China recently introduced a new set of regulations that arguably could change the way surveillance technologies are used across the country. Set to take effect on 1st April 2025, the Regulations on the Administration of Public Security Video and Image Information Systems aims to enhance the protection of personal privacy while ensuring public security. With only a few months left until the regulations come into effect, we look at the key provisions in the regulation and what it could mean for businesses and privacy teams.
Three core pillars of the new regulations
The new regulations appear to fill crucial gaps left by China’s Cybersecurity Law and Personal Information Protection Law. While these existing laws addressed general data protection and cybersecurity, they lacked specific provisions on surveillance practices that have become more prevalent in public and private spaces. In recent years, the widespread use of surveillance cameras and video imaging systems has raised concerns about privacy breaches, particularly in areas where individuals expect privacy, such as hidden cameras in homestays and illicit recordings in gym locker rooms. To respond to these growing concerns, the new regulations introduce a comprehensive framework through three targeted pillars:
- Geographic restrictions
Cameras are banned in private spaces such as hotel rooms, private restaurant compartments, student dormitories, and public bathrooms, extending to any area where privacy intrusions may occur.
- Data governance
Where permitted to record, organisations must retain video data for a minimum of 30 days (extendable under national security laws) with secure deletion protocols, while unauthorised data sharing or system breaches face strict penalties.
- Compliance enforcement
Mandatory signage in Mandarin (e.g., “视频图像采集区域 – Video Image Acquisition Area, in English”) at surveillance sites and fines up to CNY 20,000 (≈£2,100) for unit violators, alongside criminal liability for individual violators.
Together, these pillars strengthen existing privacy laws. By defining prohibited zones, standardising data management processes, and empowering enforcement agencies, the regulations address the fragmented governance that allowed covert surveillance scandals to persist. For businesses, this means the start of a new phase of accountability, requiring proactive compliance strategies.
What privacy teams must do now
To effectively navigate the new regulations and ensure compliance, privacy teams must take immediate and strategic actions in clear stages.
Stage 1: Immediate actions
Organisations must register all surveillance systems with local authorities within 30 days of activation for new systems and within 90 days for systems already in use. Surveillance systems are also required to ensure cameras are not placed in prohibited zones such as hotel rooms and student dormitories.
Stage 2: Preparation for ongoing compliance
Privacy teams should adjust data retention protocols to ensure video footage is retained for the required 30 days and deleted securely, while proper signage must be displayed at all times. They should also be prepared for unannounced inspections by public security authorities.
Stage 3: Ongoing monitoring and third-party management
Ongoing training for staff in handling data access requests from individuals and state entities under Articles 20–21 is essential to empower the team for regulatory changes. Additionally, privacy teams must ensure third-party vendors comply with the new data protection and cybersecurity standards to avoid external compliance risks.
Using CCTV to safeguard property and people can inadvertently pose different personal data safeguarding challenges. HewardMills’ team of global data protection experts can support businesses in managing the complexities of emerging surveillance regulations, particularly where local nuances need careful interpretation.
To discuss this topic or anything else related to data protection and privacy, please contact us at dpo@hewardmills.com
