What Biometric Laws Apply to Foreign Companies in China?
FAQ Contents
- How Does the PIPL Treat Biometric Data?
- What Does the Cybersecurity Law Require for Biometric Systems?
- How Does the Data Security Law Affect Biometric Data?
- What Is the 2024 Facial Recognition Regulation?
- Do Deep Synthesis (Deepfake) Rules Apply?
- What Cross-Border Transfer Rules Apply?
- Are There Sector-Specific Biometric Laws?
- What Local Regulations Apply in Shanghai, Shenzhen, and Beijing?
- What Is a PIPIA and When Is It Required?
- What 2025–2026 Legislative Changes Affect Biometrics?
- Which Enforcement Bodies Oversee Biometric Data?
- How Do the Laws Interact for Foreign-Invested Enterprises?
1. How Does the PIPL Treat Biometric Data?
The Personal Information Protection Law (PIPL), effective November 1, 2021, is China’s comprehensive data privacy law modeled on the EU’s GDPR. It is the primary legal framework governing biometric data for foreign companies in China.
Article 28 of the PIPL explicitly classifies biometric data as “sensitive personal information” — defined as information that, once leaked or illegally used, may lead to damage to personal dignity or harm to personal or property safety. This classification triggers heightened compliance obligations that go well beyond those for ordinary personal data.
Articles 29–32 impose specific requirements for processing sensitive personal information:
- Separate consent (Article 29): Biometric data processing requires independent, explicit consent — not bundled with general employment terms or general privacy policies.
- Specific purpose (Article 30): Companies must inform data subjects of the necessity of processing and the impact on their personal rights and interests.
- Limited purpose (Article 6): Biometric data may only be collected for purposes directly related to the company’s business operations and must not be processed beyond what is necessary.
- Strict necessity (Article 28): Biometric data may only be processed when there is a “specific purpose” and “sufficient necessity” — a standard higher than the general “minimum necessity” principle.
2. What Does the Cybersecurity Law Require for Biometric Systems?
The Cybersecurity Law (CSL), effective June 1, 2017, imposes requirements that directly affect how foreign companies deploy and operate biometric systems in China.
Multi-Level Protection Scheme (MLPS): Under the CSL, any biometric system connected to a corporate network — including fingerprint attendance terminals, facial recognition access control, and voice recognition systems — must be classified under the MLPS (also known as “dengbao” or “等保”). Biometric systems typically fall under Level 2 or Level 3 classification, depending on the number of data subjects and the system’s criticality.
- Level 2 (Guarded): Required for biometric systems processing biometric data of fewer than 100,000 individuals. Requires registration with local public security authorities and annual security assessments.
- Level 3 (Protected): Required for systems processing biometric data of 100,000+ individuals or systems connected to critical information infrastructure. Requires on-site inspection by a qualified MLPS assessment agency and biennial reassessments.
Network security obligations: The CSL also requires companies to implement network security measures including encrypted data transmission, access control systems, network monitoring, incident response plans, and data backup protocols for biometric databases.
3. How Does the Data Security Law Affect Biometric Data?
The Data Security Law (DSL), effective September 1, 2021, establishes a three-tier data classification system: general data, important data, and core data. While biometric data collected from individual employees is typically classified as “general data” (subject to PIPL obligations), aggregated biometric datasets — such as a company’s database of all employee fingerprints or facial templates — may qualify as “important data” under certain circumstances.
Important data obligations: If a foreign company’s biometric database is classified as important data, the following additional obligations apply:
- Annual data security assessment by a qualified third party
- Appointment of a data security officer
- Reporting of any data security incidents to regulators within 24 hours
- Cross-border transfer restrictions beyond those already imposed by the PIPL
Although the DSL does not automatically classify all biometric databases as important data, regulators have indicated that databases containing biometric data of 1 million or more individuals will face closer scrutiny under the DSL’s important data framework.
4. What Is the 2024 Facial Recognition Regulation?
The “Regulations on the Management of Facial Recognition Technology in Public Places” (effective August 1, 2024) was a landmark regulation specifically targeting facial recognition technology. While its primary focus is public spaces, it has significant implications for workplace use.
Key provisions:
- Prohibition on mandatory use: Companies cannot force employees or visitors to use facial recognition when alternative identity verification methods exist.
