Facial recognition technology (FRT) has been actively deployed by both private and public sectors for a wide range of purposes in China. As the technology has become more prevalent, the laws governing FRT have developed rapidly in recent years. While the use of FRT is increasingly regulated in the country, the regulatory restrictions can be invariably lifted for the reason of public security. Government agencies have consistently claimed this regulatory exemption for their massive FRT deployment. Moreover, the liability for government’s abuse or misuse of personal data is relatively insignificant when compared with that for private parties. Based on recent laws and cases, this chapter explains China’s asymmetric regulatory framework and the factors shaping it.

Chapter 1 ties together the problems of central elements of privacy law: the individual choice-based system, the fair information principles that originated it, the view that privacy is about secrecy, and dichotomies such as public versus private. We don’t have actual choices about our data beyond mechanically agreeing to privacy policies because we lack outside options and information such as what the choice means and what risk we’re taking on by agreeing. The choice-based approach creates a false binary of secret and open information when, in reality, privacy is a spectrum. The idea that someone, at any given time, has either total privacy or no privacy at all is unfounded. Additionally, data are bundled: you can’t reveal just one thing without letting companies infer other things. Reckoning with this reality defeats the popular “I have nothing to hide” argument, which traces back to Joseph Goebbels.

Schools are the keepers of personal and sensitive data which is provided at the time of enrolment and entrusted to the school. As the student progresses through his or her academic years, further information and performance data are collected and stored in order to best gauge the position of the student and provide support. Some of this information is for administrative purposes while other data is collected to track achievement or bring attention to a particular area of need. With the convenience and space available for online and cloud storage of student data, teachers have an increased responsibility towards protecting personal information. This information can typically include names, addresses, religious affiliations, nationality, date of birth, behavioural notes and medical information. Photographs, video clips, and online and hard-copy documents used in schools also fit the criteria of personal information (Australian Law Reform Commission, ). Personal information is not limited to students as it can also apply to staff, volunteers, contractors, parents and others who are connected to the school.

Chapter 9 examines how new forms of information privacy law could develop to interrupt modulated forms of power. It highlights some design points for future legal reform. The design points outline some key areas that would allow reforms to develop based on Julie Cohen’s work. The implementation of these principles would require some form of detachment from information privacy’s core process protections, so the law could apply in gaps and spaces at the outskirts of process. These gaps and spaces are important because this is where selfhood flourishes and would therefore be a prime target for modulated forms of data collection. The design points would allow protection of gaps and spaces through the construction of new boundary options that create pauses in seamless forms of data collection and analysis. All of this would assist in information privacy law’s new role in exposing modulation. The chapter contends that a greater focus on relational forms of personal information is needed along with a collection principle based on fairness. New legal vocabularies and new ways of incentivising value discourse, as well as compliance orientations, in data collecting institutions are required.

Chapter 6 investigates the different foundational structures and jurisdictional perspectives of information privacy law that involve EU, US and Australian legal frameworks. A historical perspective of information privacy law developments in each jurisdiction is provided based on three founding legal instruments for each jurisdiction. Historical development is important because it highlights that, although different jurisdictional laws are based on the same principled approach, different jurisdictions adopt different emphases. Two particularly emphases are examined: the type of regulated information that triggers regulatory response, namely, personally identifiable information in the US, and personal data in the EU and personal information in Australia. Information privacy law’s principled process of protection is also examined. Attention is given to collection principles as a means of outlining foundational differences between sectoral and comprehensive regimes of information privacy, particularly regarding the overt use of a notice and consent model.