Policy designs for adaptive governance of disruptive technologies: the case of facial recognition technology (FRT) in China

Abstract Recent regulations introduced by the Chinese government regarding big data technologies are welcome to those long concerned about the risks associated with their rapid deployment. However, these changes are not sufficient to safeguard privacy and data security. More importantly, these policies may not have fully accounted for the disruptive nature of these technologies. In this paper, we examine the need and the potential of new approaches in policy design regarding disruptive technologies by examining the case of facial recognition technology (FRT) in China. We argue that adaptive governance provides a useful framework for future policy design. Regulatory sandbox approach, policy mix and stakeholder engagement are among key policy measures to overcome regulatory challenges.


Introduction
The ubiquity of face recognition technology (FRT) that identifies individuals in static images and videos by analyzing their faces has been a global source of controversy and tension (Hill 2020;Noorden 2020). FRT is a disruptive technology, innovation that significant alters the ways consumers, industries, businesses operate (Danneels 2004;Kostoff, Boylan, and Simons 2004). While facial recognition comes naturally to humans as a cognitive task, FRT automates the task in massive scale with high precision and fast speed. As a result, FRT has been deployed to enhance security and improve operational efficiency across many areas such as national security, law enforcement, public health, finance, and marketing. For instance, FRT has been used to enforce social distancing measures to slow the spread COVID-19 (Cha 2021;Kaye 2021). Based on a recent study, FRT has been deployed in about 100 countries globally (Bischoff 2021).
As the use of FRT has grown rapidly, so have concerns over privacy, data security, and social equity. The disruptive force of FRT not only has significant impacts on industries and businesses, but also deeply affects government and the society. Unlike other data regularly collected by governments and businesses, facial biometric data can be collected without permission, making the use of such data especially vulnerable to potential biases, misuse, and abuse. A growing number of cities have imposed stricter regulations on the use of the FRT, with some of them banning the use of FRT in public spaces entirely (Lavoie 2021;Metz, 2019).
While much attention has been focused on reducing privacy, data leakage, and social equity risks with better regulations, this approach is inadequate for dealing with critical issues caused by disruptive technologies such as FRT. First, existing regulatory approaches could be ineffective for disruptive technologies. For example, informed consent is a basic requirement for the commercial use of FRT, but existing regulations regarding informed consent cannot cope with the dynamic way that online platforms and apps manage such consent.
Second, regulations may have a range of unintended consequences that affect the pace of technological advancement. In fact, rapid advances in technology can alter the tradeoff between security and privacy. The integration of blockchain technology into FRT could simultaneously strengthen both security and privacy (Perryman 2019), while overly strict regulations on the use of FRT could dampen technological development (Tait, Banda, and Watkins 2017).
Third, policy responses to disruptive technologies are shaped not only by institutional factors such as regime type, political ideologies, and cultural norms, but also by events and crises. Public acceptance of surveillance technology in the US increased significantly after 9/11. Even in China, where there has been high social acceptance of extensive personal data collection, recent scandals regarding privacy violations from the abuse of such data has increased public awareness regarding data privacy issues (Liu et al. 2021).
In this article, we suggest that the adaptive governance framework provides useful insights for policy design when it comes to disruptive technologies such as FRT. Adaptive governance grew out of the need for more sophisticated and flexible governance to respond to rapid environmental changes; and was first used in environment and socio-ecology research to cope with the dynamic relationship between the humanity, society, and nature (Bronen and Chapin, 2013;Dietz et al., 2003;Folke et al. 2005;Schultz et al. 2015). More recently, a growing number of studies have applied the adaptive governance framework from different perspectives to disruptive technologies (Janssen and van der Voort 2016;Wang, Medaglia, and Zheng 2018;Brass and Sowell 2021;Tait, Banda, and Watkins 2017).
The development and deployment of FRT in China offers an ideal opportunity to examine the challenges and potential of the disruptive technologies, and to apply the adaptive governance framework. For the last two decades, China has been in the forefront for both the development and deployment of FRT. The country is also a major exporter of the FRT, which means that FRT advances in China have global impact. The wide range of applications for FRT in China provides an opportunity to study the promises and pitfalls associated with the use of technology, and this case study has important implications for the design of data policies in general.
Our paper tackles three research questions: 1) What are the policy problems associated with the development and application of FRT in China? 2) What are the policy responses to problems that China encountered in the development and application of FRT, and how effective have they been? 3) What lessons are there for other disruptive technologies and other countries, and how should we approach policy design for FRT under adaptive governance?

