China toughens rules on private FRT while consolidating Beijing’s digital rule

Recipes for digital control vary by region. In China, the Beijing government is stirring in two directions, as it moves to crack down on the use of facial recognition by private companies, while preparing to roll out its state-issued national digital ID in a move to centralize identity verification under government purview.

The actions illustrate the manner in which Beijing continues to try and balance regulation with censorship, as it purports to address public concerns about widespread commercial use of facial recognition and the vulnerability of personal information, while further consolidating government control of the internet.

It also portends a potential stall in the Chinese face biometrics market, as the CPC expands its Great Firewall to encompass facial recognition tech that has seen a boom in China over the past five years.

Crackdown on facial recognition reportedly driven by public complaints

Under the new regulation, developed by the Cyberspace Administration of China (CAC) and the Ministry of Public Security (MPS) and revealed in May 2025, organizations that handle the face biometrics of at least 100,000 people must file with the Beijing Internet Information Office. MLex reports that 69 Beijing organizations have begun the online filing process. Their applications are now under review.

The regulation focuses on the illegal collection and use of facial recognition tech in public spaces for commercial use. It targets sectors including transportation, sports and leisure, education, logistics, commerce and culture, promising regular inspections of data collection, management procedures and informed consent for processes like hotel check-ins or gaining physical access to gated communities.

Beijing says the facial recognition rules are a response to complaints about the misuse of the technology. Some subjects reportedly were to remove their facial recognition data when deleting accounts from platforms.

‘Cyberspace ID’ framed as ‘bullet proof vest’ for PII

Beijing, however, is no champion of data privacy. Rather, it wants to remain its sole arbiter. Estimates put the number of domestic Chinese government surveillance cameras around 700 million. Yet a recent Forbes feature declares that “China’s Surveillance State is Losing its Grip,” citing a Wired investigation that found evidence of government employees selling personal information on the black market.

Beijing has no interest in ceding control of its 1.4 billion citizens’ digital lives, and the regulations may be part of a complex strategy that leverages data privacy concerns and digital identity to tighten its grip.

The government’s incoming federated digital ID scheme could be a key ingredient. The so-called “Cyberspace IDs” come in two forms: a series of letters and numbers, and an online credential, and can be used across government and private online services. It comes into effect on July 15, with a stated goal to minimize the amount of data individuals must share, in the interest of strengthening online privacy – a so-called “bullet proof vest for personal information.”

‘No accountability’: human rights groups decry national virtual ID

A statement from Chinese Human Rights Defenders (CHRD) and Article 19 calls this into question, claiming the system will “further constrict anonymity” in an already heavily policed digital environment. It takes particular issue with the policy requiring users to register through the National Online Identity Authentication App, developed by the MPS, using their national identification card and facial recognition.

Shane Yi, a researcher at CHRD, says “internet users across China already endure heavy censorship and control by the government. The new Internet ID regulations escalate Beijing’s attack on free speech, putting human rights defenders, journalists, lawyers, and anyone who questions authority at even greater risk.”

For now, the program and its facial authentication component are voluntary, although the regulation “encourages public services, private services, and general users to adopt it.” CHRD says more than 80 mobile applications began trialing the authentication system within days of its July 2024 release, including major names like WeChat, Taobao and Zhaopin.

“Real-name identity verification is already required for multiple web-based services – from social media, sim card to domain name registration – under the Cybersecurity Law enacted in 2017 and other regulations,” the statement says. CHRD and Article 19 believe the regulation “gives the Chinese government even greater opportunities to surveil and control online speech, expand censorship, and threaten reprisals against human rights defenders.”

“It provides no accountability to address numerous privacy concerns, and risks extraterritorial applications.”

In comments to CNN, Xiao Qiang, a research scientist studying internet freedom at the University of California, Berkeley, goes even further, calling it “a state-led, unified identity system capable of real-time monitoring and blocking of users.”

“It can directly erase voices it doesn’t like from the internet, so it’s more than just a surveillance tool – it is an infrastructure of digital totalitarianism.”

Two birds, two pots, one goal

A lengthy analysis of China’s new regulation from law firm Bird & Bird leads with this summary: “China continued to enhance its regulatory framework in key areas such as personal information protection, data and cyber security, cross-border data flows, and the development of basic systems for data by issuing a series of laws, regulations and national standards. At the same time, law enforcement actions related to cybersecurity and personal information protection are intensifying, requiring enterprises to strictly fulfil their primary responsibilities for safeguarding cybersecurity and protecting personal information.”

So it goes: one stick stirs the pot of data privacy, while the other keeps the curds of authoritarianism supple and solid.

Article Topics

China  |  Cyberspace Administration of China (CAC)  |  data privacy  |  digital ID  |  facial recognition  |  regulation