Home ServicesLaw What Are China’s New Facial Recognition Regulations?
LawTechnology

What Are China’s New Facial Recognition Regulations?

by Elinor Greenhouse
0 comments
Facial recognition

China’s latest rules on facial recognition technology introduce mandatory registration for companies handling significant volumes of personal data, alongside a practical guide to compliance

In an era where facial recognition technology is increasingly embedded in daily life, from unlocking smartphones to streamlining payments, China has introduced robust regulations to ensure its responsible use. On March 21, 2025, the Cyberspace Administration of China (CAC) and the Ministry of Public Security (MPS) released the Security Management Measures for the Application of Facial Recognition Technology, effective from June 1, 2025. These measures, supplemented by a clarifying notice from the CAC on March 30, 2025, mandate registration for companies processing facial data of over 100,000 individuals and provide a clear framework for compliance. For British businesses operating in or entering the Chinese market, understanding and adhering to these rules is essential to safeguard operations and protect personal data.

launchpad gateway

The New Regulatory Landscape

China’s facial recognition regulations are part of a broader effort to strengthen data protection under the Personal Information Protection Law (PIPL), enacted in 2021. The Security Management Measures aim to balance innovation with the protection of individual privacy, addressing concerns about the misuse of sensitive biometric data. The rules apply to any organisation, domestic or foreign, processing facial recognition data in China, with a particular focus on those handling large datasets. According to the CAC, companies storing facial data of more than 100,000 individuals must register with their provincial-level cyberspace administration within 30 working days of reaching this threshold.

Recognising the compliance burden, the CAC introduced a grace period for companies that hit this threshold before June 1, 2025, allowing them until July 14, 2025, to complete registration. This transitional measure reflects China’s pragmatic approach to implementation, ensuring businesses have time to adapt without immediate disruption. Additionally, the CAC issued detailed ‘Instructions for Filling in the Facial Recognition Technology Application Filing System (First Edition)’, accessible via the Personal Information Protection Business System or the National Cyberspace Administration Government Affairs Hall on the CAC’s website. These guidelines outline the registration process, required documentation, and compliance expectations, making it easier for companies to navigate the system.

Read Also  Investing in cybersecurity is crucial for UK businesses in China – here's why

Why Compliance Matters

Facial recognition technology is widely used in China across sectors like retail, finance and security, but its rapid adoption has raised concerns about privacy and data security. China’s facial recognition market is projected to reach £7.2 billion by 2027, driven by applications in smart cities and public safety. However, high-profile cases, such as the 2021 fine imposed on a Hangzhou zoo for collecting facial data without consent, underscore the risks of non-compliance. The zoo was ordered to delete the data and issue a public apology, highlighting China’s growing emphasis on enforcement.

For British businesses, compliance is not just about avoiding penalties; it’s about building trust in a market where data protection is increasingly scrutinised. Robust cybersecurity measures, including compliance with data laws, are critical for protecting investments in China. Failure to register or properly handle facial data could result in fines, operational restrictions, or reputational damage, particularly for companies in sectors like technology, retail, or hospitality that rely on facial recognition for customer engagement.

How to Register: A Step-by-Step Guide

The registration process is designed to be straightforward, with all steps completed online via the Personal Information Protection Business System. Companies must first create an account on the platform before uploading the required documents, which include:

  • A Basic Information Form of Personal Information Processor, detailing the company’s operations and data processing activities.
  • A Facial Recognition Technology Application Record Form, outlining the scope and purpose of facial data use.
  • A Personal Information Protection Impact Assessment (PIPIA), assessing the legality, necessity, and risks of data processing.
  • Scanned copies of the Unified Social Credit Code Certificate, legal representative’s ID, agent’s ID, Power of Attorney, and Letter of Commitment, all stamped with the company’s official seal.

The CAC reviews submissions within 15 working days, updating the application status to “Filing Completed,” “Returned for Improvement,” or “Review Failed.” If supplementary materials are required, companies have 10 working days to provide them, or the process is terminated. The CBBC advises seeking professional support, such as from its Information Systems team, to ensure compliance with China’s data laws and to localise global systems effectively.

Read Also  Facial recognition software is used across China's retail sector but what about privacy laws?

Conducting a Personal Information Protection Impact Assessment (PIPIA)

A cornerstone of the new regulations is the requirement to conduct a PIPIA, as mandated by the PIPL. This assessment evaluates the legality, legitimacy, and necessity of facial data processing, alongside the potential impact on individual rights and the effectiveness of protective measures. The Filing Instructions provide a tailored template for facial recognition, requiring companies to disclose technical specifications, data collection and storage methods, standard operating procedures, and the ethical basis for data use. For example, companies must clarify whether facial data is used for automated decision-making, such as targeted advertising, and detail the infrastructure and technology providers involved.

The PIPIA process encourages transparency and accountability, aligning with international best practices. The PIPIA requirement has driven companies to adopt more robust data governance frameworks, enhancing trust among consumers and regulators alike.

Easing the Transition

The CAC’s notice reflects a pragmatic approach to regulation, balancing enforcement with flexibility. The grace period for pre-June 2025 data processors and the detailed Filing Instructions demonstrate China’s commitment to supporting businesses during this transition. For British companies, this is an opportunity to align with China’s evolving data protection regime while leveraging tools like the CBBC’s Business Guides, which offer insights into regulatory compliance and market navigation.

Launchpad membership 2

Avatar photo

Elinor Greenhouse is CBBC's sector lead for tech & innovation, healthcare & life sciences. For more information and to discuss your strategy in China’s knowledge economy contact Elinor at Elinor.Greenhouse@cbbc.org.

Related Articles

How to Protect Intellectual Property in...

Understanding China’s Anti-Foreign Sanctions Law

2024: A Stellar Year for Intellectual...

Exporting to China: Protecting your trademark

Lego wins major copyright infringement case...

2023 China IP overview: A UK-China...

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Accept Read More