What Biometric Security Standards Apply to Foreign Firms in China?

Date:

Share post:






What Biometric Security Standards Apply to Foreign Firms in China?


What Biometric Security Standards Apply to Foreign Firms in China?

Foreign companies deploying biometric technologies in China must comply with a layered system of security standards — some legally binding, others voluntary but essential for regulatory good standing. These standards govern every aspect of biometric data protection: encryption requirements, template storage security, access control, transmission protocols, system certification, and incident response. Understanding which standards are mandatory and which are merely recommended is critical for compliance planning and budget allocation.

This FAQ provides a practical overview of the biometric security standards landscape in China, organized by the type of requirement and its legal force.

The Three Tiers of Standards

China’s approach to biometric security is structured around three tiers of standards, each with different legal force:

Tier Type Examples Legal Force
1 Mandatory National Standards (GB) GB 17859-1999, GB/T 22239-2019 (MLPS 2.0) Legally binding — non-compliance can result in fines, suspension, or criminal liability
2 Recommended National Standards (GB/T) GB/T 35273-2020, GB/T 39335-2020, GB/T 40660-2021 Not directly binding, but regulators use them as benchmarks for compliance. Strongly recommended for foreign firms
3 Industry Standards (GA, JR, YD, etc.) GA/T 893-2010 (public security facial recognition), JR/T 0197-2020 (financial biometric security) Binding within their respective sectors — enforced by sector regulators

For foreign companies, the practical reality is that Tier 2 standards — the GB/T recommendations — are effectively mandatory. Chinese regulators use these standards as the baseline for evaluating compliance during inspections and investigations. A company that fails to meet GB/T guidelines may be found in violation of the broader “security measures” obligations under Article 51 of the PIPL, even if no specific GB standard was violated.

Core Security Standards for Biometric Systems

1. MLPS 2.0 (GB/T 22239-2019) — Multi-Level Protection Scheme

The Multi-Level Protection Scheme (MLPS 2.0) is the foundational cybersecurity standard in China. It applies to all information systems, including biometric databases and processing systems. Systems are classified into protection levels 1 through 5 based on the potential damage from a breach.

For foreign company biometric systems, MLPS 2.0 typically requires:

  • Level 2 (Guarded) or Level 3 (Enhanced): Most enterprise biometric systems (attendance, access control, customer verification) fall under Level 2 or 3. Level 3 applies if the biometric system is part of a larger system serving a defined group (e.g., an office building or factory with 500+ employees) or if it connects to the internet
  • Mandatory MLPS filing: Systems must be registered with the local public security bureau, and a third-party Level 3 assessment must be completed annually
  • Technical requirements at Level 3 include: Identity authentication at login, data encryption (both at rest and in transit), security audit logs (retained 6+ months), intrusion detection, and disaster recovery capabilities

2. GB/T 35273-2020 — Personal Information Security Specification

This is the most important recommended standard for biometric data processing. Issued by the TC260, it provides detailed technical and organizational requirements including:

  • Separate storage: Biometric data must be stored separately from identity information. The recommendation is to store biometric templates and identity verification information (name, ID number, phone number) in physically or logically separate databases
  • Encryption standards: Biometric data at rest must be encrypted using cryptographic algorithms meeting China’s national standards (SM2, SM3, SM4). AES-256 is acceptable as a supplementary measure but should be complemented with SM-series encryption for regulatory alignment
  • Access control: Only specifically authorized personnel should have access to biometric databases, and all access must be logged
  • Template protection: Raw biometric images (e.g., full fingerprint images, unprocessed facial photographs) should not be stored. Only feature-extracted templates should be retained, and these should be generated using one-way algorithms that prevent reconstruction of the original biometric image
  • Security baseline: The standard specifies 9 security control categories and 30 specific control measures for sensitive personal information processing

3. GB/T 40660-2021 — Information Security Technology — Biometric Information Protection Requirements

This is the most specific standard for biometric data security in China. Published in 2021 and effective March 1, 2022, it defines protection requirements specifically for biometric information throughout its lifecycle. Key provisions include:

