China: New rules issued to further regulate application of face recognition technology in China

22 Apr 2025    9 minute read
Cybersecurity & Data Privacy DT Featured Content

In brief

On 21 March 2025, the Cyberspace Administration of China (CAC) and the Ministry of Public Security (MPS) jointly issued the Measures for the Administration of the Security of the Application of Face Recognition Technology ("FR Measures"), which will take effect from 1 June 2025.

After almost two years since CAC issued the first draft of the FR Measures in August 2023 for solicitation of public comments, CAC adopted a few notable changes in the FR Measures that are aimed to (a) avoid excessive regulatory restraints on face information processing activities and the application of face recognition (FR) technology and (b) achieve a balance between face information security protection and relevant technological innovation and application.1

Contents

It is noteworthy that before the issuance of the FR Measures, there were already pre-existing laws, regulations and rules that deal with face information protection, mainly including:

  • The Civil Code of the PRC
  • The Personal Information Protection Law of the PRC (PIPL)
  • The Regulations on the Administration of the Security of Network Data
  • Some recommended national standards, including:
    • The Information Security Technology – Security Requirements Of Face Recognition Data (GB/T 41819-2022)
    • The Information Technology – Biometrics – Face Recognition System Application Requirements (GB/T 44248-2024)
  • The Provisions of the Supreme People's Court on Several Issues concerning the Application of Law in the Trial of Civil Cases involving the Processing of Personal Information Using Facial Recognition Technology ("SPC Provisions")

On top of the above laws, regulations and rules, the FR Measures have introduced more detailed requirements for face information processing and FR technology application. We set out below a few highlights of the FR Measures.

What is face information?

The FR Measures define "face information" as biometric information on facial features, whether recorded in electronic or other formats, related to an identified or identifiable natural person, excluding anonymized information. Face information is a type of sensitive personal information2 (more specifically personal biometric information), as defined and protected under the PIPL and relevant national standards and technical documents, and accordingly all the requirements for processing of sensitive personal information should generally apply to processing of face information.

What types of activities are regulated?

The FR Measures apply to the processing of face information by using face recognition (FR) technology within China. FR technology is expressly defined in the FR Measures as the individual biometric recognition technology that uses face information to identify individual identity. The FR Measures typically apply to the following two categories of use cases:

  1. Verification of personal identity (1:1 matching between the collected face information and the specific face information stored in the system), and a typical example of use case is a visitor entrance system using FR technology
  2. Identification of specific individual (1:N matching between the collected face information against the face information stored in the system within a specific scope), and a typical example of use case is a CCTV used for criminal detection where collected face information is compared against the fugitive database maintained by MPS or its local counterparts.

The FR Measures do not apply to the use of FR technology to process face information for the purposes of (i) engaging in FR technology research and development or (ii) algorithm training activities. As that the FR Measures overlap with the relevant general requirements under the PIPL and other applicable data protection laws to a large extent, it is unclear whether the aforesaid exempted activities involving use of FR technology should still be subject to those relevant general requirements, but we tend to believe that those relevant general requirements should still be complied with.

Notification and separate consent requirements on the processing of face information

Since face information is one of the types of sensitive personal information, the FR Measures basically reiterate the relevant notification and separate consent requirements on the processing of sensitive personal information under the PIPL as follows:

  • Notification: Before use of FR technology to process face information, a personal information processor (PIP, i.e., data controller) should truthfully, accurately and completely inform individuals of the following information in an easily noticeable way, in clear and easily comprehensible language: (i) the name and contact details of the PIP; (ii) the purposes and means of processing of face information; (iii) the period for which face information will be stored; (iv) the necessity of processing face information and the impacts of processing on the rights and interests of individuals; (v) the methods and procedures for individuals' exercise of their rights; and (vi) other information required by laws and administrative regulations.
  • Separate consent: Where a PIP processes face information based on individuals' consent, it should obtain individuals' (voluntary and explicit) separate consent on the premise that such individuals are sufficiently informed of the PIP's processing of face information, and such consent must be in writing where laws and administrative regulations so provide. Where individuals are minors below the age of 14, consent from their legal guardians is required. Individuals are entitled to withdraw their consent (and the PIP must allow so), but the withdrawal does not have retrospective effect.

