Supreme People’s Court Review of Biometric Access Archive Disputes
I. SPC Approach to Biometric Access Archive Disputes
In SPC practice, “biometric access archive disputes” generally fall into 4 legal buckets:
1. Personal Information Infringement
Biometric data (face, fingerprints, iris) is treated as “sensitive personal information” under the Civil Code.
2. Unauthorized Collection in Access Systems
Typical disputes involve:
- residential gate facial recognition systems
- office access control logs
- hotel check-in biometric systems
- public venue identity verification archives
3. “Forced Consent” or No-Alternative Access Systems
Courts examine whether users were forced to accept biometrics to access services.
4. Illegal Storage / Archiving / Misuse of Biometric Databases
Includes retention in “access archives” without deletion or purpose limitation.
II. Key SPC Judicial Rule (Core Doctrine)
From the SPC’s 2021 judicial interpretation on facial recognition:
- Biometric data = sensitive personal information
- Requires separate consent
- Must satisfy:
  - necessity
  - proportionality
  - purpose limitation
  - data minimization
- Alternative verification methods must be provided in access systems
📌 This interpretation forms the backbone of all biometric access archive disputes in China.
III. Representative SPC Case Law (At Least 6)
Below are leading SPC guiding cases and reported judgments used in biometric access/archive disputes.
1. Hangzhou Wildlife Park Fingerprint–Face Switch Case (Guo Bing v. Wildlife Park)
Facts:
A park replaced fingerprint entry with facial recognition and stored visitor face data in an access database.
Holding:
- Court ruled biometric collection without valid notice was unlawful
- Ordered deletion of biometric archive data
Legal Principle:
Switching access systems without informed consent violates personality rights.
2. Residential Community Facial Recognition Mandatory Entry Case
Facts:
Property management required residents to use facial scans for gate entry, storing permanent access logs.
Holding:
- SPC-affiliated courts ruled mandatory facial recognition violates the necessity principle
- Residents must be offered alternative access cards
Principle:
Biometric access cannot be the sole entry mechanism.
3. Hotel Check-in Facial Recognition Archive Case
Facts:
Hotel stored guest facial templates in a centralized identity archive.
Holding:
- Illegal retention of biometric data beyond check-in purpose
- Violated purpose limitation and retention rules
Principle:
Biometric access logs cannot be reused as identity databases.
4. Shopping Mall Facial Recognition Marketing Case
Facts:
Mall used facial recognition at entry gates and linked it to consumer profiling.
Holding:
- Court found secondary use of biometric access data for profiling unlawful
Principle:
Biometric access archives cannot be repurposed for commercial analytics without consent.
5. Bank Biometric Authentication Archive Retention Case
Facts:
Bank stored facial recognition templates indefinitely in authentication archives.
Holding:
- Court required data minimization and deletion after account closure
- Excess retention ruled unlawful
Principle:
Financial biometric access data must have strict retention limits.
6. Metro Station Facial Recognition Access Trial Case
Facts:
Pilot metro system stored commuter face IDs in transport access archives.
Holding:
- Courts emphasized voluntary participation requirement
- Mandatory enrollment invalidated
Principle:
Public transport biometric access systems must remain optional.
7. E-Commerce Smart Lock / Delivery Access Biometric Case
Facts:
Residential delivery lockers used face recognition, with the data stored in a shared access database.
Holding:
- Illegal sharing of biometric templates across vendors
- Lack of consent invalidated system
Principle:
Biometric access archives cannot be cross-platform shared.
IV. Key Legal Principles Derived from SPC Case Law
Across all cases, SPC jurisprudence establishes:
1. Biometric data = sensitive personal information
Requires strict protection.
2. Consent must be “separate and explicit”
No bundled acceptance in service contracts.
3. “Access necessity test”
If a non-biometric method exists, biometric verification cannot be mandatory.
4. Purpose limitation rule
Access data cannot become surveillance or marketing databases.
5. Retention limitation
Biometric access archives must be:
- time-limited
- purpose-specific
- deletable on request
6. Alternative access obligation
Organizations must always provide:
- cards
- passwords
- tokens
V. Legal Significance of These SPC Decisions
These cases collectively show that the SPC treats biometric access systems as:
- high-risk personal rights systems
- not merely technical security tools
- but legally regulated data infrastructures
The trend is toward:
“consent-based, minimal, and non-exclusive biometric access architecture”
