摘要:In March 2025, China’s Cyberspace Administration (the “CAC”) and Ministry of Public Security jointly issued the Measures for the S
In March 2025, China’s Cyberspace Administration (the “CAC”) and Ministry of Public Security jointly issued the Measures for the Security Management of the Application of Facial Recognition Technology (the “Measures”), which require personal information (“PI”) handlers to File within 30 working days once the amount of stored facial data reaches 100,000 individuals. In May 2025, the CAC followed up with the Announcement on the Filing for the Application of Facial Recognition Technology (the “Announcement”), which sets out further details on the scope, timeline, and procedures for filing.
Having assisted multiple companies with their initial filings and reviewed related regulatory feedback, we summarize below the key practical points for reference.
1.
Who Needs to File
The filing applies to PI handlers that use facial recognition technology and store the facial data of 100,000 or more individuals.
Key considerations for this issue include:
(1)According to the Measures, the entities required to file should be the PI handlers (similar to “controllers” under the GDPR). It remains uncertain, based on current filing practices, whether enterprises that are merely entrusted to process the facial information of 100,000 individuals are also required to file.
(2)Scope of individuals: The headcount should include all applicable scenarios, aggregated across use cases, and calculated on a de-duplicated basis.
(3)Group-wide filing: A parent company may file on behalf of the entire group.
(4)Consolidated filing: Affiliated entities (e.g., subsidiaries, branches, office areas, chain stores, and third-party service providers) with the same processing purposes, necessities, methods, and scope may submit a joint filing.
2.
Filing Scenarios
All use cases involving facial recognition technology shall be included—for example, identity verification via facial recognition in apps; face-based payment systems; and employees clocking in using facial recognition.
Whether scenarios that do not involve facial recognition processing, such as taking employee ID photos for badges, are subject to filing still remains to be clarified in practice.
3.
Filing Requirements
The Filing process mainly covers basic company information, details of the facial recognition technology and systems in use, and information on how the technology is applied.
Many of the required disclosures—such as the purpose of processing, types of data processed, security measures, and operating procedures—will appear across different documents (e.g., a filing form, a PI protection impact assessment report, consent letters, and so on). It’s essential that descriptions on the same issue are consistent across all materials, as this is often a point of regulatory scrutiny.
4.
How to File
Filing is completed online through the CAC’s PI Protection Business System at
Please note that this platform is also used for filing PI protection officers, but it is separate from the systems used for algorithm filing and cross-border data transfer filings. Companies should take care not to confuse the platforms.
5.
Notes on PI Protection Impact Assessments (PIA)
Facial data is classified as sensitive PI under the PRC Personal Information Protection Law (the “PIPL”). Processing such data requires a separate consent from individuals involved; and a prior PIA.
When conducting a PIA, companies should review their overall data processing activities and identify whether they fall into any special categories, such as critical Information Infrastructure Operators, important data handlers; or entities processing PI of over 1 million or 10 million individuals. For example, PI handlers that process PI of more than 1 million people need to appoint a PI protection officer (the “PIPO”) and conduct filing for the appointment of a PIPO.
6.
Use of Surveillance and Facial Recognition in Public Spaces
Under the Regulations on the Management of public security Video Image Information Systems (the “Regulations”) and the Provisions on the Supervision and Administration of Public Security Video Image Information Systems, image capture devices in public spaces may only be installed when necessary for public security—not for other purposes.
Where companies install only image capture devices, visible signage shall be posted where such devices are in use. If devices are installed in locations listed under Article 7 of the Regulations, filing with the local public security is also required. Furthermore, if the installed devices support and apply facial recognition technology, companies shall, in addition to the above obligations, complete the required facial recognition technology filing.
7.
Tips for Filing Practice
Review of the submitted filing materials and regulator feedback highlights the following practical points:
(1)Quantitative Records – Maintain counts of facial data stored, the number of individuals concerned, and the number of facial feature vectors.
(2)System Mapping – Identify system access points, interconnections, data interfaces, and data center details; diagrams of system interconnections are recommended.
(3)Legal Basis Documentation – Prepare evidence demonstrating lawful processing, including proof of notice and separate consent (e.g., signed consent letters).
(4)Consistency Across Documents – Ensure that descriptions of the same matters are consistent across all submitted documents.
8.
Key Takeaways
Companies engaging in facial recognition activities shall:
(1)Initiate immediate data mapping for all facial recognition activities.
(2)File promptly once stored records involve ≥100,000 individuals.
(3)If an entity is entrusted to process facial recognition information of more than 100,000 individuals and the PI handler has difficulties in completing the filing, it is recommended to consult the local cyberspace administration to confirm whether the entrusted entity may submit the filing instead.
(4)Even below the threshold of 100,000 individuals, take actions to comply with the Measures, such actions may include:
Preparing privacy notice for facial recognition activitiesObtaining separate consent
Taking technical security measures (including encryption, audits, access control, and intrusion detection and prevention)
Fulfilling multi-level protection obligations
Conducting PI protection impact assessments
Other actions required by appliable laws and regulations
For further information on filing procedures, documentation, or impact assessments, feel free to contact us.
律师简介
郭玉兰
大成上海合伙人
amanda.guo@dentons.cn
郭玉兰律师是北京大成(上海)律师事务所的合伙人,现任大成上海跨境投资与贸易专业组副秘书长、大成中国 “一带一路 ”建设研究中心理事。凭借深厚的专业知识和超过20年的实务经验,郭律师擅长处理复杂的跨境投融资、并购、数据和供应链合规等法律事宜。郭律师本人及参与的项目多次荣登权威法律榜单,包括《国际金融法律评论1000》(IFLR 1000)、GRCD、《法律500强》(The Legal 500)、《亚洲法律杂志》(ALB)、《商法杂志》(Business Law Journal)等。
郭雪菲
大成上海律师
xuefei.guo@dentons.cn
大成杭州律师
pengcheng.sun@dentons.cn
赵中星
大成北京合伙人
zhongxing.zhao@dentons.cn
特别声明:
来源:大成上海4