China introduces new rules for facial recognition to protect privacy and public safety

These new rules are grounded in China’s broader legal framework for data protection and cybersecurity and aim to limit the risks of overuse or abuse of facial recognition. Authorities will supervise compliance, and violations could result in legal penalties or even criminal charges.

On 1 June 2025, China’s new regulation on the safe use of facial recognition technology officially entered into force. Issued by the Cyberspace Administration of China and the Ministry of Public Security, the regulation sets out strict requirements for how companies and organisations can use facial recognition technology when processing people’s facial information within the country.

The regulation does not apply to the use of facial recognition for research or algorithm development, but it covers all other uses, especially in business or public services. Its main goal is to strengthen personal data protection, improve transparency, and reduce risks associated with the misuse of facial data.

Organisations must now obtain clear and informed consent before collecting or using facial information. They are also required to explain why the data is needed, how it will be used, how long it will be stored, and what rights individuals have in the process. People must be able to easily withdraw their consent at any time. Special protections are required when handling data of children under 14, including getting permission from a parent or guardian.

One of the key provisions of the regulation is that facial recognition cannot be the only way to verify someone’s identity if other options are available. Individuals must be offered alternative methods if they do not want to use facial recognition.

The use of facial recognition in public spaces is tightly restricted. It is allowed only when necessary for public safety, and equipment must not be installed in private areas such as hotel rooms, bathrooms, or changing rooms. Signs must clearly indicate where facial recognition is in use.

Companies using the technology are required to conduct privacy impact assessments, keep detailed records for at least three years, and implement strong cybersecurity measures like encryption and access control. Once an organisation stores more than 100,000 facial data records, it must register with the relevant government authorities and submit documentation showing how it handles and protects the data.
