On March 21, 2025, the Cyberspace Administration of China and the Ministry of Public Security jointly released the Security Management Measures for the Application of Facial Recognition Technology (the “Measures”), which will become effective on June 1, 2025. Below is a summary of the scope and certain of the key requirements of the Measures.

Scope of Application of the Measures

The Measures apply to activities using facial recognition technology to process facial information to identify an individual in China. However, the Measures do not apply to activities using facial recognition technology for research or algorithm training purposes in China.

Facial information refers to biometric information of facial features recorded electronically or by other means, relating to an identified or identifiable natural person, excluding information that has been anonymized.

Facial recognition technology refers to individual biometric recognition technology that uses facial information to identify an individual’s identity.

Specific Processing Requirements for Facial Recognition Technology

The Measures include specific processing requirements which must be complied with when activities are in scope of the Measures. These include:

• Storage: The facial information should be stored in the facial recognition device and prohibited from external transmission through the Internet, unless the data handler obtains separate consent from the data subject or is otherwise permitted by applicable laws and regulations.
• Privacy Impact Assessment (“PIA”): The data handler should conduct a PIA before processing the data.
• Public Places: Facial recognition devices can be installed in public places, subject to the data handler establishing the necessity for maintenance of public security. The data handler shall reasonably determine the facial information collection area and display prominent warning signs.
• Restriction: The data handler should not use facial recognition as the only verification method if there is any other technology that may accomplish the same purpose or meet the equivalent business requirements.
• Filing Requirement: If the data handler processes facial information of more than 100,000 individuals through facial recognition technology, it should conduct a filing with the competent Cyberspace authority at the provincial level or higher within 30 business days upon reaching that threshold. The filing documents should include, amongst other things, basic information of the data handler, the purpose and method of processing facial information, the security protection measures taken, and a copy of the PIA. In cases of any substantial changes of the filed information, the filing shall be amended within 30 business days from the date of change. If the use of facial recognition technology is terminated, the data handler shall cancel the filing within 30 business days from the date of termination, and the facial information involved shall be processed in accordance with the law.