China published draft regulations for facial recognition technologies

China published draft regulations for facial recognition technologies

Photo by Harvey Dong

By Donnie Hao DONG & Wenqiang Huang

The Cyberspace Administration of China (CAC) released draft regulations governing the use of facial recognition technology (FRT) on August 8, 2023, seeking public comments. Usually, CAC’s draft regulations will be finalized and formally published in 6-12 months.

Below are key terms to be noticed by multinational companies.

General rules

–      By default (see exceptions below), FRT users must obtain individual data subjects’ consent (for minors, guardian’s consent is required)

–      Where non-biological recognition technologies are available, they should be prioritized; however, the draft did not expressly require non-biological recognition options

–      FRT users must complete a data protection impact assessment (PIA) before activating the technology; the PIA report shall be retained for at least 3 years; PIA shall be remade when the purposes or manners of using FRT are changed,

–      Where an FRT (i) is applied in public spaces, or (ii) may store more than 10,000 people’s facial information, the FRT user shall go through a registration process by submitting the PIA report and certain documents required by the CAC

Rules for FRTs in public spaces 

Where a FRT is used for public security purposes:

–      No consent is needed

–      FRT cameras shall be installed only when it is necessary for public security

–      If FR is used for purposes other than public security, data subjects’ separate consents are required

–      Data security must be ensured

–      Prominent notice must be placed where surveillance cameras are installed

–      No camera shall be installed inside dwellings, hotel rooms, fitting rooms, restrooms, or bathhouses, even for public security purposes


Where a FRT is used for purposes other than public security:

–      Data subjects’ informed consent is required

–      Coercion or misleading (of accepting FR) are expressly prohibited, however, no general requirement to service providers to offer alternative options

*          *          *          *          *

Author: Donnie Hao DONG is a partner of Hylands Law Firm heading its practice for the data and the internet industry. A Certified Information Privacy Manager (IAPP/CIPM), and an Adjunct Professor at the University of Hong Kong’s Academy of Senior Executives, Dr. Dong regularly advises MNCs, unicorns, and start-ups on cross-border intellectual property, data privacy, related investment, and contentious matters.