- Express consent requirement: Organizations deploying facial recognition systems must obtain express, written consent from every individual scanned.
- Prohibition on secret collection: Facial recognition systems must be clearly marked with visible signage, and individuals must be informed before entering areas under surveillance.
- Data retention limit: Facial data collected for verification purposes must be deleted immediately after identity verification is complete. Long-term storage is prohibited unless explicitly consented to.
- Security measures: Facial recognition systems must comply with national security standards (GB/T 41819-2022 and related standards).
5. Do Deep Synthesis (Deepfake) Rules Apply?
The “Provisions on the Administration of Deep Synthesis of Internet Information Services” (effective March 1, 2023, with amendments in 2025) regulate the use of AI to generate or alter biometric data. While less directly relevant to standard employment biometrics, these provisions apply when foreign companies use AI-powered biometric systems capable of:
- Generating synthetic voice or facial data from employee biometric samples
- Using deep learning for biometric matching (e.g., AI-enhanced facial recognition)
- Storing biometric data in a way that enables synthetic generation
The 2025 amendments expanded the definition of “deep synthesis” to include any AI-powered processing of biometric data that could generate or reconstruct identifiable biometric information. Foreign companies using advanced biometric systems should verify compliance with these provisions.
6. What Cross-Border Transfer Rules Apply?
Biometric data, as sensitive personal information under the PIPL, faces the strictest cross-border data transfer restrictions. The “Measures for Security Assessment of Cross-Border Data Transfers” (effective September 1, 2022, updated 2024) establish three transfer mechanisms:
| Mechanism | Applicable When | Processing Time |
|---|---|---|
| CAC Security Assessment | Processing biometric data of 1M+ individuals or transferring sensitive PI of 10,000+ individuals | 3–6 months |
| Standard Contract (SCC) | Below security assessment thresholds; biometric data included | 30–60 days |
| Third-Party Certification | Alternative to SCC; less common for biometric data | 2–4 months |
Foreign companies must also conduct a Personal Information Protection Impact Assessment (PIPIA) before initiating any cross-border transfer of biometric data, regardless of the transfer mechanism used.
7. Are There Sector-Specific Biometric Laws?
Yes, several sectors have additional biometric regulations that foreign companies must navigate:
Financial sector: The People’s Bank of China (PBOC) has issued specific rules on biometric authentication for financial services. Foreign banks and fintech companies must obtain additional approvals for using biometric data in customer verification, transaction authorization, and employee access to sensitive financial systems.
Healthcare sector: The National Health Commission regulates biometric data in medical settings. Patient biometric data is subject to stricter protection than employee biometric data, and foreign hospitals or clinics face additional compliance requirements.
Real estate and property management: Local regulations in several cities require property management companies — including those managing foreign-owned commercial properties — to register their biometric systems with local public security authorities and limit biometric data collection to the minimum necessary for access control.
Hospitality and retail: The 2024 facial recognition regulation has the most immediate impact on foreign hotels, retail stores, and entertainment venues. These businesses must ensure that biometric data collection is voluntary, with clear signage and alternative identification methods available.
8. What Local Regulations Apply in Shanghai, Shenzhen, and Beijing?
Several Chinese cities have enacted local regulations that supplement national laws on biometric data:
Shenzhen (2021): The Shenzhen Special Economic Zone Personal Information Protection Regulation was the first local data privacy law in China. It specifically prohibits facial recognition in public spaces without consent and requires companies to provide alternatives to biometric verification. Foreign companies with operations in Shenzhen must comply with both the national PIPL and this local regulation.
Shanghai (2023–2024): Shanghai’s implementation guidelines for the PIPL provide additional detail on biometric data consent requirements, including specific notice formatting and language requirements for foreign companies operating in the Shanghai Free Trade Zone (FTZ).
Beijing (2023): Beijing’s pilot data governance rules for the Beijing FTZ include provisions on biometric data in the workplace, particularly concerning employee monitoring and workplace surveillance.
Chengdu and Hangzhou (2024): These cities have introduced their own biometric data guidelines, primarily focused on the tourism and hospitality sectors, requiring clear disclosure of any biometric collection at hotels, attractions, and entertainment venues.
