On 21 March 2025, the Cyberspace Administration of China and the Ministry of Public Security jointly announced the release of the Security Management Measures for the Application of Facial Recognition Technology (the “<span class="news-text_medium">Measures</span>”), which will take effect on 1 June 2025. Below is a summary of the scope and key requirements outlined in these Measures.
Scope of the Measures
The Measures apply to the use of facial recognition technology for processing facial data to identify individuals within China. However, they do not cover activities involving facial recognition technology used for research or algorithm development purposes. Facial information refers to biometric data related to an individual's facial features, which can be captured electronically or through other methods and pertains to an identified or identifiable person, excluding any anonymised data. Facial recognition technology refers to biometric systems that use facial data to identify a person.
Specific Processing Requirements for Facial Recognition Technology
The Measures set out specific requirements that must be followed when facial recognition technology is used. These include:
- <span class="news-text_medium">Storage:</span> Facial data must be stored within the facial recognition device and cannot be transmitted over the internet, unless explicit consent is obtained from the individual or allowed by applicable laws and regulations.
- <span class="news-text_medium">Privacy Impact Assessment (“PIA”):</span> Data handlers must conduct a PIA before processing facial data.
- <span class="news-text_medium">Public Spaces:</span> Facial recognition devices can be installed in public areas, but only if the data handler can demonstrate the necessity for maintaining public security. Additionally, the data handler must clearly define the area for facial data collection and prominently display warning signs.
- <span class="news-text_medium">Restriction:</span> Data handlers should not rely solely on facial recognition for verification if other technologies can achieve the same goal or meet the business requirements.
- <span class="news-text_medium">Filing Requirement:</span> If a data handler processes facial data of more than 100,000 individuals, they must file with the relevant Cyberspace authority at the provincial or higher level within 30 business days once that threshold is reached. The filing should include basic details about the data handler, the purpose and method of processing facial data, security measures and a copy of the PIA. If any substantial changes occur, the filing must be updated within 30 business days. If facial recognition use is discontinued, the filing must be cancelled within 30 business days and the facial data must be handled in accordance with the law.
