A court in China has upheld a ruling forcing a zoo operator to delete a visitor’s facial recognition data, in what has been described as a key judgement for data rights in the country.

The case arose from Hangzhou Safari Park replacing its fingerprint-based admission system in late 2019 with one that uses facial recognition, telling customers they would be refused entry if they did not use the new system. Guo Bing, an associate professor of law at the Zhejiang Sci-Tech University, concerned it might be used to steal his identity, asked for a refund. When the zoo refused, he sued for breach of contract.

Last November the Hangzhou Fuyang People’s Court awarded him RMB1,038 ($159, €133) compensation and ordered the zoo to delete his facial recognition data.

The court did not recognise the safari park’s behaviour as fraud nor did it order the zoo to refund Guo’s annual pass, prompting both to appeal.

After considering the appeals, the court announced it would uphold its original judgment and went further, also ordering the zoo to delete Guo’s fingerprint information.

He Yuan, executive director of Shanghai Jiao Tong University’s Data Law Research Centre, said the ruling is “hugely meaningful” as for the first time a court has ruled Chinese citizens can demand their data be deleted.

“[The court] let the principle of data minimisation go unnoticed, which in this case is to determine whether facial recognition is necessary for entering a zoo, and whether it has offered people the option to choose a less invasive verification method,” the South China Morning Post quoted He as saying.

He pointed out the original suit was over breach of contract, not data use.

On the wider issue of regulation, He said China still lacks an adequate legal framework for protection of personal information, adding courts have to consider how to strike a balance between protecting biometric data and the needs of economic development.

The government’s current five-year plan includes the proposed Personal Information Protection Law (PIPL) and the Data Security Law. PIPL is still under review after a draft version was issued last year.

Register to receive the latest data protection and privacy news and analysis straight to your inbox