Disruptive technologies and adaptive governance
While the conventional policy response to disruptive technologies has been to introduce new regulations; regulatory effectiveness is impaired by challenges inherent in disruptive technologies such as information asymmetry between technology companies and governments, uncertainty over the trajectory of technology development, intensive complexity and uncertainty regarding the interaction between society and technology, and so on (Janssen and van der Voort 2016;Taeihagh, Ramesh, and Howlett 2021). It has been frequently observed that the use of disruptive technologies elicits new regulations that rapidly become outdated as these technologies evolve (see Morrison 2018 for IoT; Pasztor and Wall 2016 for Drone; Raths 2015 for Healthcare innovation; Stern 2017 for Fintech).
The adaptive governance framework provides useful insights into the challenges inherent in responding to disruptive technologies, such as complexity and uncertainty (Busquet et al. 2020;Eggers, Turley, and Kishnani 2018). Janssen and van der Voort described five key features of adaptive governance for disruptive innovation: "decentralized decision-making, efforts to mobilize internal and external capabilities, bottom-up (and top-down) decision making, wider participation to spot and internalize developments, and continuous adjustment to deal with uncertainty" (Janssen and van der Voort 2016, p4).
The adaptive governance framework has several advantages over existing approaches that rely heavily on regulations. First, it can help balance risks and benefits in the development and use of disruptive technologies (Janssen and van der Voort 2016;Wang, Medaglia, and Zheng 2018;Brass and Sowell 2021;Tait, Banda, and Watkins 2017). Under the existing approaches, governments are often caught between over-regulating and under-regulating. Whereas a complete ban or extremely tight restrictions on technology development could be overly precautious relative to potential risks (Tait, Banda, and Watkins 2017); laissez-faire policies could lead to downsides that vastly outweigh any benefits.
Second, unlike regulatory approaches, adaptive governance emphasizes the cooperation ofand participation fromdifferent stakeholders during the policy-making process. Establishing cooperation models is a crucial part of this new governance framework (Busquet et al. 2020); and the adaptive governance framework emphasizes the complexity, uncertainty, and unpredictability of interacting systems, as well as the importance of collaboration across different organizations in responding to wicked problems (Chaffin, Gosnell, and Cosens 2014;Folke et al. 2005;Olsson et al. 2006;Schultz et al. 2015).
Third, adaptive governance highlights the need to adapt to the different stages of development of disruptive technologies. For example, standards and guidelines can be emphasized in earlier stages to encourage the sharing of expertise and private sector cooperation; with the focus switching to regulations and more substantial standards and guidelines as these technologies mature (Tait, Banda, and Watkins 2017;Brass and Sowell 2021).

The development and diffusion of FRT in China
Early development of FRT in China was bolstered by a surge in demand from public security and banking. Under national surveillance projects such as "Skynet" and "Xueliang," a tremendous number of surveillance cameras with FRT have been installed nationwide for public security purposes (T. Li 2019; Mao 2019). Chinese banks were also early adopters of FRT. In October 2016, Agricultural Bank of China (ABC) became the first of four Chinese state-owned banks to deploy FRT across all their devices. Other state-owned banks quickly followed suit, which made FRT essential to banking in China.
In addition to financial support via government procurement, the Chinese government has enacted policies to promote the development of FRT. Artificial Intelligence has been emphasized as key area of technological innovation, with FRT playing a central role. In 2017, China's Ministry of Industry and Information Technology devised the Three-year Action Plan for Artificial Intelligence Industry Development, which forecast FRT accuracy in excess of 90% by 2020 (Science and Technology Division 2017).
Strategic planning and financial support from the Chinese government have accelerated the development of FRT and the industry, which have both advanced rapidly. According to the China National Knowledge Infrastructure (CNKI) patent database, the number of FRT-related patents reached 16,262 by mid-2022. The number of invention patents and the number of utility model patents granted have both increased substantially since 2019 (Table 1). According to Espacenet, a patent database maintained by the European Patent Office, China ranks second in the number of FRT patents at 101,837, second only to the US. 1  2011  54  26  2012  74  56  2013  148  49  2014  84  32  2015  235  56  2016  345  155  2017  416  199  2018  884  254  2019  1178  379  2020  2279  568  2021 3228 861 FRT is widely deployed across different settings in China. A recent report ranked China as having the most widespread and invasive use of FRT (Bischoff 2021). According to a consulting company in China, the market for FRT in 2021 was estimated to be worth $5.6 billion RMB, with an annual growth rate of 24.4% (M. Wang 2022). As a result, many Chinese FRT developers such as CloudWalk, SenseTime, and Beihang University are becoming dominant players in the global market for FRT (Yang and Murgi; Grother et al. 2022). SenseTime, a leading FRT company in China, reported a total revenue of RMB4.7 billion and gross profit of RMB3.3 billion in 2021 (SenseTime Group Inc 2022). In 2019, there were a total of 2,342 FRT companies in China.
FRT has been deployed extensively by the Chinese government. The country's social credit system and its investment into smart cities generated huge demand for cameras and software with FRT. China's "Skynet" projectpart of its social credit systemwas completed in 2018 with more than 20 million security cameras installed nationwide (according to the state media's official documentary Amazing China). IHS Markit estimated the total number of security cameras in China at more than 560 million in 2021, accounting for slightly more than half of the global total (Yang and Murgi). According to CKNI data, there were more than 2 thousand procurement notices for FRT in mid-2022. These government procurements provide not only financial incentives for FRT, but also create opportunities for companies to test and fine-tune FRT under different application scenarios. Besides public safety, the Chinese government also utilizes FRT to improve the provision of public services. In 2021, Tianjin Railway invested about RMB136.2 million to implement FRT in its payment systems, enabling people to ride the metro without having to purchase tickets beforehand.
FRT has also been deployed in educational settings. Some Chinese universities have used FRT to track class attendance. In Nanjing, FRT-enabled cameras were installed in university classrooms to reduce absentee rates and identify inattentive students. FRT has also been used to monitor China's annual National College Entrance Examinations (NCEE). In early 2016, biometrics such as through FRT and fingerprints, were used to verify the identity of candidates and detect imposters.
The use of FRT has also become prevalent in the private sector. Services and products with FRT frequently tout their safety and convenience. Payment systems that leverage FRT can now facilitate transactions without the use of smartphones, enabling consumers to make purchases by just presenting their faces to cameras embedded in payment terminals. This service has been launched for the two leading electronic payment platforms -Alipay and WeChat Pay; and have been getting more sophisticated. However, not all FRT deployments have been aimed at growing the number of users. Recently, Tencent used FRT to prevent children from playing computer games between 10 p.m. and 8 a.m. FRT is a powerful tool for the prevention of gaming addiction in children, which is mandated by the Chinese government.

