Can Biometric Data Be Transferred Outside China by Foreign Businesses?

Date:

Share post:






Can Biometric Data Be Transferred Outside China by Foreign Businesses?


Can Biometric Data Be Transferred Outside China by Foreign Businesses?

Foreign businesses operating in China frequently ask whether biometric data — fingerprints, facial recognition templates, iris scans, voiceprints, palm geometry, and other physiological or behavioral identifiers — can be transferred outside of China’s borders. The short answer is: yes, but with significant legal and regulatory hurdles that make it one of the most tightly controlled categories of data transfer under Chinese law.

China’s comprehensive data protection regime treats biometric data as “sensitive personal information” under the Personal Information Protection Law (PIPL), and cross-border transfers are further restricted by the Data Security Law (DSL), the Cybersecurity Law (CSL), and sector-specific regulations. This FAQ outlines exactly what the rules are, what conditions must be met, and what practical steps foreign businesses must take before any biometric data leaves China.

Why Is Biometric Data So Heavily Regulated for Cross-Border Transfer?

China classifies biometric data as sensitive personal information for a straightforward reason: it is inherently immutable and uniquely identifying. Unlike a password or an email address, a fingerprint template or facial geometry cannot be changed if compromised. The consequences of a breach or unauthorized transfer are permanent for the individual affected.

Article 28 of the PIPL defines sensitive personal information as including biometric data, and imposes stricter rules on its collection, processing, storage, and transfer. When data crosses borders, the stakes rise further because Chinese regulators cannot enforce privacy protections outside their jurisdiction.

Beyond privacy concerns, the Chinese government views biometric data — particularly high-resolution facial imagery, population-scale fingerprint databases, and voice recognition training data — as a matter of national security. The Data Security Law (effective September 1, 2021) introduces the concept of “important data” and “core national data,” and biometric datasets of sufficient scale can fall into these categories, triggering additional government approval requirements beyond standard personal information protection.

What Legal Frameworks Govern Cross-Border Biometric Data Transfers?

Foreign businesses must navigate at least four layers of regulation when transferring biometric data out of China:

1. Personal Information Protection Law (PIPL) — August 2021

The PIPL is the primary framework. Articles 38 through 43 establish the conditions under which personal information (including sensitive data) may be transferred abroad. For biometric data specifically, Article 28 requires separate explicit consent for processing, and this heightened consent standard applies equally to cross-border transfers.

Under Article 38, a personal information processor (the foreign business or its Chinese entity) may transfer personal information outside China only if it satisfies one of the following:

  • Pass a security assessment organized by the Cyberspace Administration of China (CAC) — required when processing data above certain thresholds
  • Obtain certification from a CAC-recognized professional institution (e.g., through the newly established personal information protection certification system)
  • Sign a standard contract with the overseas recipient using the CAC’s Standard Contract for Cross-Border Transfer of Personal Information
  • Other measures as prescribed by laws and regulations (a catch-all that is rarely invoked)

For biometric data, Option 1 (CAC security assessment) is often the default requirement because the volume triggers, or the sensitivity alone may push regulators to demand the highest level of scrutiny.

2. Data Security Law (DSL) — September 2021

The DSL classifies data into three tiers: general, important, and core. Biometric data processed at scale (e.g., a company collecting facial recognition data from thousands of employees or customers) may be classified as important data. If so, cross-border transfer requires a separate security assessment by designated government bodies — not just the PIPL-based assessment, but an additional DSL review.

3. Cybersecurity Law (CSL) — June 2017

The CSL requires “Critical Information Infrastructure” (CII) operators to store personal information and important data within China. If a foreign business’s Chinese operations are classified as a CII operator — which can happen in sectors like finance, energy, healthcare, and transportation — biometric data transfer abroad demands a CAC security assessment as a mandatory first step, with no alternative pathways available.

4. Sector-Specific Regulations

Certain industries impose even stricter rules:

  • Financial sector: The People’s Bank of China (PBOC) requires biometric data used for identity verification (e.g., facial recognition for bank account opening) to remain within China’s borders
  • Healthcare: Patient biometric data is subject to additional restrictions under China’s Medical Records Management regulations
  • Human resources: Employee biometric data (fingerprint attendance systems, facial recognition for access control) is governed by labor law and PIPL jointly, with cross-border transfer requiring explicit consent from each employee
  • Public security: Any biometric data collected for public security purposes (e.g., from hotel check-in systems, airport security) is categorically prohibited from cross-border transfer

What Specific Conditions Must Be Met Before a Transfer?

Before biometric data can legally leave China, a foreign business must satisfy the following cumulative conditions:

Condition 1: Obtain Separate Explicit Consent

Biometric data requires “separate consent” under Article 23 of the PIPL. This means the data subject must be informed specifically that their biometric data will be transferred abroad, the identity of the overseas recipient, the purpose and scope of the transfer, and the data storage period. Consent cannot be bundled into a general terms-of-service agreement. It must be an opt-in, affirmative action by the individual.

Condition 2: Conduct a Personal Information Protection Impact Assessment (PIPIA)

Article 55 of the PIPL mandates a PIA before any transfer of sensitive personal information abroad. The assessment must cover:

  • The necessity and proportionality of the processing purpose
  • The impact on individual rights and interests
  • The security measures in place at both the sending and receiving ends
  • Whether the overseas recipient’s legal framework provides adequate protection (the “adequacy” determination)

Condition 3: Choose and Implement a Lawful Transfer Mechanism

The business must adopt one of the following mechanisms (listed in order of regulatory stringency):

Mechanism Best For Timeframe
CAC Security Assessment Large-scale transfers, CII operators, important data 3–9 months
Standard Contractual Clauses (SCC) Moderate-scale, lower-risk transfers 1–3 months
Certification (ISO 27701 / CNCA) Multinational groups with global compliance programs 3–6 months

Important: For biometric data specifically, the CAC has indicated in guidance that data processors who have processed the personal information of more than 1 million individuals cumulatively, or who have transferred sensitive personal information of more than 10,000 individuals abroad since January 1 of the previous year, must file for a CAC security assessment — the SCC pathway is not available to them.

