures should be provided in electronic contracts.
Electronic storage of data and presentation of evidence. To ensure that electronic financial contracts signed with electronic signatures using facial recognition meet standards of forensic review and determination, financial institutions should fully authenticate the electronic evidence involved in transactions and ensure that they have adequate electronic evidence storage.
Yao Xiaomin and Zhang Xiaoke are partners at Lantai Partners.