Analysis of problems of FRT and policy responses
While the widespread use of FRT in China has delivered much convenience to consumers, efficiency improvements for the government, and new business opportunities for the private sector; there are growing concerns over the privacy, data security, and social equity risks stemming from the misuse and abuse of FRT. For example, representatives from Suzhou's urban management office published images of supposedly "uncivilized behavior" captured by FRT-enabled cameras, which turned out to be just citizens wearing pajamas in public. FRT has even deployed in public toilets to reduce the wastage of toilet paper (Xinhuanet 2020). In a study of 6,100 Chinese citizens, 83% of respondents wanted more control over their data, and 75% preferred traditional methods of identity verification over FRT (Nandu Personal Information Protection Research Center, 2019).
The use of FRT is also prone to data security threats as it depends on machinereadable information storage systems. The stored facial data is also alluring to hackers because of its high commercial value. In 2019, Shenzhen Deepnet Vision Technology Co Ltd suffered a massive data breach of over 2.5 million people's data with 6.8 million pieces of data leaked, including identity card information and facial recognition images. The leakage of such information exposes affected individuals to various types of risks, such as identity theft and online fraud.
Despite significant recent advances in the processing of facial data, FRT's high error rate remains a significant problem due to inherent structural limitations of deep learning algorithms, which leaves room for spoofing attacks. In 2019, Alipay's FRT was tricked by the US AI company Kneron using a 3 D-printed mask. Grey market actors perfecting these cracking techniques could lead to threats such as theft and privacy leaks.
While the Chinese government has been enacting laws in recent years to address data governance issues arising from the use of disruptive technologies (see Table 2), none of them specifically protects facial information or even personal biometric information more broadly. It was not until the implementation of the Civil Code on 1 January 2021 that China explicitly classified biometric informationincluding facial informationas personal information (National People's Congress of the PRC, 2020).
In addition to the inclusion of facial information as a personal information in the Civil Code, several major laws have been enacted to strengthen FRT data governance. These include the Personal Information Protection Law (PIPL) and Data Security Law. The PIPL specifically classifies biometric information as a primary type of "sensitive personal information," and emphasizes that such sensitive personal information can only be processed with the individual's consent, for a specific purpose, with sufficient necessity requiring a prior risk assessment (National People's Congress of the PRC, 2021). The Data Security Law emphasizes that data-related activities must be "conducive to economic and social development, promote people's wellbeing, and comply with social morality and ethics" (National People's Congress of the PRC, 2021).
On 21 July 2022, the Cyberspace Administration of China (CAC) fined DiDi Global, China's ride-hailing giant, an unprecedented RMB8.026 billion for data breaches, and for the excessive collection of 107 million pieces of facial recognition data from its passengers. Some local governments in China have also passed their own regulations that are even stricter. In 2021, Tianjin, Shenzhen, and Hangzhou enacted regulations explicitly prohibiting the collection of biometric data (including facial data) without informed consent. A good example is the Shenzhen Special Economic Zone Data Regulation, which aims to curb the misuse of biometric data (Lin et al., 2022), and stipulates that service providers should "provide alternative solutions for processing other non-biometric data." Although China has adopted more stringent regulations to reduce privacy and data security risks, and possible social equity issues caused by FRT's rapid deployment, the effectiveness of these regulations cannot be taken for granted. For example, the principle of informed consent is foundational to the protection of personal information, but is difficult to achieve in practice (Guo, 2020;Xing, 2020;Zhang and Wang 2022). User agreements that supposedly "inform" users of privacy practices to obtain their consent are usually lengthy and laden with jargon, making them impossible for users to comprehend. The protection of personal information is not always prioritized by private companies and may even run counter to business objectives. This means that businesses may not have a strong incentive to comply with such regulations, blunting their effectiveness.
In addition, strict regulations imposed on the collection of facial data may do little to alleviate data security concerns. Although the industry is constantly improving and optimizing their algorithms, they are engaged in a constant arms race against hackers. Solutions to technical problems cannot be implemented with just laws and regulations; they also require the cooperation of companies, research institutes, and other organizations.
Finally, strictly regulating FRT applications could slow future technology advances and negatively impact growth prospects for the industry. Table 3 shows that both the number of registrations of FRT-related businesses and number of FRT-related patents have declined significantly in 2021. Regulatory approaches to FRT tend to focus on minimizing privacy and data security risks, but it is also important to facilitate the realization of FRT's potential benefits. Nevertheless, FRT's promised benefits obviously need to be delicately balanced against downsides such as digital mass surveillance, discrimination, and privacy risks.

