What Privacy Impact Assessments Are Required for Foreign Companies Using Biometrics in China?
Foreign companies deploying biometric systems in China — whether for employee attendance tracking, customer identity verification, access control, surveillance, or payment authentication — must complete a formal Personal Information Protection Impact Assessment (PIPIA) before processing can begin. This requirement is not merely a best-practice recommendation; it is a legal obligation under the Personal Information Protection Law (PIPL) of China, which came into full effect on November 1, 2021.
This FAQ explains exactly what a PIPIA entails, when it is required specifically for biometric data processing, what the assessment must cover, how to conduct one, and what foreign companies commonly get wrong.
What Is a Personal Information Protection Impact Assessment (PIPIA)?
A PIPIA is a systematic process — analogous to a Data Protection Impact Assessment (DPIA) under the EU’s GDPR — designed to identify, evaluate, and mitigate privacy risks associated with personal information processing activities. Under Article 55 of the PIPL, a PIPIA is mandatory in the following scenarios:
- Processing of sensitive personal information (including biometric data)
- Automated decision-making that may significantly affect individual rights
- Entrusting processing of personal information to a third party
- Transferring personal information to a third party
- Disclosing personal information to the public
- Transferring personal information outside of China
- Other processing activities that may significantly affect the rights and interests of individuals
For foreign companies using biometric technologies in China, nearly every biometric use case triggers at least two — and often three or more — of these conditions simultaneously. A PIPIA is therefore mandatory in virtually every scenario.
When Exactly Is a PIPIA Required for Biometrics?
The following biometric processing activities by foreign companies in China definitely require a PIPIA:
| Biometric Use Case | PIPL Trigger(s) | PIPIA Required? |
|---|---|---|
| Employee fingerprint/face attendance tracking | Sensitive PI processing (Art. 28, 55) | Yes — always |
| Customer face recognition for payments | Sensitive PI + automated decision-making | Yes — always |
| Visitor biometric access control | Sensitive PI processing | Yes — always |
| Voiceprint authentication for call centers | Sensitive PI + entrustment | Yes — always |
| Cross-border transfer of biometric HR data | Sensitive PI + cross-border transfer | Yes — always (dual trigger) |
| Biometric data used for statistical analysis (anonymized) | May not trigger if truly anonymized | Usually no, but proof of anonymization is required |
| Biometric data stored only on local device, no network transmission | Sensitive PI processing still triggered | Yes — processing itself is the trigger |
The key point is that the threshold for triggering a PIPIA under PIPL is lower than under GDPR. Under GDPR, a DPIA is required only when processing is “likely to result in high risk.” Under PIPL, processing any category of sensitive personal information — including biometric data — creates a mandatory obligation to conduct a PIPIA, regardless of the risk level.
What Must a PIPIA Cover?
Article 56 of the PIPL specifies the minimum content of a PIPIA. For biometric processing activities, the assessment must include:
1. Necessity and Proportionality of the Processing
The assessor must demonstrate that the collection and processing of biometric data is necessary for the stated purpose and proportionate to the objective. For example: if an attendance system uses fingerprint scanning, the business must explain why a less invasive method (badge swiping, PIN entry) would not be sufficient. Chinese regulators increasingly expect foreign companies to adopt the principle of “data minimization” — collect the least amount of biometric data needed for the purpose.
2. Impact on Individual Rights and Interests
The assessment must evaluate how the biometric processing affects the data subjects. This includes not only privacy risks but also risks of identity theft, discrimination, social sorting, exclusion from services, and reputational harm. For foreign companies, this section should also consider the heightened concerns of Chinese citizens regarding foreign entities processing their biometric data.
3. Security Measures Implemented
The business must document the technical and organizational security measures in place to protect biometric data, including:
- Encryption standards for biometric data at rest and in transit (minimum: AES-256 for storage, TLS 1.3 for transmission)
- Access control mechanisms and role-based permissions
- Pseudonymization or anonymization techniques applied
- Incident response and breach notification procedures
- Data retention and secure deletion protocols
- Physical security for on-premises biometric databases
4. Cross-Border Transfer Conditions (if applicable)
If biometric data will be transferred outside China, the PIPIA must include an assessment of whether the overseas recipient provides adequate data protection. This requires a detailed analysis of the recipient country’s legal framework, the contractual protections in place, and any risks specific to biometric data leakage or misuse abroad.
5. Records of the Assessment
The PIPL requires that the PIPIA report be kept on file for at least three years from the completion of the processing activity. The report must be made available to the CAC or other regulatory authorities upon request. Failure to produce a PIPIA upon inspection carries the same penalties as failure to conduct one.