  • Biometric template protection: Requires that biometric templates be stored using techniques such as cancelable biometrics, fuzzy commitment, or secure sketch — cryptographic techniques that allow template matching without exposing the underlying biometric data
  • Anti-spoofing requirements: Biometric systems must include liveness detection to prevent spoofing using photographs, videos, silicone masks, or recorded voice samples
  • Transmission security: Biometric data transmitted between sensors (cameras, fingerprint readers) and backend servers must be encrypted using approved cryptographic protocols. Plaintext biometric data must never traverse a network
  • Audit logging: All biometric data access, modification, and deletion must be logged with timestamps, user identification, and access details. Logs must be retained for at least 6 months
  • Secure deletion: Biometric data deletion must follow secure deletion algorithms that prevent forensic recovery

4. GB/T 39335-2020 — Personal Information Security Impact Assessment Specification

While primarily a process standard for conducting PIA, GB/T 39335-2020 also defines security benchmarks against which biometric processing must be evaluated. It cross-references GB/T 35273-2020 and GB/T 40660-2021, creating an integrated compliance framework.

Sector-Specific Biometric Security Standards

Financial Services (PBOC Standards)

Financial institutions using biometrics must comply with JR/T 0197-2020 (Financial Biometric Data Security Requirements), which mandates:

  • Biometric data must be stored within China’s borders
  • Biometric data must be encrypted using SM-series national cryptographic algorithms
  • Cross-border transfer of biometric data used for financial services is prohibited except under specific regulatory approvals
  • Biometric systems must achieve a false acceptance rate (FAR) of ≤ 0.001% and a false rejection rate (FRR) that does not unduly burden legitimate customers
  • Annual security audits of biometric systems by qualified third parties are mandatory

Public Security (Ministry of Public Security Standards)

For biometric systems used in public security contexts — or even in commercial settings where the data is accessible to public security authorities (e.g., hotel check-in systems, transport hubs) — the GA/T 893-2010 (General Specifications for Facial Recognition Systems) and related standards apply. These standards focus on:

  • Interoperability between systems used by different authorities
  • Data quality standards (image resolution, lighting conditions, capture angles)
  • Real-time transmission requirements to public security database systems
  • Access controls limiting biometric data use to authorized law enforcement purposes only

Commercial Buildings and Access Control

Property management and commercial access control systems using biometrics are increasingly governed by local municipal regulations. For example, the Shanghai Municipal Regulation on Facial Recognition in Residential Communities (2022) and similar regulations in Shenzhen, Beijing, and Hangzhou impose specific security standards including on-device processing requirements and prohibitions on cloud-based facial recognition databases for community access. Foreign companies operating commercial facilities should check local municipal regulations in their specific city of operation.

Encryption and Cryptographic Requirements

A critical area where foreign companies often struggle is China’s cryptography requirements. The Cryptography Law of China (effective January 1, 2020) establishes a framework for commercial cryptography use. While foreign cryptographic algorithms (AES, RSA, ECC) are not prohibited, there is a strong regulatory preference for China’s national cryptographic algorithms (SM series):

Algorithm Type Application for Biometric Data
SM2 Elliptic curve public-key cryptography Authentication and digital signatures for biometric system access
SM3 Cryptographic hash function Hash-based integrity verification of biometric databases
SM4 Block cipher symmetric encryption Encryption of biometric data at rest and in transit
SM9 Identity-based cryptography Alternative to certificate-based PKI for biometric system authentication

While foreign companies can technically use AES-256 for biometric data encryption, the choice may be questioned during regulatory audits. Many MLPS assessors and sector regulators specifically look for SM-series compliance. For new biometric system deployments, implementing SM4 encryption alongside AES-256 is strongly recommended.