Policy design for adaptive governance of FRT
There is a need to explore a comprehensive governance approach to FRT that incorporates rapid technological change, sophisticated knowledge and expertise, and the diverse interests of stakeholders. Adaptive governance focuses on maintaining a reasonable degree of flexibility in governance structures to adapt to uncertainties caused by disruptive technologies; and allows policymakers to learn from experience. This section discusses a few policy designs based on the adaptive governance framework that address the limitations of regulatory responses to FRT.

Adopting the regulatory sandbox approach
Adaptive governance prioritizes flexibility, and this can be provided by regulatory sandbox to evaluate the effectiveness of various regulatory responses and to undertake amendments (Tan and Taeihagh 2021). Regulatory sandboxes differ from traditional regulatory approaches in that they can help regulators obtain first-hand information regarding cutting-edge technologies and how to intervene more effectively at key technological stages with regulatory actions. They allow companies to test innovative products, services, and business models with actual individual and corporate users in real market environments by selectively relaxing restrictions and developing risk management measures.
While the authoritarian nature of the Chinese government may appear at odds with institutional environment expected for regulatory sandbox approach, the policy development in the country anything but monolithic due to vast differences in economic development and policy capacity across regions. In fact, policy pilots with different approaches and policy mixes have been conducted extensively in several policy areas, such as environmental protection and international trade (Mertha 2009), health insurance (Zhu and Xiao 2015), and urban poverty (Hammond 2013).
China can take advantage of the considerable variation in the maturity of new technologies across the country to pilot different innovative FRT products, services, and business models, as well as to test different regulatory approaches. In addition, different regulatory functions should be prioritized at different stages of technological development and deployment. For example, the government could focus on adequacy and necessity during the early stages, with more emphasis on standards and quality assurance when more information on the impact of such technologies becomes available. Furthermore, the government should strengthen its analytical capacity for the collection and processing of evidence required for testing and evaluating different approaches within regulatory sandboxes. For example, standardized surveys can be conducted regularly to determine the public response to advancements in FRT and its applications.

