What Biometric Security Standards Apply to Foreign Firms in China?
Foreign companies deploying biometric technologies in China must comply with a layered system of security standards — some legally binding, others voluntary but essential for regulatory good standing. These standards govern every aspect of biometric data protection: encryption requirements, template storage security, access control, transmission protocols, system certification, and incident response. Understanding which standards are mandatory and which are merely recommended is critical for compliance planning and budget allocation.
This FAQ provides a practical overview of the biometric security standards landscape in China, organized by the type of requirement and its legal force.
The Three Tiers of Standards
China’s approach to biometric security is structured around three tiers of standards, each with different legal force:
| Tier | Type | Examples | Legal Force |
|---|---|---|---|
| 1 | Mandatory National Standards (GB) | GB 17859-1999, GB/T 22239-2019 (MLPS 2.0) | Legally binding — non-compliance can result in fines, suspension, or criminal liability |
| 2 | Recommended National Standards (GB/T) | GB/T 35273-2020, GB/T 39335-2020, GB/T 40660-2021 | Not directly binding, but regulators use them as benchmarks for compliance. Strongly recommended for foreign firms |
| 3 | Industry Standards (GA, JR, YD, etc.) | GA/T 893-2010 (public security facial recognition), JR/T 0197-2020 (financial biometric security) | Binding within their respective sectors — enforced by sector regulators |
For foreign companies, the practical reality is that Tier 2 standards — the GB/T recommendations — are effectively mandatory. Chinese regulators use these standards as the baseline for evaluating compliance during inspections and investigations. A company that fails to meet GB/T guidelines may be found in violation of the broader “security measures” obligations under Article 51 of the PIPL, even if no specific GB standard was violated.
Core Security Standards for Biometric Systems
1. MLPS 2.0 (GB/T 22239-2019) — Multi-Level Protection Scheme
The Multi-Level Protection Scheme (MLPS 2.0) is the foundational cybersecurity standard in China. It applies to all information systems, including biometric databases and processing systems. Systems are classified into protection levels 1 through 5 based on the potential damage from a breach.
For foreign company biometric systems, MLPS 2.0 typically requires:
- Level 2 (Guarded) or Level 3 (Enhanced): Most enterprise biometric systems (attendance, access control, customer verification) fall under Level 2 or 3. Level 3 applies if the biometric system is part of a larger system serving a defined group (e.g., an office building or factory with 500+ employees) or if it connects to the internet
- Mandatory MLPS filing: Systems must be registered with the local public security bureau, and a third-party Level 3 assessment must be completed annually
- Technical requirements at Level 3 include: Identity authentication at login, data encryption (both at rest and in transit), security audit logs (retained 6+ months), intrusion detection, and disaster recovery capabilities
2. GB/T 35273-2020 — Personal Information Security Specification
This is the most important recommended standard for biometric data processing. Issued by the TC260, it provides detailed technical and organizational requirements including:
- Separate storage: Biometric data must be stored separately from identity information. The recommendation is to store biometric templates and identity verification information (name, ID number, phone number) in physically or logically separate databases
- Encryption standards: Biometric data at rest must be encrypted using cryptographic algorithms meeting China’s national standards (SM2, SM3, SM4). AES-256 is acceptable as a supplementary measure but should be complemented with SM-series encryption for regulatory alignment
- Access control: Only specifically authorized personnel should have access to biometric databases, and all access must be logged
- Template protection: Raw biometric images (e.g., full fingerprint images, unprocessed facial photographs) should not be stored. Only feature-extracted templates should be retained, and these should be generated using one-way algorithms that prevent reconstruction of the original biometric image
- Security baseline: The standard specifies 9 security control categories and 30 specific control measures for sensitive personal information processing
3. GB/T 40660-2021 — Information Security Technology — Biometric Information Protection Requirements
This is the most specific standard for biometric data security in China. Published in 2021 and effective March 1, 2022, it defines protection requirements specifically for biometric information throughout its lifecycle. Key provisions include:
- Biometric template protection: Requires that biometric templates be stored using techniques such as cancelable biometrics, fuzzy commitment, or secure sketch — cryptographic techniques that allow template matching without exposing the underlying biometric data
- Anti-spoofing requirements: Biometric systems must include liveness detection to prevent spoofing using photographs, videos, silicone masks, or recorded voice samples
- Transmission security: Biometric data transmitted between sensors (cameras, fingerprint readers) and backend servers must be encrypted using approved cryptographic protocols. Plaintext biometric data must never traverse a network
- Audit logging: All biometric data access, modification, and deletion must be logged with timestamps, user identification, and access details. Logs must be retained for at least 6 months
- Secure deletion: Biometric data deletion must follow secure deletion algorithms that prevent forensic recovery
4. GB/T 39335-2020 — Personal Information Security Impact Assessment Specification
While primarily a process standard for conducting PIA, GB/T 39335-2020 also defines security benchmarks against which biometric processing must be evaluated. It cross-references GB/T 35273-2020 and GB/T 40660-2021, creating an integrated compliance framework.
