China Issues New Regulations on Facial Recognition Technologies
Published 1 April 2025
Fei Dang
On March 13, 2025, the Cyberspace Administration of China (CAC) and the Ministry of the Public Safety co-issued the Regulations on Security Management of the Application of Facial Recognition Technology (the Regulations), which will become effective on June 1, 2025.
The Regulations contain 20 articles and apply to the application of facial recognition technologies within China, but not to activities that apply facial recognition technology to process face information for facial recognition technology research and development or algorithm training.
The Regulations provide that the personal information processor, which is defined as “organizations and individuals who independently decide on the purpose and manner of processing in the course of personal information processing activities,” shall notify the individual of the following matters in a conspicuous manner and in clear and understandable language that is truthful, accurate, and complete: (1) The name or name and contact information of the personal information processor; (2) Purpose of processing face information, processing methods, and the retention period of the processed face information; (3) The necessity of processing the face information and the impact on the rights and interests of the individual; (4) The manner and procedure for individuals to exercise their rights in accordance with the law; (5) Other matters that shall be notified as stipulated by laws and administrative regulations. Any changes to the matters above shall also be notified to the said individual.
It is worth noting that the Regulations require compliance with the national regulations on barrier-free environment construction when processing the facial information of disabled and elderly people, and set special rules on storage, use, transfer, disclosure, and so on for processing the facial information of minors no more than 14 years old. Further, consent shall also be obtained from the parents or other guardians of such minors when dealing with their facial information.
The Regulations require facial information to be stored in the facial recognition equipment and forbid its transfer via the internet, unless otherwise provided by laws and regulations or the individual has given consent. The storage of such facial information shall not exceed the minimum time necessary to achieve the purpose of the processing.
The Regulations also specify that the personal information processor shall conduct and record a prior personal information protection impact evaluation, which shall include the following content: (1) Whether the purpose of processing facial information and the way of processing are lawful, legitimate, and necessary; (2) The impact on the rights and interests of individuals and whether the measures to reduce the adverse impact are effective; (3) The risk of leakage, tampering, loss, destruction, or illegal access, sale, or use of facial information, and the harm that may be caused; (4) Whether the protection measures taken are legal, effective, and appropriate to the degree of risk. Such evaluations and records are required to be kept for at least three years. In case of a change to the purpose or manner of handling the facial information, or a major security incident, the evaluation shall be re-conducted.
Where the quantity of facial information stored by a facial recognition technology application exceeds 100,000, the personal information processor shall make a record at the cyberspace administration at or above the provincial level where it is located within 30 working days of the day it reaches the said figure, with the following materials: (1) Basic information about the processor of personal information; (2) Purpose of face information processing and processing methods; (3) The quantity of face information stored and security protection measures; (4) Rules and operating procedures for processing face information; (5) Personal information protection impact assessment report. Any significant change to the information above shall also be recorded within 30 days of the change.
In addition, the Regulations set out some provisions to prevent the abuse of facial recognition technologies, including but not limited to: facial recognition technologies shall not be used as the only authentication method if other, non-facial-recognition methods exist to achieve the same purpose or to meet the same business requirements; the use of channels such as the national population basic information database and the National Public Services for Online Identity Authentication, and so on, is encouraged when using facial recognition technologies to verify personal identities and identify specific individuals, in order to reduce the collection and storage of facial information and protect the security of the facial information; no facial recognition equipment is allowed to be installed inside private spaces in public places such as hotel rooms, public bathrooms, public locker rooms and public restrooms; facial recognition technology application systems should adopt data encryption, security audit, access control, authorization management, intrusion detection and defense, and other measures to protect the security of facial information.
The Regulations also provide that any organization or individual has the right to make a complaint or report to the department responsible for the protection of personal information about activities involving the illegal application of facial recognition technologies to process facial information. The departments that receive such complaints or reports shall handle them promptly in accordance with the laws and inform the complainant or reporter of the results.
[Comment]
It can be seen from above that the Regulations focus on regulating the application of the facial recognition technologies from the following aspects: 1) basic requirements of the application, such as compliance with laws and regulations, social public morals and ethics, etc.; 2) handling rules of the application, such as the obligations of the personal information processor to notify the individuals, evaluate the impact on the personal information protection, etc.; 3) safety rules of the application, such as requirements on the installation of the facial recognition equipment in public places, etc.; 4) supervision and management responsibilities and liabilities, such as recordal at the CAC department over the provincial level when the storage of the facial information exceeds 100,000, etc.
As facial recognition technologies develop, they have been applied not only to unlock our personal smartphones, but also in many public domains, such as verification in financial systems and access to public areas (e.g., shops, gyms, residential neighborhoods). While such extensive use of facial recognition technologies brings convenience to people’s daily lives, it also generates an urgent demand to regulate such applications to prevent abuse and infringement of privacy. In a word, the issuance of the Regulations is necessary and timely.