According to the Information Security Technology – Security Requirements of Face Recognition Data (GB/T 41819-2022), "separate consent" means individuals' active cooperation (e.g., by looking directly at a FR device and making eye contact, specific gesture or expression, passing through a dedicated collection passageway labelled with a reminder of the FR application (in a form of text, icon, symbol or others), etc.), while individuals' mere entrance into an image collection area may not be deemed as implying their "separate consent" to collection of their face information.

Specific requirements on face information processing with FR technology

  1. Further to the general requirements for conducting a personal information protection impact assessment (PIPIA) for processing of sensitive personal information under the PIPL, the FR Measures stipulate more detailed elements that are essential for a PIPIA concerning face information processing with FR technology:
    1. Whether the purposes and means of processing of face information are legal, legitimate and necessary
    2. The impacts of processing on the rights and interests of individuals and the effectiveness of measures to minimize the adverse impact
    3. The risks of leakage, tampering, loss, damage or illegal access, sale or use of face information and the potential harm that may be caused thereby
    4. Whether the protective measures taken are legal, effective and commensurate with the level of risks identified.
  2. Processing face information by use of FR technology must be conducted for lawful and specific purposes and has sufficient necessity. Generally speaking, the processing purposes can be deemed as "specific" if they are clear, and relevant to specific business needs, and the necessity can be deemed as "sufficient" if the use of FR technology has practical values, such as enhanced security or convenience of products or services provision to individuals.
  3. FR technology shall not be adopted as the only method of personal identity verification, if there are alternative (non-FR) methods that can realize the same purposes or achieve the same level of business needs. This requirement is less strict than the proposed requirement in the draft version, which required priority to be given to those non-FR methods under the same conditions. In the past few years, there have been judicial cases in China where the courts generally held that property managers' or service providers' use of FR technology as the sole method for property owners' entrance to their residential compounds constituted an infringement upon their rights and interests. This position was also recognized in the SPC Provisions. The same position is reiterated in the FR Measures, except that the requirement has now been extended to all face information processing activities in China with FR technology (other than the exempted activities as mentioned above), not only those relating to property management.
  4. A PIP shall not induce, defraud, or coerce individuals to accept FR technology to verify personal identity (for the reasons of business handling and service quality improvement, etc.). For example, it could be breach of this requirement if a PIP refuses to provide services to an individual because the individual refuses to provide his/her separate consent, where the face information processing with FR technology is unnecessary for the PIP's service provision.
  5. Face information should generally be stored within the FR device (i.e., the terminal device using FR technology to identify personal identify) and not be transmitted through the Internet, unless (i) otherwise provided in laws and administrative regulations or (ii) individuals' separate consent has been obtained.
  6. For protection of face information, security measures such as data encryption, security audit, access control, authorization management, intrusion detection and defense should be taken to enhance the security capabilities of the FR technology application system. Additional security obligations in relation to Multi-Level Cybersecurity Protection Scheme (MLPS) or Critical Information Infrastructure Operators (CIIOs) should be complied with, if applicable. In this regard, the recommended national standards (with no mandatory effect), the Information Technology – Biometrics – Face Recognition System Application Requirements (GB/T 44248-2024), states that where FR technology services are provided to the public, the relevant FR technology system should at least be identified as a MLPS level 3 system (which is subject to relatively high security standards). This general standard follows the initial proposal in the draft version in 2023, but has been removed from the final text of the FR Measures.

Installing FR devices in public places

The FR Measures provide that the installation of any FR device in public places shall be necessary to protect public security, the face information collection area should be reasonably determined in accordance with the law, and the public shall be warned by means of conspicuous signs. This echoes Article 26 of the PIPL and Articles 9 and 13 of the Regulations on the Administration of Public Security Video Image Information Systems issued by the State Council (effective from April 1, 2025). Furthermore, according to the PIPL, individuals' separate consent is not required if the collected face information is only used for the purpose of maintaining public security and not for any other purposes.

