Regulates facial recognition technology use in China, including through informed consent requirements, assessment requirements, storage and processing conditions, and certain outright prohibitions. Requires impact assessments and local filing for large volumes of facial recognition data. Delegates oversight and enforcement to cyberspace and public security authorities.
Analysis summaries, actor details, and coverage mappings were LLM-classified and may contain errors.
This is a binding regulatory measure issued by the Chinese central government with mandatory language, explicit enforcement mechanisms, penalties for violations, and designated enforcement authorities (cyberspace administrations and public security authorities).
The document has good coverage of approximately 8-10 subdomains, with strong focus on privacy compromise (2.1), security vulnerabilities (2.2), disinformation and surveillance (4.1), fraud and manipulation (4.3), overreliance and unsafe use (5.1), loss of agency (5.2), governance failure (6.5), and lack of robustness (7.3). Coverage is concentrated in privacy, security, misuse prevention, and human-computer interaction domains.
This regulation applies broadly across all sectors that use facial recognition technology in China, with explicit coverage of public administration, accommodation and food services (hotels), health care (public baths), and arts/entertainment/recreation (public changing facilities). The cross-sectoral nature is evidenced by general applicability to any 'personal information processor' using facial recognition technology.
The document primarily focuses on the Deploy and Operate and Monitor stages of the AI lifecycle, with comprehensive requirements for deployment procedures, ongoing monitoring, impact assessments, and operational security measures. It also addresses aspects of Plan and Design through requirements for purpose specification and necessity assessments.
The document explicitly focuses on facial recognition technology and facial information processing. It does not mention AI models, AI systems, frontier AI, general purpose AI, foundation models, generative AI, or compute thresholds. The scope is specifically limited to biometric facial recognition technology applications.
Chinese central government (specific agency not named in document summary, but implied to be cyberspace and public security authorities)
The document is described as being issued by the 'Chinese central government' and references multiple existing Chinese laws as its legal basis. The enforcement is delegated to cyberspace administrations and public security authorities.
Cyberspace administrations (网信部门) at provincial level or above, public security authorities, and other departments responsible for personal information protection
The document explicitly designates cyberspace administrations and public security authorities as the enforcement bodies with authority to conduct supervision, inspection, receive filings, and handle complaints. They have the power to enforce compliance and pursue violations.
Cyberspace administrations, public security authorities, and other departments responsible for personal information protection
The same authorities responsible for enforcement also conduct ongoing monitoring through supervision and inspection activities, filing reviews, and complaint handling mechanisms. They establish information sharing mechanisms to coordinate monitoring activities.
Personal information processors (organizations or individuals) that use facial recognition technology to process facial information within the PRC
The document explicitly defines and regulates 'personal information processors' as entities that independently determine the purpose and method of personal information processing activities using facial recognition technology. These entities must comply with consent requirements, impact assessments, filing procedures, and security measures.
9 subdomains (7 Good, 2 Minimal)