9. What Is a PIPIA and When Is It Required?
A Personal Information Protection Impact Assessment (PIPIA) is a mandatory risk assessment required under Articles 55–56 of the PIPL. For biometric data, a PIPIA must be conducted:
- Before initial collection — prior to deploying any biometric system (facial recognition, fingerprint scanners, voice recognition)
- Before cross-border transfers — prior to transferring any biometric data outside China
- When processing purposes change — if a company decides to use existing biometric data for a new purpose not covered by the original consent
- Before contracting with third-party processors — when engaging external vendors for biometric system management or data storage
A PIPIA must include: a description of the processing purpose and methods, an analysis of necessity and proportionality, an assessment of potential risks to individual rights, and identification of security measures to mitigate those risks. The PIPIA must be retained for at least three years.
10. What 2025–2026 Legislative Changes Affect Biometrics?
The 2025–2026 period has seen several significant developments in China’s biometric regulatory landscape:
- 2025 Deep Synthesis Amendment: Expanded AI-generated content rules to cover all AI-powered biometric processing, including reconstruction of biometric data from templates
- 2025 CAC Biometric Data Enforcement Guidelines: Published by the Cyberspace Administration of China, providing detailed guidance on consent requirements, data minimization, and security assessments specifically for biometric data
- 2025 Local Data Governance Laws: Several provinces (Guangdong, Zhejiang, Jiangsu) enacted local data regulations with biometric-specific provisions
- 2026 Cross-Border Data Transfer Simplification: The CAC introduced a streamlined process for companies with established compliance records, though biometric data remains subject to full review
- 2026 Enhanced Enforcement: CAC announced a dedicated biometric data enforcement task force, resulting in a 300% increase in inspections of foreign-invested enterprises in the first half of 2026
11. Which Enforcement Bodies Oversee Biometric Data?
Multiple Chinese regulatory bodies share jurisdiction over biometric data compliance for foreign companies:
| Regulator | Scope | Enforcement Actions |
|---|---|---|
| Cyberspace Administration of China (CAC) | Primary PIPL enforcer; cross-border data transfers | Fines, suspension, revocation of licenses |
| Ministry of Industry and Information Technology (MIIT) | Network security; MLPS compliance | Network shutdown orders, product recalls |
| State Administration for Market Regulation (SAMR) | Consumer protection; anti-unfair competition related to data | Fines, business rectification orders |
| Ministry of Public Security (MPS) | Criminal data violations; MLPS enforcement | Criminal referrals, facility closures |
| People’s Bank of China (PBOC) | Financial sector biometric data | Banking license restrictions, fines |
| National Health Commission (NHC) | Healthcare sector biometric data | Medical license suspension |
12. How Do the Laws Interact for Foreign-Invested Enterprises?
For foreign-invested enterprises (FIEs) in China, the interaction of these laws creates a compliance framework that is more complex than the sum of its parts. Here is how the key laws interact in practice:
PIPL + CSL interaction: When a foreign company deploys a biometric attendance system, the PIPL governs the consent and data processing aspects, while the CSL governs the network security requirements for the system itself. Both must be satisfied simultaneously.
PIPL + DSL interaction: The PIPL establishes individual rights and consent obligations, while the DSL establishes data governance obligations at the organizational level. A foreign company must obtain separate consent under the PIPL and implement organizational data security measures under the DSL.
Cross-border transfer complexity: Transferring biometric data abroad triggers obligations under all three laws: PIPL (individual notification and consent), DSL (security assessment), and the separate cross-border transfer measures (filing or approval). The CAC has emphasized that these obligations are cumulative, not alternative.
Conclusion
The legal landscape for biometric data in China is multi-layered and rapidly evolving. Foreign companies must navigate at least five major national laws, sector-specific regulations in certain industries, and local regulations in cities like Shenzhen, Shanghai, and Beijing. The 2025–2026 period has seen intensified enforcement, with the CAC creating a dedicated biometric data enforcement task force and conducting targeted inspections of foreign-invested enterprises.
Given the complexity of overlapping regulatory frameworks — each with its own enforcement body, penalties, and compliance timelines — foreign companies are strongly advised to engage specialized legal counsel with expertise in Chinese data protection law. A proactive compliance approach is significantly more cost-effective than responding to enforcement actions after violations are discovered.
This FAQ was updated in July 2026. Regulatory requirements are subject to change. Consult with qualified legal professionals for advice specific to your company’s circumstances.