Liveness Detection and Anti-Spoofing Standards

Under GB/T 40660-2021 and sector-specific standards, foreign companies must implement liveness detection that meets the following benchmarks:

  • Presentation Attack Detection (PAD): Biometric systems must detect at minimum the following attack types: printed photographs, digital display replay, video replay, silicone masks, and 3D-printed facial replicas
  • Liveness detection modalities: At least two independent liveness detection mechanisms should be combined (e.g., blink detection + texture analysis, or thermal imaging + movement analysis)
  • FAR for liveness detection: The system’s liveness detection false acceptance rate (classifying a spoof as genuine) should be ≤ 0.5% for Level 2 applications and ≤ 0.1% for Level 3 applications
  • Documentation: The system’s anti-spoofing capabilities and their tested accuracy rates must be documented as part of the PIPIA

Third-Party Certification and Testing

China offers voluntary certification programs that foreign companies may find valuable for demonstrating compliance:

  • IT Security Certification (CCRC): China Cybersecurity Review and Certification Center issues product-level certifications for biometric systems. Certified systems have been independently tested against GB/T standards
  • MLPS Assessment: Third-party MLPS assessments conducted by authorized testing laboratories can serve as comprehensive compliance evidence
  • GB/T 35273 Conformity Assessment: The TC260 has established a conformity assessment framework for personal information protection, including biometric data processing

Foreign companies using imported biometric hardware (e.g., European or American fingerprint readers, facial recognition cameras) should verify that the equipment meets Chinese national standards and has been tested by a Chinese-accredited laboratory. Some imported biometric devices may not support SM-series encryption or may not pass Chinese anti-spoofing testing requirements — these devices must be supplemented or replaced with locally compliant alternatives.

Documentation and Record-Keeping Requirements

Foreign companies must maintain the following documentation for biometric security standard compliance:

  • Security management policies specific to biometric data, approved by senior management
  • Data classification and grading register showing the MLPS level assigned to each biometric system
  • Security audit logs covering all access to biometric databases, retained for at least 6 months
  • Incident response plan specifically for biometric data breaches, tested at least annually
  • Third-party assessment reports from MLPS evaluations, penetration tests, and vulnerability scans
  • Vendor compliance documentation for any third-party biometric system components
  • Training records for personnel handling biometric data

Key Takeaway

Bottom line: Foreign firms in China must comply with a multi-tiered biometric security standards framework. MLPS 2.0 (GB/T 22239-2019) provides the foundational cybersecurity requirements. GB/T 35273-2020 and GB/T 40660-2021 set the specific rules for biometric data protection — especially template encryption, separate storage, anti-spoofing, and secure deletion. Sector-specific standards from PBOC (financial services) and MPS (public security) add additional layers depending on the industry. SM-series cryptographic algorithms (SM2, SM3, SM4) are increasingly expected. Foreign companies should engage Chinese-certified testing laboratories for MLPS assessments and ensure all imported biometric hardware meets Chinese national standards before deployment.

Related Resources

  • GB/T 22239-2019: MLPS 2.0 baseline for information security protection
  • GB/T 35273-2020: Personal Information Security Specification
  • GB/T 40660-2021: Biometric Information Protection Requirements
  • JR/T 0197-2020: Financial Biometric Data Security Requirements (PBOC)
  • Cryptography Law of China (2020): Legal framework for SM-series cryptographic algorithms
© 2026 China Gateway 360 — CG360-BIOMETRICS-FAQ-018


Related articles

Can I sell directly to Chinese consumers without a distributor?

Can I Sell Directly to Chinese Consumers Without a Distributor? Table of Contents Introduction: The Direct-to-Consumer Question in China Direct Sales

How to Protect Your Brand While Scaling Distribution in China: 2026 Guide

How to Protect Your Brand While Scaling Distribution in China: 2026 Guide Brand protection in China is not an afterthought—it is a prerequisite for sc

How to Handle Channel Conflict in China: Resolution Strategies for Foreign Brands

How to Handle Channel Conflict in China: Resolution Strategies for Foreign Brands Channel conflict in China—known as 渠道冲突 (channel conflict, qúdào chō

China Overtime Pay Estimator: Calculate Your Monthly Labor Cost Exposure

China Overtime Pay Estimator: Calculate Your Monthly Labor Cost Exposure China Overtime Pay Estimator: Calculate Your Monthly Labor Cost Exposure Over