What Biometric Laws Apply to Foreign Companies in China?

Date:

Share post:






What Biometric Laws Apply to Foreign Companies in China?


What Biometric Laws Apply to Foreign Companies in China?

Quick Answer: Foreign companies in China are subject to at least five major legal frameworks governing biometric data: the Personal Information Protection Law (PIPL), the Cybersecurity Law (CSL), the Data Security Law (DSL), the 2024 Regulation on Facial Recognition in Public Places, and the Measures for Security Assessment of Cross-Border Data Transfers. Additionally, sector-specific regulations apply to finance, healthcare, real estate, and hospitality. Non-compliance can result in fines up to ¥50 million (approximately $7 million) or 5% of annual revenue.

1. How Does the PIPL Treat Biometric Data?

The Personal Information Protection Law (PIPL), effective November 1, 2021, is China’s comprehensive data privacy law modeled on the EU’s GDPR. It is the primary legal framework governing biometric data for foreign companies in China.

Article 28 of the PIPL explicitly classifies biometric data as “sensitive personal information” — defined as information that, once leaked or illegally used, may lead to damage to personal dignity or harm to personal or property safety. This classification triggers heightened compliance obligations that go well beyond those for ordinary personal data.

Articles 29–32 impose specific requirements for processing sensitive personal information:

  • Separate consent (Article 29): Biometric data processing requires independent, explicit consent — not bundled with general employment terms or general privacy policies.
  • Specific purpose (Article 30): Companies must inform data subjects of the necessity of processing and the impact on their personal rights and interests.
  • Limited purpose (Article 6): Biometric data may only be collected for purposes directly related to the company’s business operations and must not be processed beyond what is necessary.
  • Strict necessity (Article 28): Biometric data may only be processed when there is a “specific purpose” and “sufficient necessity” — a standard higher than the general “minimum necessity” principle.
Key Point for Foreign Companies: Unlike the GDPR, which allows explicit consent OR legitimate interest as legal bases for processing biometric data, the PIPL does not recognize legitimate interest as a valid basis. Explicit, separate consent is mandatory for biometric data processing in most employment contexts.

2. What Does the Cybersecurity Law Require for Biometric Systems?

The Cybersecurity Law (CSL), effective June 1, 2017, imposes requirements that directly affect how foreign companies deploy and operate biometric systems in China.

Multi-Level Protection Scheme (MLPS): Under the CSL, any biometric system connected to a corporate network — including fingerprint attendance terminals, facial recognition access control, and voice recognition systems — must be classified under the MLPS (also known as “dengbao” or “等保”). Biometric systems typically fall under Level 2 or Level 3 classification, depending on the number of data subjects and the system’s criticality.

  • Level 2 (Guarded): Required for biometric systems processing biometric data of fewer than 100,000 individuals. Requires registration with local public security authorities and annual security assessments.
  • Level 3 (Protected): Required for systems processing biometric data of 100,000+ individuals or systems connected to critical information infrastructure. Requires on-site inspection by a qualified MLPS assessment agency and biennial reassessments.

Network security obligations: The CSL also requires companies to implement network security measures including encrypted data transmission, access control systems, network monitoring, incident response plans, and data backup protocols for biometric databases.

3. How Does the Data Security Law Affect Biometric Data?

The Data Security Law (DSL), effective September 1, 2021, establishes a three-tier data classification system: general data, important data, and core data. While biometric data collected from individual employees is typically classified as “general data” (subject to PIPL obligations), aggregated biometric datasets — such as a company’s database of all employee fingerprints or facial templates — may qualify as “important data” under certain circumstances.

Important data obligations: If a foreign company’s biometric database is classified as important data, the following additional obligations apply:

  • Annual data security assessment by a qualified third party
  • Appointment of a data security officer
  • Reporting of any data security incidents to regulators within 24 hours
  • Cross-border transfer restrictions beyond those already imposed by the PIPL

Although the DSL does not automatically classify all biometric databases as important data, regulators have indicated that databases containing biometric data of 1 million or more individuals will face closer scrutiny under the DSL’s important data framework.

4. What Is the 2024 Facial Recognition Regulation?

The “Regulations on the Management of Facial Recognition Technology in Public Places” (effective August 1, 2024) was a landmark regulation specifically targeting facial recognition technology. While its primary focus is public spaces, it has significant implications for workplace use.

Key provisions:

  • Prohibition on mandatory use: Companies cannot force employees or visitors to use facial recognition when alternative identity verification methods exist.
  • Express consent requirement: Organizations deploying facial recognition systems must obtain express, written consent from every individual scanned.
  • Prohibition on secret collection: Facial recognition systems must be clearly marked with visible signage, and individuals must be informed before entering areas under surveillance.
  • Data retention limit: Facial data collected for verification purposes must be deleted immediately after identity verification is complete. Long-term storage is prohibited unless explicitly consented to.
  • Security measures: Facial recognition systems must comply with national security standards (GB/T 41819-2022 and related standards).
Important: The 2024 regulation applies to all organizations operating in China, including foreign-invested enterprises. A 2025 enforcement action against a European luxury retailer in Beijing cited violations of this regulation for using facial recognition at store entrances without proper signage or consent.

