CCTV News: According to the WeChat public account of "Internet Information China", recently, the State Internet Information Office and the Ministry of Public Security jointly announced the "Regulations on the Security Management of Face Recognition Technology Application" (hereinafter referred to as the "Measures"), which will come into effect on June 1, 2025.

A relevant person in charge of the National Internet Information Office said that the application of facial recognition technology is closely related to facial information security and has attracted high attention from all sectors of society. In order to standardize the use of facial recognition technology to process facial information and protect personal information rights, the State Internet Information Office and the Ministry of Public Security jointly issued the "Measures", which stipulate the basic requirements and processing rules for the use of facial recognition technology to process facial information, safety standards for the application of facial recognition technology, supervision and management responsibilities, etc.

The Measures clarify the basic requirements for the use of facial recognition technology to process facial information. When using facial recognition technology to handle facial information activities, we must abide by laws and regulations, respect social morality and ethics, abide by business ethics and professional ethics, be honest and trustworthy, fulfill personal information protection obligations, assume social responsibilities, and shall not endanger national security, damage public interests, or infringe on the legitimate rights and interests of individuals.

The Measures clarify the processing rules for the use of facial recognition technology to process facial information. First, it should have specific purposes and sufficient necessity, adopt methods with the least impact on personal rights and interests, and implement strict protection measures. Second, the obligation to inform should be fulfilled. Third, if the individual agrees to process facial information, the individual should obtain the individual's voluntary and explicit separate consent on the premise of full knowledge. If the facial information of minors under the age of fourteen is handled based on personal consent, the consent of the minor's parents or other guardians shall be obtained. Fourth, unless otherwise provided by laws and administrative regulations or obtained individual consent, facial information should be stored in facial recognition devices and must not be transmitted to the outside world over the Internet. Unless otherwise provided by laws and administrative regulations, the shelf life of facial information shall not exceed the shortest time necessary to achieve the processing purpose. Fifth, the impact assessment of personal information protection should be conducted in advance and the processing situation should be recorded.

The Measures clarify the safety standards for the application of facial recognition technology. First, if the same purpose is achieved or the same business requirements exist, and other non-face recognition technology methods are present, facial recognition technology shall not be used as the only verification method. If the state has other provisions, such provisions shall prevail. Second, if face recognition technology is used to verify individual identity and identify specific individuals, it is encouraged to give priority to the implementation of channels such as the national population basic information database and the national network identity authentication public services. Third, no organization or individual may mislead, fraud or coerce individuals to accept facial recognition technology to verify their personal identity on the grounds of handling business and improving service quality. Fourth, when installing facial recognition equipment in public places, it should be necessary to maintain public safety, and reasonably determine the face information collection area in accordance with the law and set up significant prompt marks. No organization or individual may install facial recognition equipment in private spaces in hotel rooms, public bathrooms, public locker rooms, public toilets and other public places. Fifth, the application system of facial recognition technology should adopt measures such as data encryption, security audit, access control, authorization management, intrusion detection and defense to protect the security of facial information.

The Measures clarify the supervision and management responsibilities. Personal information processors shall complete the filing procedures with the provincial and above Internet information departments in their location within 30 working days from the date when the number of facial information stored by using facial recognition technology reaches 100,000 people. The Internet Information Department, together with the public security organs and other departments that perform personal information protection responsibilities, establish and improve the information sharing and notification work mechanism, and coordinate the relevant work.

The Measures also stipulate legal responsibilities that violate the provisions of the Measures and the meaning of relevant terms.