Condition 4: Ensure Adequate Protection at the Destination

The overseas recipient must provide a level of protection at least equivalent to that required under Chinese law. This is often the most challenging condition because most countries do not have laws that mirror PIPL’s strict data localization and consent requirements. The foreign business and its overseas recipient must contractually bind themselves to Chinese-level protections, and the contract must be enforceable.

Condition 5: Maintain a Cross-Border Transfer Record

Article 52 of the PIPL requires businesses to maintain records of cross-border transfers, including the date, scope, purpose, the recipient’s name and contact details, and the retention period. For sensitive data like biometrics, these records should be comprehensive and readily available for regulatory inspection.

What Are the Consequences of Non-Compliance?

The penalties for illegally transferring biometric data out of China are severe:

  • Administrative fines: Up to RMB 50 million (approximately USD 7 million) or 5% of annual revenue for serious violations (Article 66 of PIPL)
  • Suspension of business: Regulators can order the cessation of data processing activities, confiscation of illegal gains, and revocation of business licenses
  • Personal liability: Senior management and directly responsible personnel face fines of RMB 100,000 to RMB 1 million and potential employment bans
  • Civil liability: Class action or representative lawsuits by individuals whose biometric data was transferred without consent
  • Reputational damage: Inclusion in public “blacklists” for data security violations, affecting future business in China

Are There Any Exceptions or Exemptions?

The PIPL does provide limited exceptions to the consent requirement that are relevant to biometric data transfer:

  • Necessary for contract performance: If biometric data must be transferred abroad to fulfill a contract to which the data subject is a party (e.g., an international employment contract requiring global HR system access), consent may not be required — provided the transfer is truly necessary for that contract
  • Vital interests: Cross-border transfer necessary to protect an individual’s life or health in an emergency (very narrow in practice)
  • Labor management: Processing (not necessarily cross-border transfer) necessary for human resource management under applicable labor laws and collective agreements — but regulators take a strict view on whether this extends to overseas HR system access

Important caveat: Even where a consent exemption applies, the security assessment or SCC requirement may still be triggered by the volume or sensitivity of the data transferred. Exemptions from consent are not exemptions from the transfer mechanism requirements.

Practical Steps for Foreign Businesses

For foreign businesses that need to transfer biometric data out of China, here is a recommended action plan:

  1. Data mapping: Document exactly what biometric data is collected, where it is stored, who accesses it from outside China, and for what purposes
  2. Volume assessment: Determine whether the volume triggers the mandatory CAC security assessment threshold (1 million cumulative individuals or 10,000 individuals’ sensitive data transferred)
  3. Classification check: Verify whether the biometric dataset qualifies as “important data” under the DSL — seek external legal advice for this determination
  4. PIPIA completion: Complete a formal Personal Information Protection Impact Assessment
  5. Mechanism selection: Choose the appropriate transfer mechanism and begin the application or contracting process
  6. Consent refresh: Update privacy notices and consent forms to include specific, separate language about cross-border biometric data transfer
  7. Contract review: Review contracts with overseas recipients to ensure they include data protection obligations equivalent to China’s legal standards
  8. Local storage option: Evaluate whether biometric data can be stored and processed within China to avoid cross-border transfer complexity entirely — this is often the simplest path for foreign businesses with China-based operations

Key Takeaway

Bottom line: Biometric data can be transferred outside China by foreign businesses, but only after meeting a rigorous set of conditions — separate explicit consent, a completed PIPIA, a valid transfer mechanism (CAC assessment, SCC, or certification), and adequate destination-country protections. Most foreign businesses find that the compliance burden is substantial enough to justify investing in China-based biometric data storage and processing infrastructure instead. For businesses that must proceed with cross-border transfer, engaging specialized China data privacy counsel is not optional — it is a prerequisite for compliance.

Related Resources

  • PIPL Articles 28, 38–43: Definitions and conditions for sensitive data cross-border transfer
  • Measures for Security Assessment of Cross-Border Data Transfer (CAC, 2022): Detailed assessment procedures and thresholds
  • Standard Contract for Cross-Border Transfer of Personal Information (CAC, 2023): Template and implementation rules
  • Guide to China’s Personal Information Protection Impact Assessment (TC260, 2023): National standard for conducting PIA
© 2026 China Gateway 360 — CG360-BIOMETRICS-FAQ-015


Related articles

Can I sell directly to Chinese consumers without a distributor?

Can I Sell Directly to Chinese Consumers Without a Distributor? Table of Contents Introduction: The Direct-to-Consumer Question in China Direct Sales

How to Protect Your Brand While Scaling Distribution in China: 2026 Guide

How to Protect Your Brand While Scaling Distribution in China: 2026 Guide Brand protection in China is not an afterthought—it is a prerequisite for sc

How to Handle Channel Conflict in China: Resolution Strategies for Foreign Brands

How to Handle Channel Conflict in China: Resolution Strategies for Foreign Brands Channel conflict in China—known as 渠道冲突 (channel conflict, qúdào chō

China Overtime Pay Estimator: Calculate Your Monthly Labor Cost Exposure

China Overtime Pay Estimator: Calculate Your Monthly Labor Cost Exposure China Overtime Pay Estimator: Calculate Your Monthly Labor Cost Exposure Over