Guo Yulan et al.: Practical Guidelines for Facial Recognition Filing

2025-09-02 17:15

In March 2025, China’s Cyberspace Administration (the “CAC”) and Ministry of Public Security jointly issued the Measures for the Security Management of the Application of Facial Recognition Technology (the “Measures”), which require personal information (“PI”) handlers to file within 30 working days once the amount of stored facial data reaches 100,000 individuals. In May 2025, the CAC followed up with the Announcement on the Filing for the Application of Facial Recognition Technology (the “Announcement”), which sets out further details on the scope, timeline, and procedures for filing.

Having assisted multiple companies with their initial filings and reviewed related regulatory feedback, we summarize below the key practical points for reference.

01 Who Needs to File

The filing applies to PI handlers that use facial recognition technology and store the facial data of 100,000 or more individuals.

Key considerations for this issue include:

(1) According to the Measures, the entities required to file should be the PI handlers (similar to “controllers” under the GDPR). It remains uncertain, based on current filing practices, whether enterprises that are merely entrusted to process the facial information of 100,000 individuals are also required to file.

(2) Scope of individuals: The headcount should include all applicable scenarios, aggregated across use cases, and calculated on a de-duplicated basis.

(3) Group-wide filing: A parent company may file on behalf of the entire group.

(4) Consolidated filing: Affiliated entities (e.g., subsidiaries, branches, office areas, chain stores, and third-party service providers) with the same processing purposes, necessities, methods, and scope may submit a joint filing.

02 Filing Scenarios

All use cases involving facial recognition technology shall be included—for example, identity verification via facial recognition in apps; face-based payment systems; and employees clocking in using facial recognition.

Whether scenarios that do not involve facial recognition processing, such as taking employee ID photos for badges, are subject to filing still remains to be clarified in practice.

03 Filing Requirements

The filing process mainly covers basic company information, details of the facial recognition technology and systems in use, and information on how the technology is applied.

Many of the required disclosures—such as the purpose of processing, types of data processed, security measures, and operating procedures—will appear across different documents (e.g., a filing form, a PI protection impact assessment report, consent letters, and so on). It’s essential that descriptions on the same issue are consistent across all materials, as this is often a point of regulatory scrutiny.

04 How to File

Filing is completed online through the CAC’s PI Protection Business System at

Please note that this platform is also used for filing PI protection officers, but it is separate from the systems used for algorithm filing and cross-border data transfer filings. Companies should take care not to confuse the platforms.

05 Notes on PI Protection Impact Assessments (PIA)

Facial data is classified as sensitive PI under the PRC Personal Information Protection Law (the “PIPL”). Processing such data requires separate consent from the individuals involved and a prior PIA.

When conducting a PIA, companies should review their overall data processing activities and identify whether they fall into any special categories, such as critical information infrastructure operators, important data handlers, or entities processing PI of over 1 million or 10 million individuals. For example, PI handlers that process PI of more than 1 million people need to appoint a PI protection officer (the “PIPO”) and file the appointment of the PIPO.

06 Use of Surveillance and Facial Recognition in Public Spaces

Under the Regulations on the Management of Public Security Video Image Information Systems (the “Regulations”) and the Provisions on the Supervision and Administration of Public Security Video Image Information Systems, image capture devices in public spaces may only be installed when necessary for public security—not for other purposes.

Where companies install only image capture devices, visible signage shall be posted where such devices are in use. If devices are installed in locations listed under Article 7 of the Regulations, filing with the local public security is also required. Furthermore, if the installed devices support and apply facial recognition technology, companies shall, in addition to the above obligations, complete the required facial recognition technology filing.

07 Tips for Filing Practice

Review of the submitted filing materials and regulator feedback highlights the following practical points:

(1) Quantitative Records – Maintain counts of facial data stored, the number of individuals concerned, and the number of facial feature vectors.

(2) System Mapping – Identify system access points, interconnections, data interfaces, and data center details; diagrams of system interconnections are recommended.

(3) Legal Basis Documentation – Prepare evidence demonstrating lawful processing, including proof of notice and separate consent (e.g., signed consent letters).

(4) Consistency Across Documents – Ensure that descriptions of the same matters are consistent across all submitted documents.

08 Key Takeaways

Companies engaging in facial recognition activities shall:

(1) Initiate immediate data mapping for all facial recognition activities.

(2) File promptly once stored records involve ≥100,000 individuals.

(3) If an entity is entrusted to process facial recognition information of more than 100,000 individuals and the PI handler has difficulties in completing the filing, it is recommended to consult the local cyberspace administration to confirm whether the entrusted entity may submit the filing instead.

(4) Even below the threshold of 100,000 individuals, take action to comply with the Measures. Such actions may include:

Preparing a privacy notice for facial recognition activities

Obtaining separate consent

Taking technical security measures (including encryption, audits, access control, and intrusion detection and prevention)

Fulfilling multi-level protection obligations

Conducting PI protection impact assessments

Other actions required by applicable laws and regulations

For further information on filing procedures, documentation, or impact assessments, feel free to contact us.

Authors

By Amanda Guo, Fiona Guo, Pengcheng Sun, and Calvin Chiu

Source: 大成律动