We wish to clarify that (a) normal video cameras that do not capture and process personal biometric information are not FR devices and thus not subject to the FR Measures, and (b) arguably, a company's office areas that are not generally accessible to the public should not be deemed as "public places" and thus not subject to the restrictions mentioned in the preceding paragraph. However, if a company installs a FR device or a normal video camera in its office areas for various reasons, it still needs to comply with the applicable obligations.

Filing requirements on the processing of face information

The FR Measures require a PIP to complete a filing with the relevant provincial counterpart of CAC within 30 working days once the number of individuals whose face information is stored by the PIP reaches 100,000. Statements on the PIP's face information processing details, rules, procedures and the PIPIA report should all be submitted. Should there be any substantial change to the filed information or a termination of FR technology application, a corresponding filing should be made within 30 working days. It is worth noting that the current threshold of 100,000 is higher than the threshold of 10,000 originally proposed in the draft of the FR Measures. It is likely that CAC will issue detailed guidelines for such filing on or around the effective date of the FR Measures.

1 See CAC's statement on the press release for the FR Measures at https://www.cac.gov.cn/2025-03/21/c_1744259774719484.htm.

2 Ibid.

* * * * *

LOGO BM-FenXun bold-RGB (003)

© 2025 Baker & McKenzie FenXun (FTZ) Joint Operation Office. All rights reserved. Baker & McKenzie FenXun (FTZ) Joint Operation Office is a joint operation between Baker & McKenzie LLP, and FenXun Partners, approved by the Shanghai Justice Bureau. In accordance with the common terminology used in professional service organisations, reference to a "partner" means a person who is a partner, or equivalent, in such a law firm.  This may qualify as "Attorney Advertising" requiring notice in some jurisdictions.  Prior results do not guarantee a similar outcome.

Contact Information
Zhenyu Ruan
Partner
FenXun Shanghai
Read my Bio
zhenyu.ruan@bakermckenziefenxun.com
Chris Jiang
Counsel
FenXun Shanghai
chris.jiang@bakermckenziefenxun.com
Xi Chen
Associate
FenXun Shanghai
xi.chen@bakermckenziefenxun.com
Michael Wang
Associate
FenXun Shanghai
michael.wang@bakermckenziefenxun.com

Copyright © 2025 Baker & McKenzie. All rights reserved. Ownership: This documentation and content (Content) is a proprietary resource owned exclusively by Baker McKenzie (meaning Baker & McKenzie International and its member firms). The Content is protected under international copyright conventions. Use of this Content does not of itself create a contractual relationship, nor any attorney/client relationship, between Baker McKenzie and any person. Non-reliance and exclusion: All Content is for informational purposes only and may not reflect the most current legal and regulatory developments. All summaries of the laws, regulations and practice are subject to change. The Content is not offered as legal or professional advice for any specific matter. It is not intended to be a substitute for reference to (and compliance with) the detailed provisions of applicable laws, rules, regulations or forms. Legal advice should always be sought before taking any action or refraining from taking any action based on any Content. Baker McKenzie and the editors and the contributing authors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The Content may contain links to external websites and external websites may link to the Content. Baker McKenzie is not responsible for the content or operation of any such external sites and disclaims all liability, howsoever occurring, in respect of the content or operation of any such external websites. Attorney Advertising: This Content may qualify as “Attorney Advertising” requiring notice in some jurisdictions. To the extent that this Content may qualify as Attorney Advertising, PRIOR RESULTS DO NOT GUARANTEE A SIMILAR OUTCOME. Reproduction: Reproduction of reasonable portions of the Content is permitted provided that (i) such reproductions are made available free of charge and for non-commercial purposes, (ii) such reproductions are properly attributed to Baker McKenzie, (iii) the portion of the Content being reproduced is not altered or made available in a manner that modifies the Content or presents the Content being reproduced in a false light and (iv) notice is made to the disclaimers included on the Content. The permission to re-copy does not allow for incorporation of any substantial portion of the Content in any work or publication, whether in hard copy, electronic or any other form or for commercial purposes.