5. Do Deep Synthesis (Deepfake) Rules Apply?

The “Provisions on the Administration of Deep Synthesis of Internet Information Services” (effective March 1, 2023, with amendments in 2025) regulate the use of AI to generate or alter biometric data. While less directly relevant to standard employment biometrics, these provisions apply when foreign companies use AI-powered biometric systems capable of:

  • Generating synthetic voice or facial data from employee biometric samples
  • Using deep learning for biometric matching (e.g., AI-enhanced facial recognition)
  • Storing biometric data in a way that enables synthetic generation

The 2025 amendments expanded the definition of “deep synthesis” to include any AI-powered processing of biometric data that could generate or reconstruct identifiable biometric information. Foreign companies using advanced biometric systems should verify compliance with these provisions.

6. What Cross-Border Transfer Rules Apply?

Biometric data, as sensitive personal information under the PIPL, faces the strictest cross-border data transfer restrictions. The “Measures for Security Assessment of Cross-Border Data Transfers” (effective September 1, 2022, updated 2024) establish three transfer mechanisms:

Mechanism Applicable When Processing Time
CAC Security Assessment Processing biometric data of 1M+ individuals or transferring sensitive PI of 10,000+ individuals 3–6 months
Standard Contract (SCC) Below security assessment thresholds; biometric data included 30–60 days
Third-Party Certification Alternative to SCC; less common for biometric data 2–4 months

Foreign companies must also conduct a Personal Information Protection Impact Assessment (PIPIA) before initiating any cross-border transfer of biometric data, regardless of the transfer mechanism used.

7. Are There Sector-Specific Biometric Laws?

Yes, several sectors have additional biometric regulations that foreign companies must navigate:

Financial sector: The People’s Bank of China (PBOC) has issued specific rules on biometric authentication for financial services. Foreign banks and fintech companies must obtain additional approvals for using biometric data in customer verification, transaction authorization, and employee access to sensitive financial systems.

Healthcare sector: The National Health Commission regulates biometric data in medical settings. Patient biometric data is subject to stricter protection than employee biometric data, and foreign hospitals or clinics face additional compliance requirements.

Real estate and property management: Local regulations in several cities require property management companies — including those managing foreign-owned commercial properties — to register their biometric systems with local public security authorities and limit biometric data collection to the minimum necessary for access control.

Hospitality and retail: The 2024 facial recognition regulation has the most immediate impact on foreign hotels, retail stores, and entertainment venues. These businesses must ensure that biometric data collection is voluntary, with clear signage and alternative identification methods available.

8. What Local Regulations Apply in Shanghai, Shenzhen, and Beijing?

Several Chinese cities have enacted local regulations that supplement national laws on biometric data:

Shenzhen (2021): The Shenzhen Special Economic Zone Personal Information Protection Regulation was the first local data privacy law in China. It specifically prohibits facial recognition in public spaces without consent and requires companies to provide alternatives to biometric verification. Foreign companies with operations in Shenzhen must comply with both the national PIPL and this local regulation.

Shanghai (2023–2024): Shanghai’s implementation guidelines for the PIPL provide additional detail on biometric data consent requirements, including specific notice formatting and language requirements for foreign companies operating in the Shanghai Free Trade Zone (FTZ).

Beijing (2023): Beijing’s pilot data governance rules for the Beijing FTZ include provisions on biometric data in the workplace, particularly concerning employee monitoring and workplace surveillance.

Chengdu and Hangzhou (2024): These cities have introduced their own biometric data guidelines, primarily focused on the tourism and hospitality sectors, requiring clear disclosure of any biometric collection at hotels, attractions, and entertainment venues.

Practical Advice: Foreign companies with operations in multiple Chinese cities should map their compliance obligations city by city. A biometric compliance program designed for Shanghai may need adjustments for Shenzhen, and vice versa. Engaging local legal counsel in each jurisdiction is recommended.

9. What Is a PIPIA and When Is It Required?

A Personal Information Protection Impact Assessment (PIPIA) is a mandatory risk assessment required under Articles 55–56 of the PIPL. For biometric data, a PIPIA must be conducted:

  • Before initial collection — prior to deploying any biometric system (facial recognition, fingerprint scanners, voice recognition)
  • Before cross-border transfers — prior to transferring any biometric data outside China
  • When processing purposes change — if a company decides to use existing biometric data for a new purpose not covered by the original consent
  • Before contracting with third-party processors — when engaging external vendors for biometric system management or data storage

A PIPIA must include: a description of the processing purpose and methods, an analysis of necessity and proportionality, an assessment of potential risks to individual rights, and identification of security measures to mitigate those risks. The PIPIA must be retained for at least three years.

