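The Cyberspace Administration of China and the Ministry of Public Security recently jointly promulgated the Measures for the Security Management of the Application of Facial Recognition Technology (hereinafter the "Measures"), which take effect on June 1, 2025.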
The relevant person in charge of the Cyberspace Administration of China said that the application of facial recognition technology is closely related to the security of facial information and has received great attention from all parties in society. In order to regulate the use of facial recognition technology to process facial information and to protect personal information rights and interests, the Cyberspace Administration of China and the Ministry of Public Security jointly issued the Measures, which stipulate the basic requirements and processing rules for the application of facial recognition technology to process facial information, security specifications for the application of facial recognition technology, and supervision and management responsibilities.
The Measures clarify the basic requirements for the application of facial recognition technology to process facial information. Activities that use facial recognition technology to handle facial information shall comply with laws and regulations, respect social mores and ethics, abide by commercial ethics and professional ethics, be honest and trustworthy, perform personal information protection obligations, bear social responsibility, and must not endanger national security, harm the public interest, or infringe upon individuals' lawful rights and interests.
The Measures clarify the processing rules for the application of facial recognition technology to process facial information. First, processing shall have a specific purpose and sufficient necessity, adopt the method that has the least impact on individuals' rights and interests, and implement strict protection measures. Second, the obligation to inform shall be fulfilled. Third, where the processing of facial information is based on the individual's consent, the individual's separate consent shall be obtained voluntarily and explicitly on the premise of full knowledge. Where the processing of facial information of minors under the age of 14 is based on the individual's consent, the consent of the minor's parents or other guardians shall be obtained. Fourth, except as otherwise provided by laws and administrative regulations or with the individual's separate consent, facial information shall be stored in facial recognition devices and must not be transmitted externally through the Internet. Except as otherwise provided by laws and administrative regulations, the retention period for facial information must not exceed the minimum time necessary to achieve the purpose of processing. Fifth, a personal information protection impact assessment shall be conducted in advance, and the processing shall be recorded.
The Measures clarify the security specifications for the application of facial recognition technology. First, where other, non-facial-recognition methods can achieve the same purpose or meet the same business requirements, facial recognition technology must not be used as the only verification method. Where the state has other provisions, those provisions apply. Second, where facial recognition technology is used to verify personal identities and identify specific individuals, the use of channels such as the National Basic Population Information Database and the National Network Identity Authentication Public Service is encouraged as a priority. Third, no organization or individual may mislead, defraud, or coerce individuals into accepting identity verification by facial recognition technology on the grounds of handling business or improving service quality. Fourth, facial recognition equipment installed in public places shall be necessary for preserving public safety; the area in which facial information is collected shall be reasonably determined in accordance with law, and conspicuous reminder signs shall be set up. Facial recognition devices must not be installed inside private spaces within public places, such as hotel guest rooms, public baths, public locker rooms, and public restrooms. Fifth, facial recognition technology application systems shall employ measures such as data encryption, security auditing, access control, authorization management, and intrusion detection and defense to protect the security of facial information.
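The Measures clarify supervision and management responsibilities. Personal information handlers shall complete filing procedures with the cyberspace department at or above the provincial level where they are located within 30 working days of the date on which the number of individuals whose facial information they store through the application of facial recognition technology reaches 100,000. Cyberspace departments, together with public security organs and other departments that perform personal information protection duties, shall establish and improve working mechanisms for information sharing and notification, and carry out related work in coordination.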
At the same time, the Measures also stipulate the legal liability for violating the provisions of the Measures and the meaning of relevant terms.