China’s adoption of facial recognition has been so aggressive that even gyms are using it. And it may come as no surprise that some are not using it responsibly. Last week, police in the city of Suqian, in eastern Jiangsu province, found that a local gym using facial recognition for access control left facial data on more than 20,000 members unencrypted and unprotected. The Suqian police posted about it on its official Weibo account and the story was picked up by local media.
Suqian police said that the gym violated China’s Cybersecurity Law by failing to inform users about the purpose of collecting and using their personal data. The police also said the gym failed to take “technical or other necessary measures” to ensure the security of that data, as required by the law. Other data collected by the gym included names, phone numbers and fingerprints.
Suqian police said that they discovered the problem while conducting a cybersecurity check at the gym in late April during an “internet cleaning” campaign. The police gave the gym a warning and ordered it to "rectify" the problems. Chinese newspaper Southern Metropolis Daily reported that this is the first time a physical shop was punished for the illegal use of people’s facial data. Previous cases only involved online applications, according to the paper.