DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 015 · FACIAL-RECOGNITION

When Is Facial Recognition in a Public Place 'Necessary for Public Security'? Hong Yanqing's Four-Element Framework

Hong Yanqing on how to operationalize PIPL Article 26's 'necessary for public security' principle for public-place video surveillance and facial recognition. His framework: a four-step necessity test, tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism — drawing on EU AI Act and US state-level practice.

Editor’s Note — DCC.

Hong Yanqing is one of the most influential voices on Chinese data-protection law. This piece is a republication on his WeChat channel 网安寻路人 of a 2025 paper he originally published in 《公安学研究》 (Public Security Studies), the journal of the Ministry of Public Security’s People’s Public Security University. It is academic in form but practitioner in stakes.

The stakes: PIPL Article 26 sets the foundational rule for public-place video surveillance and facial recognition in China — “necessary for public security.” The 2024 Video Image Information System Regulations and the 2025 FRT Measures have built the implementing rulebook around it. But the operational question — when is a deployment “necessary for public security”? — has remained underspecified. Hong’s paper proposes a four-element framework to operationalize it: a four-step necessity test, a tiered risk regime with a published prohibited list, three-fold technical controls, and a lifecycle closure mechanism.

We rewrote rather than literally translated the paper because the practical question for overseas compliance teams — what do regulators expect from a public-place FRT deployment in China? — is exactly what Hong’s framework answers in concrete detail. The brief reframes his argument for an audience that needs to know what to build, not why the underlying jurisprudence is what it is.

PIPL Article 26 sets the foundational rule for public-place surveillance in China. Equipment installed in public places that captures images or identifies individuals must be “necessary for public security” (维护公共安全所必需), accompanied by conspicuous notice, and the data collected may only be used for that public-security purpose. Use for other purposes requires the individual’s separate consent.

In September 2024 the State Council issued the Regulations on the Administration of Public Safety Video Image Information Systems (公共安全视频图像信息系统管理条例). In 2025 the Cyberspace Administration of China issued the Measures on the Security Management of Facial Recognition Technology Applications (人脸识别技术应用安全管理办法). Together they form the operating rulebook for Article 26.

But, Hong Yanqing argues in an April 2026 essay drawn from his paper in 《公安学研究》, the operating rulebook still does not answer the core question. Both implementing regulations restate the “necessary for public security” principle. Neither tells a compliance team — or a regulator — how to determine when a deployment is necessary. That gap is where Hong’s paper does its work.

Hong’s diagnostic is that the necessity principle has remained a gestural concept. There is no conceptual unpacking — is “necessary” about the importance of the security objective, the indispensability of the technical means, or the minimality of the deployment scope? There is no procedural standard — no requirement to produce a structured necessity demonstration. There is no accountability mechanism — no standardized assessment template, no public verifiability. The result, he writes, is that the principle “spins in place” — invoked as authority but not actually doing the discriminating work a legal principle is meant to do.

His proposal is structural: take the proportionality test that the European regime has spent two decades operationalizing and the patchwork of state-level biometric laws that the US has developed, extract their working architecture, and operationalize “necessary for public security” through a four-element framework. The framework is the kind of thing overseas compliance teams will recognize from GDPR practice — but cast specifically in PIPL Article 26 terms.

The four-step necessity test

Hong’s first element is a structured proportionality-and-necessity test, conducted on every individual project, with four sequential layers.

  1. Purpose legitimacy. The deployment must serve a definite and significant public-security objective with present urgency. Administrative convenience, commercial benefit, and image-building are not sufficient. The applicant must produce a risk assessment, historical incident data, or threat analysis demonstrating that the foreseeable harm without the measure justifies the measure.

  2. Means effectiveness. The applicant must show a verifiable causal connection between the chosen technology and the security objective. If the technology cannot be shown to meaningfully advance the objective, the deployment is not necessary — it is symbolic. Required documentation: effectiveness data, technical performance metrics, expected false-positive and false-negative rates.

  3. Alternatives. The applicant must show that no equally effective but less intrusive alternative exists. Patrol intensification, time-limited control, non-identifying cameras, document inspection — all are in the field of comparison. Where a less-intrusive alternative would suffice, the more intrusive technology cannot be deployed.

  4. Minimum harm. Even after the first three are satisfied, the deployment must be minimized along several dimensions: capture scope, resolution, duration, retention period, and audience for the captured data. A human-in-the-loop mechanism and a grievance-correction channel must be available for any automated identification.

Hong’s procedural proposal is that the four-step analysis be institutionalized as a “necessity evidence packet” (必要性证据包). The applicant submitting a project should produce, in one package: risk baseline and threat assessment, objective and performance metrics, alternative-comparison and rejection rationale, capture-minimization plan, algorithm evaluation report, watchlist governance procedure, retention and destruction schedule, and a grievance mechanism. For facial-recognition projects, a separate Personal Information Protection Impact Assessment (PIPIA) and independent algorithm audit are mandatory additions. The burden of demonstration rests on the applicant — a “raise it, prove it” rule — and the regulator’s role is to assess that demonstration and issue a conditioned approval or denial.

This first element is the gate. Everything downstream is conditioned on it.

Risk tiering and a prohibited / exception list

The second element splits the projects that have cleared the gate into a tiered scheme, with a prohibited list at the edge.

  • High risk. Examples: post-hoc large-scale FRT analysis, real-time FRT monitoring in priority security zones, broad FRT deployment at large events or major transit hubs. Compliance obligations: mandatory PIPIA, monitoring, recording and audit mechanisms, certified algorithms with high performance and low false-positive rates, minimum retention with transparent destruction.

  • Medium risk. Examples: 1:1 identity verification within a limited zone (employee gate, library access, campus entry), ordinary security monitoring without identification. Compliance obligations: defined purpose and scope, defined watchlist source and size, algorithm accuracy verification, periodic spot checks.

  • Low risk. Examples: anonymous analytics or situational sensing that does not identify individuals. Compliance obligations: basic transparency notice, data minimization.

  • Prohibited list. Examples: real-time 1:N FRT in open public space, routine identification of sensitive populations. These are structurally incapable of clearing the necessity test and should be explicitly listed. A narrow exception procedure — high-level authorization, defined applicability conditions, audit standards, post-use accountability — would govern the genuinely extraordinary edge cases.

Hong’s design point: the prohibited list and the tiering arise from the same source, the necessity test. A project that cannot clear the four-step test is automatically prohibited. A project that clears it is tiered by what the necessity analysis itself yielded. The two halves interlock.

This is the part of Hong’s framework that lifts most directly from EU practice. The AI Act’s explicit prohibition on real-time 1:N FRT in open public space is the model. Hong wants the Chinese regime to publish an equivalent list — codified, public, and uniformly applied across provinces, so that the necessity-test edge cases do not get re-litigated in each local enforcement action.

Three-fold operational controls — scene, watchlist, algorithm

The third element translates tier into runtime parameters. Hong proposes three control surfaces.

  • Scene control (“where”). Define an allowed-scenes whitelist in the regulations, fix geographic boundaries with geofencing, and impose time windows. A camera that can only operate inside a defined polygon during a defined window is structurally incapable of “purpose drift” into routine social management.

  • Watchlist control (“who”). The matching database must be (i) bounded to the specific public-security objective — suspects in major criminal investigations, fugitives, high-risk missing persons; (ii) capped in size, with mandatory pre-deployment refresh and verification; and (iii) source-legitimate — no scraping from social media or commercial databases. Minors are default-excluded. An appeal-and-removal mechanism is mandatory.

  • Algorithm control (“what”). Accuracy and false-positive thresholds (Hong suggests false-positive rate ≤ 1‰ as a reference), bias evaluation across gender, age, and skin-tone subgroups, explainability (the system must produce a decision-path artifact suitable for external audit), and a human-in-the-loop step — all identification results must be human-verified before being used for enforcement decisions.

Together, these three controls limit the deployment along three axes simultaneously. A scene-whitelisted camera in a geofenced perimeter operating during a posted window, matching against a small audited watchlist via a certified algorithm with mandatory human review — Hong’s argument is that this is what “necessary for public security” looks like once it has been operationalized.
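The three controls above can be expressed as a single runtime gate that an operator evaluates before any match is used. This is an added example, not code from Hong's paper or from any regulation; the class and function names, the coordinates, the evening window and the 500-entry cap are constructed assumptions, and only the 1‰ false-positive reference comes from the text.

```python
from dataclasses import dataclass
from datetime import datetime, time

@dataclass(frozen=True)
class DeploymentPolicy:              # hypothetical structure, not from any regulation
    geofence: tuple                  # approved polygon as (x, y) vertices
    window: tuple                    # (start, end) local time of day
    watchlist_cap: int               # maximum approved watchlist size
    max_fpr: float = 0.001           # the 1 per mille reference cited in the text

def in_polygon(pt, poly):
    """Ray casting: toggle on every polygon edge crossed by a ray going +x from pt."""
    x, y = pt
    inside = False
    for (x1, y1), (x2, y2) in zip(poly, poly[1:] + poly[:1]):
        if (y1 > y) != (y2 > y) and x < x1 + (y - y1) * (x2 - x1) / (y2 - y1):
            inside = not inside
    return inside

def in_window(t, window):
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end    # window that crosses midnight

def gate(policy, camera_pos, when, watchlist_size, certified_fpr, human_verified):
    """Return (allowed, reasons); any failed control blocks enforcement use."""
    reasons = []
    if not in_polygon(camera_pos, policy.geofence):
        reasons.append("scene: camera outside geofence")
    if not in_window(when.time(), policy.window):
        reasons.append("scene: outside approved time window")
    if watchlist_size > policy.watchlist_cap:
        reasons.append("watchlist: size exceeds cap")
    if certified_fpr > policy.max_fpr:
        reasons.append("algorithm: false-positive rate above threshold")
    if not human_verified:
        reasons.append("algorithm: result not human-verified")
    return (not reasons, reasons)

# Constructed sample policy: a 10x10 square perimeter, evening window, 500-entry cap.
POLICY = DeploymentPolicy(
    geofence=((0, 0), (10, 0), (10, 10), (0, 10)),
    window=(time(18, 0), time(23, 0)),
    watchlist_cap=500,
)

if __name__ == "__main__":
    print(gate(POLICY, (5, 5), datetime(2025, 1, 1, 20, 0), 300, 0.0005, True))
    print(gate(POLICY, (12, 5), datetime(2025, 1, 1, 2, 0), 800, 0.002, False))
```

Returning the list of failed controls, rather than a bare boolean, gives the audit log a record of which axis blocked a given use.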

Lifecycle closure — exit, rectify, destroy

The fourth element is post-deployment. Necessity is not a moment-in-time judgment. It is conditional on the conditions that justified the deployment continuing to hold. When they cease to hold, the deployment must wind down. Hong proposes three closure mechanisms.

  • Exit. When a project no longer meets the necessity standard — because the security situation has changed, because the privacy cost outweighs the benefit on reassessment, or because a less-intrusive alternative has matured — the authority must be able to revoke the prior approval, order shutdown of the equipment, and halt the data collection. Hong notes the EU AI Act’s parallel provision empowering member-state authorities to require providers to withdraw or recall AI systems.

  • Rectify. When problems emerge during operation — sudden spikes in false-positive rates, evidence of misuse, deficient privacy protection — the operator must self-audit and rectify rather than wait to be ordered. The regulator, in inspections or in response to complaints, can issue a rectification order with a deadline; for serious violations, the system can be suspended during rectification.

  • Destroy. Personal image data cannot be retained indefinitely. Hong’s model: deletion or irreversible anonymization on the earlier of (i) the deployment purpose being achieved, (ii) the lawful retention window expiring, or (iii) the project being decommissioned. The reference he cites is the Illinois Biometric Information Privacy Act’s requirement that biometric identifiers be deleted within three years of the last contact with the data subject, and the UK Surveillance Camera Code of Practice’s requirement that footage be retained no longer than necessary. Destruction receipts and audit trails should be required so that operators cannot quietly retain data after a project has been wound down.

Why this matters for overseas compliance

For overseas teams operating in or vendoring to China, Hong’s framework is several practical things at once.

  • Article 26 is now operating regulation, not just principle. With the Video Image Information System Regulations (State Council, 2024) and the FRT Measures (CAC, 2025), Article 26 has moved from statutory aspiration to operating rule. Filing obligations attach at concrete thresholds — for example, FRT systems storing facial data of more than 100,000 persons must file with provincial CAC within 30 working days under the FRT Measures.

  • Build a “necessity evidence packet” before you deploy. Hong’s procedural proposal — a unified set of documents that operationalize the four-step test — is likely to influence regulator-facing documentation expectations going forward. Compliance teams that anticipate this and build the documentation pre-deployment will land in a stronger position when reviewed.

  • The prohibited-list shape is becoming legible. Real-time 1:N FRT in open public space is the EU’s bright line; Hong’s reading is that China is converging toward a similar list, narrower in scope and articulated through the Chinese implementing regulations. Vendors and operators should not assume that the most aggressive deployments are sustainable, even where the current statute permits them.

  • The technical-controls layer is enforceable. Geofencing, time windows, watchlist caps, algorithm certification, human-in-the-loop, audit logs — these are technical controls that can be verified by an inspector, and they are the surface most likely to be tested in enforcement. If they are not built into the architecture from procurement, retrofitting them later is expensive.

  • Plan for lifecycle, not just launch. The exit-rectify-destroy closure is where many existing deployments will discover gaps. Retention schedules, destruction receipts, and decommissioning audits have not always been built into the original procurement and architecture. Under Hong’s framework, they need to be.

The deeper point in Hong’s paper — and the reason it is worth a careful read — is that “necessary for public security” is a principle that does its work only when it has been operationalized. Until it is, the principle protects nothing in particular; it just sits at the top of the regulation as a placeholder for a more concrete rule that has not yet been drafted. Hong’s four-element framework is one way to draft that rule. For overseas compliance teams operating in China, it is also the most credible guide to what the regulator is converging toward.


— Hong Yanqing, 公共场所视频监控与人脸识别的治理路径:国际经验与中国方案 (Governance Pathways for Public-Place Video Surveillance and Facial Recognition: International Experience and the Chinese Approach), originally published in Public Security Studies (《公安学研究》), 2025; republished on 网安寻路人 WeChat Official Account, April 4, 2026.

Not legal advice.