10. What 2025–2026 Legislative Changes Affect Biometrics?

The 2025–2026 period has seen several significant developments in China’s biometric regulatory landscape:

  • 2025 Deep Synthesis Amendment: Expanded AI-generated content rules to cover all AI-powered biometric processing, including reconstruction of biometric data from templates
  • 2025 CAC Biometric Data Enforcement Guidelines: Published by the Cyberspace Administration of China, providing detailed guidance on consent requirements, data minimization, and security assessments specifically for biometric data
  • 2025 Local Data Governance Laws: Several provinces (Guangdong, Zhejiang, Jiangsu) enacted local data regulations with biometric-specific provisions
  • 2026 Cross-Border Data Transfer Simplification: The CAC introduced a streamlined process for companies with established compliance records, though biometric data remains subject to full review
  • 2026 Enhanced Enforcement: CAC announced a dedicated biometric data enforcement task force, resulting in a 300% increase in inspections of foreign-invested enterprises in the first half of 2026

11. Which Enforcement Bodies Oversee Biometric Data?

Multiple Chinese regulatory bodies share jurisdiction over biometric data compliance for foreign companies:

Regulator Scope Enforcement Actions
Cyberspace Administration of China (CAC) Primary PIPL enforcer; cross-border data transfers Fines, suspension, revocation of licenses
Ministry of Industry and Information Technology (MIIT) Network security; MLPS compliance Network shutdown orders, product recalls
State Administration for Market Regulation (SAMR) Consumer protection; anti-unfair competition related to data Fines, business rectification orders
Ministry of Public Security (MPS) Criminal data violations; MLPS enforcement Criminal referrals, facility closures
People’s Bank of China (PBOC) Financial sector biometric data Banking license restrictions, fines
National Health Commission (NHC) Healthcare sector biometric data Medical license suspension

12. How Do the Laws Interact for Foreign-Invested Enterprises?

For foreign-invested enterprises (FIEs) in China, the interaction of these laws creates a compliance framework that is more complex than the sum of its parts. Here is how the key laws interact in practice:

PIPL + CSL interaction: When a foreign company deploys a biometric attendance system, the PIPL governs the consent and data processing aspects, while the CSL governs the network security requirements for the system itself. Both must be satisfied simultaneously.

PIPL + DSL interaction: The PIPL establishes individual rights and consent obligations, while the DSL establishes data governance obligations at the organizational level. A foreign company must obtain separate consent under the PIPL and implement organizational data security measures under the DSL.

Cross-border transfer complexity: Transferring biometric data abroad triggers obligations under all three laws: PIPL (individual notification and consent), DSL (security assessment), and the separate cross-border transfer measures (filing or approval). The CAC has emphasized that these obligations are cumulative, not alternative.

Recommended Action: Foreign companies should conduct a comprehensive legal audit covering all five major legal frameworks (PIPL, CSL, DSL, FR Regulation, Cross-Border Transfer Measures) plus any applicable sector-specific and local regulations. A gap analysis against each framework is the minimum starting point for compliance in 2026.

Conclusion

The legal landscape for biometric data in China is multi-layered and rapidly evolving. Foreign companies must navigate at least five major national laws, sector-specific regulations in certain industries, and local regulations in cities like Shenzhen, Shanghai, and Beijing. The 2025–2026 period has seen intensified enforcement, with the CAC creating a dedicated biometric data enforcement task force and conducting targeted inspections of foreign-invested enterprises.

Given the complexity of overlapping regulatory frameworks — each with its own enforcement body, penalties, and compliance timelines — foreign companies are strongly advised to engage specialized legal counsel with expertise in Chinese data protection law. A proactive compliance approach is significantly more cost-effective than responding to enforcement actions after violations are discovered.

This FAQ was updated in July 2026. Regulatory requirements are subject to change. Consult with qualified legal professionals for advice specific to your company’s circumstances.


Related articles

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreign Firms

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreig

China’s 2025 Environmental Protection Law Amendments: What They Mean for Environmental Compliance

China's 2025 Environmental Protection Law Amendments: What They Mean for Environmental Compliance China's 2025 amendments to the Environmental Protect

How Unilever Met China’s Solid Waste Management Regulations: A Compliance Case Study

How Unilever Met China’s Solid Waste Management Regulations: A Compliance Case Study By 2023, Unilever had reduced its total waste generation across i

How Apple Helped Its China Suppliers Switch to Renewable Energy: Carbon Reduction Case Study

How Apple Helped Its China Suppliers Switch to Renewable Energy: Carbon Reduction Case Study body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-se