Dacheng Research

Practical Guidelines for Facial Recognition Filing in China

Release date: 2025-09-01

Author: 郭玉兰 郭雪菲


In March 2025, China’s Cyberspace Administration (the “CAC”) and Ministry of Public Security jointly issued the Measures for the Security Management of the Application of Facial Recognition Technology (the “Measures”), which require personal information (“PI”) handlers to file within 30 working days once they store the facial data of 100,000 individuals. In May 2025, the CAC followed up with the Announcement on the Filing for the Application of Facial Recognition Technology (the “Announcement”), which sets out further details on the scope, timeline, and procedures for filing.


Having assisted multiple companies with their initial filings and reviewed related regulatory feedback, we summarize below the key practical points for reference.

 


1. Who Needs to File


The filing applies to PI handlers that use facial recognition technology and store the facial data of 100,000 or more individuals.


Key considerations for this issue include:


(1) According to the Measures, the entities required to file should be the PI handlers (similar to “controllers” under the GDPR). It remains uncertain, based on current filing practices, whether enterprises that are merely entrusted to process the facial information of 100,000 individuals are also required to file.


(2) Scope of individuals: The headcount should include all applicable scenarios, aggregated across use cases, and calculated on a de-duplicated basis.


(3) Group-wide filing: A parent company may file on behalf of the entire group.


(4) Consolidated filing: Affiliated entities (e.g., subsidiaries, branches, office areas, chain stores, and third-party service providers) with the same processing purposes, necessities, methods, and scope may submit a joint filing.

 


2. Filing Scenarios


All use cases involving facial recognition technology shall be included—for example, identity verification via facial recognition in apps; face-based payment systems; and employees clocking in using facial recognition.


Whether scenarios that do not involve facial recognition processing, such as taking employee ID photos for badges, are subject to filing still remains to be clarified in practice.

 


3. Filing Requirements


The filing process mainly covers basic company information, details of the facial recognition technology and systems in use, and information on how the technology is applied.


Many of the required disclosures—such as the purpose of processing, types of data processed, security measures, and operating procedures—will appear across different documents (e.g., a filing form, a PI protection impact assessment report, consent letters, and so on). It is essential that descriptions of the same issue are consistent across all materials, as this is often a point of regulatory scrutiny.

 


4. How to File


Filing is completed online through the CAC’s PI Protection Business System at https://grxxbh.cacdtsc.cn. Please note that this platform is also used for filing PI protection officers, but it is separate from the systems used for algorithm filing and cross-border data transfer filings. Companies should take care not to confuse the platforms.

 


5. Notes on PI Protection Impact Assessments (PIA)


Facial data is classified as sensitive PI under the PRC Personal Information Protection Law (the “PIPL”). Processing such data requires separate consent from the individuals involved and a prior PIA.


When conducting a PIA, companies should review their overall data processing activities and identify whether they fall into any special categories, such as critical information infrastructure operators, important data handlers, or entities processing PI of over 1 million or 10 million individuals. For example, PI handlers that process PI of more than 1 million people need to appoint a PI protection officer (the “PIPO”) and conduct filing for the appointment of a PIPO.

 


6. Use of Surveillance and Facial Recognition in Public Spaces


Under the Regulations on the Management of Public Security Video Image Information Systems (the “Regulations”) and the Provisions on the Supervision and Administration of Public Security Video Image Information Systems, image capture devices in public spaces may only be installed when necessary for public security—not for other purposes. 


Where companies install only image capture devices, visible signage shall be posted where such devices are in use. If devices are installed in locations listed under Article 7 of the Regulations, filing with the local public security authority is also required. Furthermore, if the installed devices support and apply facial recognition technology, companies shall, in addition to the above obligations, complete the required facial recognition technology filing.

 


7. Tips for Filing Practice


Review of the submitted filing materials and regulator feedback highlights the following practical points:


(1) Quantitative Records – Maintain counts of facial data stored, the number of individuals concerned, and the number of facial feature vectors.


(2) System Mapping – Identify system access points, interconnections, data interfaces, and data center details; diagrams of system interconnections are recommended.


(3) Legal Basis Documentation – Prepare evidence demonstrating lawful processing, including proof of notice and separate consent (e.g., signed consent letters).


(4) Consistency Across Documents – Ensure that descriptions of the same matters are consistent across all submitted documents.

 


8. Key Takeaways


Companies engaging in facial recognition activities shall:


(1) Initiate immediate data mapping for all facial recognition activities.


(2) File promptly once stored records involve ≥100,000 individuals.


(3) If an entity is entrusted to process facial recognition information of more than 100,000 individuals and the PI handler has difficulties in completing the filing, it is recommended to consult the local cyberspace administration to confirm whether the entrusted entity may submit the filing instead.


(4) Even below the threshold of 100,000 individuals, take actions to comply with the Measures. Such actions may include:

- Preparing a privacy notice for facial recognition activities
- Obtaining separate consent
- Taking technical security measures (including encryption, audits, access control, and intrusion detection and prevention)
- Fulfilling multi-level protection obligations
- Conducting PI protection impact assessments
- Other actions required by applicable laws and regulations


For further information on filing procedures, documentation, or impact assessments, feel free to contact us.

 

 

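Special statement: This article represents only the personal views of the authors and does not constitute any form of legal opinion or advice issued by Dacheng Law Offices or its lawyers. To reprint or quote any content of this article, please contact us; reprinting or use without consent is not permitted. The source must be indicated when reprinting or quoting.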

Related Lawyers


Guo Yulan Partner

Compliance and Risk Management

Employment and Labor

Cross-Border Investment and Trade

IP and Technology Innovation

Tel : +86 21 3872 2106

E-mail : amanda.guo@dentons.cn