How Should Foreign Companies Conduct a PIPIA for Biometrics?
While there is no single mandated format for a PIPIA under Chinese law, the national standard GB/T 39335-2020 (“Personal Information Security Impact Assessment Specification”) provides a detailed methodology. Here is a step-by-step approach recommended for foreign companies:
Step 1: Define the Processing Scope
Document precisely what biometric data is being collected (fingerprint templates, facial recognition vectors, iris scans, voiceprints, gait patterns), for what purpose, by whom, through what means, and where it is stored.
Step 2: Identify the Legal Basis
Determine which legal ground under PIPL supports the processing. For biometric data, typical legal bases include separate consent (Article 13(1)), human resources management necessity (Article 13(2)), or contract performance necessity (Article 13(2)). Document the basis clearly.
Step 3: Map the Data Flow
Create a complete data flow diagram showing how biometric data moves from collection through storage, processing, sharing, transfer, and deletion. Identify all third parties (cloud providers, software vendors, payroll processors) with access to biometric data.
Step 4: Identify and Assess Risks
For each processing activity, identify privacy risks specific to biometric data. Common risks include:
- Reidentification risk: Even anonymized biometric templates can potentially be matched back to individuals through cross-referencing with other databases
- Function creep: Biometric data collected for one purpose (e.g., access control) being reused for another (e.g., employee monitoring)
- Breach exposure: Unlike passwords, compromised biometric data cannot be replaced — the risk is permanent
- Discrimination risk: Biometric systems may have differing accuracy rates across demographic groups
Step 5: Identify Mitigation Measures
For each identified risk, document the specific measures taken to reduce or eliminate it. This may include technical controls (encryption, on-device processing, template protection techniques), organizational controls (policies, training, audits), and contractual controls (data processing agreements, cross-border transfer safeguards).
Step 6: Document and Approve
Formalize the PIPIA report, obtain sign-off from the company’s data protection officer (or equivalent) and senior management, and store the report in accordance with the three-year retention requirement. The report should be reviewed and updated whenever there is a material change to the processing activity.
Common Mistakes Foreign Companies Make
Foreign businesses conducting PIPIAs for biometric processing in China frequently fall into these traps:
- Treating PIPIA as a one-time exercise: The PIPL requires that PIPIAs be conducted before processing begins, but also that they be updated when circumstances change — such as adding a new biometric modality, expanding the number of data subjects, or introducing a new overseas data processor
- Copying GDPR DPIAs: While the methodology is similar, PIPL requirements differ in key areas. For example, PIPL places greater emphasis on the “necessity” analysis and expects more detailed documentation of security measures. A GDPR DPIA is not a substitute for a PIPL-compliant PIPIA
- Overlooking third-party processors: Many foreign companies use third-party biometric systems (e.g., cloud-based facial recognition APIs from Chinese or international vendors). The PIPIA must cover the entire processing chain, including the security measures of each third party
- Failing to involve local counsel: PIPL enforcement is still evolving in China. Assessments that would be acceptable in one jurisdiction may fail inspection in another. Local Chinese data privacy counsel should review every PIPIA before biometric processing begins
- Inadequate consent records: The PIPIA should cross-reference the consent management system to demonstrate that separate, specific consent was obtained for biometric processing as required under Article 28
What Are the Consequences of Not Conducting a PIPIA?
Failure to conduct a mandatory PIPIA before processing biometric data in China exposes foreign companies to the full range of PIPL penalties:
- Corrective orders: Regulators can order the immediate cessation of biometric processing and deletion of all collected data (Article 66)
- Fines of up to RMB 50 million or 5% of annual revenue: For serious violations involving sensitive personal information
- Suspension of business operations: In the most severe cases, Chinese authorities can order the suspension of the company’s China operations
- Personal liability for management: Fines of RMB 100,000 to RMB 1 million for responsible individuals, plus potential prohibition from holding data-related positions
- Civil damages: Individuals are entitled to claim compensation for PIPL violations, and class-action mechanisms are increasingly being used in China
Key Takeaway
Related Resources
- PIPL Articles 55–56: Mandatory PIPIA requirements and content specifications
- GB/T 39335-2020: National standard for Personal Information Security Impact Assessment methodology
- GB/T 35273-2020: National standard for Personal Information Security — the primary security specification
- Cybersecurity Administration of China (CAC): Regulatory guidance on impact assessments for sensitive data processing