Using policy mix to reduce risk while encouraging innovation
In the field of innovation policy, the concept of 'policy mix' helps policymakers reevaluate basic (and often hidden) assumptions to better cope with multi-level, multi-actor, confusing, and complex realities (Flanagan, Uyarra, and Laranja 2011).
Instead of relying purely on strict regulations, the government can use a flexible combination of policy instruments to motivate businesses, such as soft instruments, economic incentives, and information-based tools under the AG framework. Once the technology has matured and is market ready, policymakers can implement formal laws and regulations with more stringent standards and guidelines.
China has started to recognize the importance of maintaining a balance between regulation and technological development, with parallel implementations of hard and soft measures (Zeng, Liang, and Zhang 2021). For example, various government departments and local authorities have been coming up with soft measures such as standards and guidelines to establish proper management and technical systems. For example, in June 2020, Xiaomi was praised by CCTV News for the excellent privacy protection features in its new system, and its share price tripled in the following six months.
More systematic effort in policy design is required in the uses of policy mixes across different areas and over time. The implementation of soft standards should be complemented with economic incentives that motivate commercial organizations. The governments may give recognition to companies that voluntarily disclose their efforts to secure facial data, strictly comply with national standards, or even make extra protective measures, by creating a whitelist of companies to which low-interest loans or tax breaks can be offered. In addition, information-based policy instrument can be applied more extensively help align the interests of private sector with policy objectives of the government without resorting to strict regulation. Last, government can use the public procurement to channel resources to technologies and applications with high potential to enhance public value. Government is among early adopters of descriptive technologies such as FRT, and public procure can have significant impacts to the development and application of such technologies.

Broadening the knowledge and expertise base with stakeholder engagement
The adaptive governance framework emphasizes a polycentric model of governance that encourages the participation of multiple stakeholders to solve problems in the face of systemic complexity and uncertainty (Schultz et al. 2015;C. Wang, Medaglia, and Zheng 2018). Public administrations are often not the most knowledgeable about new and rapidly developing technologies such as FRT. Considering the significant impact of algorithms on FRT safety and security, it is important that the public sector, private companies, universities, and non-governmental organizations (NGOs) work together to establish industry standards and certification requirements for algorithms so that the social benefits of FRT can be maximized while minimizing its downsides. Besides, the involvement of various stakeholders in the evaluation process also help boosts the analytic capacity of the government.
In China, various government departments, research institutes, and companies have recently started collaborating on the development of industry standards for FRT. For example, in 2019, the Ministry of Public Security worked together with the Beijing Network Industry Association and the Third Research Institute of the Ministry of Public Security to develop guidelines for Internet service providers on the protection of personal information. The Chinese government has also encouraged the netizens to share their opinions on controversies involved in the use of FRT for commercial purposes to balance against the interests of the private businesses.
While the Chinese government has made steady process in the right direction, neither the scope of collaboration nor the breadth of participation is far from sufficient. With emerging technologies like FRT that are rapidly advancing, potential risks and benefits are best understood by industry because of their access to the latest knowledge and expertise. Therefore, it is important that the government further engage with such companies when designing and implementing policies on FRT. On the other hand, however, a broader representation of stakeholders in policymaking is essential to avoid regulatory capture. In addition, more effort should be made to empower the public to participate in discussion and deliberation of key policy issues related to applications of FRT not only for commercial purposes but also for public uses. Disclosure of potential risks should be mandatory for face data processors, and corresponding platforms (through social media accounts, websites, or phone hotlines) for collecting feedbacks and user opinions should be widely accessible.

Conclusion
While recent policy changes regarding big data technologies are welcomed by those concerned with the negative impacts of such technologies, they are far from sufficient to safeguard privacy and data security. China's approach to FRT has emphasized the promotion of FRT applications rather than curbing their development. With its parallel system of soft standards and hard laws on the protection of personal information, China has been seeking a balance between the regulation and development of FRT.
Recent regulatory efforts in China broadly aligns with the global trends. Since the "Stop Secret Surveillance Ordinance" was enacted in San Francisco in 2019, a number of US cities have also banned the use of FRT in government departments (Lin et al., 2022). The European Union has started planning for a ban on the use of remote biometric systems such as FRT by law enforcement agencies. In April 2021, the EU introduced the Artificial Intelligence Act, which bans four types of artificial intelligence (AI) applications judged to have unacceptable risks.
However, it should not be assumed that approaches that rely heavily on regulation will be effective given the disruptive nature of such technologies. Regulations could also have a range of unintended consequences that slow the pace of technological development and advancement, such as for FRT (Tait, Banda, and Watkins 2017). Adaptive governance can provide an important framework for resolving these issues as China leads in the development and deployment of FRT. The case of FRT in China offers several important implications for policy design in terms of adaptive governance for disruptive technologies. A regulatory sandbox can be established to avoid the pitfalls of strict regulations, and policy instruments beyond regulations can be employed, especially given the uncertainties involved in the development and use of disruptive technologies. It is also important for the government to strengthen its knowledge and expertise by engaging with the private sector and research institutes to design and implement policy responses to the challenges posed by disruptive technologies.

Disclosure statement
No potential conflict of interest was reported by the author(s).