Sector-Specific Biometric Security Standards
Financial Services (PBOC Standards)
Financial institutions using biometrics must comply with JR/T 0197-2020 (Financial Biometric Data Security Requirements), which mandates:
- Biometric data must be stored within China’s borders
- Biometric data must be encrypted using SM-series national cryptographic algorithms
- Cross-border transfer of biometric data used for financial services is prohibited except under specific regulatory approvals
- Biometric systems must achieve a false acceptance rate (FAR) of ≤ 0.001% and a false rejection rate (FRR) that does not unduly burden legitimate customers
- Annual security audits of biometric systems by qualified third parties are mandatory
Public Security (Ministry of Public Security Standards)
For biometric systems used in public security contexts — or even in commercial settings where the data is accessible to public security authorities (e.g., hotel check-in systems, transport hubs) — the GA/T 893-2010 (General Specifications for Facial Recognition Systems) and related standards apply. These standards focus on:
- Interoperability between systems used by different authorities
- Data quality standards (image resolution, lighting conditions, capture angles)
- Real-time transmission requirements to public security database systems
- Access controls limiting biometric data use to authorized law enforcement purposes only
Commercial Buildings and Access Control
Property management and commercial access control systems using biometrics are increasingly governed by local municipal regulations. For example, the Shanghai Municipal Regulation on Facial Recognition in Residential Communities (2022) and similar regulations in Shenzhen, Beijing, and Hangzhou impose specific security standards including on-device processing requirements and prohibitions on cloud-based facial recognition databases for community access. Foreign companies operating commercial facilities should check local municipal regulations in their specific city of operation.
Encryption and Cryptographic Requirements
A critical area where foreign companies often struggle is China’s cryptography requirements. The Cryptography Law of China (effective January 1, 2020) establishes a framework for commercial cryptography use. While foreign cryptographic algorithms (AES, RSA, ECC) are not prohibited, there is a strong regulatory preference for China’s national cryptographic algorithms (SM series):
| Algorithm | Type | Application for Biometric Data |
|---|---|---|
| SM2 | Elliptic curve public-key cryptography | Authentication and digital signatures for biometric system access |
| SM3 | Cryptographic hash function | Hash-based integrity verification of biometric databases |
| SM4 | Block cipher symmetric encryption | Encryption of biometric data at rest and in transit |
| SM9 | Identity-based cryptography | Alternative to certificate-based PKI for biometric system authentication |
While foreign companies can technically use AES-256 for biometric data encryption, the choice may be questioned during regulatory audits. Many MLPS assessors and sector regulators specifically look for SM-series compliance. For new biometric system deployments, implementing SM4 encryption alongside AES-256 is strongly recommended.
Liveness Detection and Anti-Spoofing Standards
Under GB/T 40660-2021 and sector-specific standards, foreign companies must implement liveness detection that meets the following benchmarks:
- Presentation Attack Detection (PAD): Biometric systems must detect at minimum the following attack types: printed photographs, digital display replay, video replay, silicone masks, and 3D-printed facial replicas
- Liveness detection modalities: At least two independent liveness detection mechanisms should be combined (e.g., blink detection + texture analysis, or thermal imaging + movement analysis)
- FAR for liveness detection: The system’s liveness detection false acceptance rate (classifying a spoof as genuine) should be ≤ 0.5% for Level 2 applications and ≤ 0.1% for Level 3 applications
- Documentation: The system’s anti-spoofing capabilities and their tested accuracy rates must be documented as part of the PIPIA
Third-Party Certification and Testing
China offers voluntary certification programs that foreign companies may find valuable for demonstrating compliance:
- IT Security Certification (CCRC): China Cybersecurity Review and Certification Center issues product-level certifications for biometric systems. Certified systems have been independently tested against GB/T standards
- MLPS Assessment: Third-party MLPS assessments conducted by authorized testing laboratories can serve as comprehensive compliance evidence
- GB/T 35273 Conformity Assessment: The TC260 has established a conformity assessment framework for personal information protection, including biometric data processing
Foreign companies using imported biometric hardware (e.g., European or American fingerprint readers, facial recognition cameras) should verify that the equipment meets Chinese national standards and has been tested by a Chinese-accredited laboratory. Some imported biometric devices may not support SM-series encryption or may not pass Chinese anti-spoofing testing requirements — these devices must be supplemented or replaced with locally compliant alternatives.
Documentation and Record-Keeping Requirements
Foreign companies must maintain the following documentation for biometric security standard compliance:
- Security management policies specific to biometric data, approved by senior management
- Data classification and grading register showing the MLPS level assigned to each biometric system
- Security audit logs covering all access to biometric databases, retained for at least 6 months
- Incident response plan specifically for biometric data breaches, tested at least annually
- Third-party assessment reports from MLPS evaluations, penetration tests, and vulnerability scans
- Vendor compliance documentation for any third-party biometric system components
- Training records for personnel handling biometric data
Key Takeaway
Related Resources
- GB/T 22239-2019: MLPS 2.0 baseline for information security protection
- GB/T 35273-2020: Personal Information Security Specification
- GB/T 40660-2021: Biometric Information Protection Requirements
- JR/T 0197-2020: Financial Biometric Data Security Requirements (PBOC)
- Cryptography Law of China (2020): Legal framework for SM-series cryptographic algorithms
