Abstract
This article analyses the definition, regulatory framework, and compliance challenges surrounding Sensitive Personal Information (SPI) under China’s Personal Information Protection Law (PIPL) and related standards. For enterprises, accurately identifying SPI within their data ecosystems is critical to PIPL compliance efforts. Organisations must continually assess risks tied to their data practices, particularly amid the challenges posed by big data and algorithmic profiling.
The definition of SPI
Sensitive personal information (SPI) in China is defined by Article 28 of the Personal Information Protection Law (PIPL) as:
Sensitive personal information refers to personal information that, once leaked or illegally used, will easily lead to infringement of the human dignity or harm to the personal or property safety of a natural person, including biometric recognition, religious belief, specific identity, medical and health, financial account, personal location tracking and other information of a natural person, as well as any personal information of a minor under the age of 14.
It can be observed from this definition that the core definition of SPI is risk-based and involves assessing whether a hypothetical leak or the illegal use of such information will “easily lead to the infringement of human dignity or harm” to a person or property.
The definition also contains some very high-level examples of categories of personal information (PI) that legislators believe are included within the scope of SPI. Such examples do not appear to function as a limitation on the scope of SPI and seem to merely serve an illustrative function.
The implications of processing SPI
The intended or actual processing of SPI creates various compliance obligations that a PI processor must fulfil to comply with the PIPL. Those compliance obligations include:
- Being transparent (PIPL, Article 7).
- Implementing strict protection measures (PIPL, Article 28).
- Seeking separate consent (PIPL, Article 29).
- Explaining the necessity of processing (PIPL, Article 30).
- Explaining the impact of processing (PIPL, Article 30).
- Providing adequate notices (PIPL, Articles 17 and 30).
- Making regulatory filings (PIPL, Article 38; Provisions on Promoting and Regulating Cross-border Data Flows).
- Conducting Personal Information Protection Impact Assessments (PIPL, Article 55).
Please note that any failure to comply with the PIPL can result in regulators demanding a third-party audit of processing activities or issuing penalties.
In an age of big data and algorithms that can identify whether someone is pregnant from their online browsing activities, the definition of SPI creates major practical problems with significant knock-on effects.
GB/T 35273-2020
Since SPI entails stricter processing obligations, identifying SPI has long been a key concern for enterprises.
Even before the release of the PIPL, GB/T 35273-2020 “Information security technology — Personal information security specification” had already provided definitions for PI and SPI, along with examples of relevant scenarios.
It is commonly considered that the PIPL is supplemented by the recommended national standard GB/T 35273-2020, which provides a classification table in Annex B that identifies data elements that are considered SPI as follows:
| Category | Typical Examples |
| --- | --- |
| Personal property information | Bank account, authentication information (password), bank deposit information (including amount of funds, payment and collection records), real estate information, credit records, credit information, transaction and consumption records, bank statements, etc., and virtual property information such as virtual currency, virtual transactions and game CD keys. |
| Physiological and health information | The records generated in connection with medical treatment, including pathological information, hospitalisation records, physician’s instructions, test reports, surgical and anaesthesia records, nursing records, medicine administration records, drug and food allergies, fertility information, medical history, diagnosis and treatment, family illness history, history of present illness, history of infection. |
| Personal biometric information | Personal genes, fingerprint, voice print, palm print, auricle, iris, facial recognition features, etc. |
| Personal identity information | ID card, military officer certificate, passport, driver’s licence, employee ID, social security card, resident certificate, etc. |
| Other information | Sexual orientation, marriage history, religious preference, undisclosed criminal records, communications records and content, contacts, friends list, list of chat groups, records of whereabouts, web browsing history, precise location information, accommodation information, etc. |
While GB/T 35273-2020 is merely a recommended national standard without legal force, it is highly respected and referred to in the Standard Contract for Outbound Transfer of Personal Information issued by the Cyberspace Administration of China (CAC) in Schedule 1 as follows:
“(V) Types of exported sensitive personal information (refer to the Information Security Technology — Personal Information Security Specification of GB/T 35273 and relevant standards, if applicable)…”
While the Annex B table can be considered more comprehensive than Article 28 of the PIPL, it is certainly not exhaustive.
Practice Guide to Identifying SPI
In September 2024, the National Technical Committee 260 on Cybersecurity of Standardisation Administration of China (TC260) issued the normative standards document TC260-PG-20244A, “Cyber Security Standards Practice Guide – A Guide to Identifying Sensitive Personal Information” (SPI Guide). The SPI Guide provides additional guidance concerning SPI and common examples of SPI.
Key criteria for identifying SPI under the SPI Guide
The SPI Guide elaborates on the risk assessment criteria that should be considered to identify SPI. According to Article 3 a) of the SPI Guide, if any of the following criteria can be met in the event PI is leaked or illegally used, such PI should be considered SPI:
- PI is likely to cause a natural person’s human dignity to be infringed;
- PI is likely to cause a natural person’s personal safety to be jeopardised; and
- PI is likely to cause a natural person’s property safety to be jeopardised.
PI is likely to cause a natural person’s human dignity to be infringed
It seems that an infringement of human dignity needs to be probable (as opposed to possible), as indicated by the word “likely”, for this criterion to apply.
Human dignity is a very high-level concept not defined within the PIPL. The notes within the SPI Guide suggest that:
Note 1: Situations that likely lead to the infringement of an individual’s personal dignity include “doxxing,” illegal intrusion into online accounts, telecom fraud, damage to personal reputation, and discriminatory differential treatment. Discriminatory differential treatment may result from the leakage of information related to an individual’s specific identity, religious beliefs, sexual orientation, particular diseases, or health conditions.
It is worth noting that human dignity appears to be an umbrella concept within the SPI Guide that includes other rights with their own characteristics. For instance, the right to privacy is protected within Chapter 6 of the Civil Code and is described within Article 1032 as follows:
Privacy is the undisturbed private life of a natural person and his private space, private activities, and private information that he does not want to be known to others.
Given the use of cross-references within the SPI Guide’s concept of human dignity, the scope of SPI may be more uncertain and wider than many previously thought.
PI is likely to cause a natural person’s personal safety to be jeopardised
The word “likely” is used once more for this criterion. It seems that an infringement of personal safety needs to be probable (as opposed to possible), as indicated by the word “likely”, for this criterion to apply.
Given that human dignity includes “the right to life, body, [and] health”, this criterion appears to overlap somewhat with “PI is likely to cause a natural person’s human dignity to be infringed”.
The note within the SPI Guide suggests that:
Note 2: For example, the leakage or illegal use of personal whereabouts and track information may pose a threat to their personal safety.
The note within the SPI Guide is somewhat limited in scope and may be of limited practical use.
In practice, PI processors will need to identify all possible risks arising from the leakage or illegal use of PI. If any of those risks likely lead to an individual being physically harmed, then the PI should be classified as SPI.
PI is likely to cause a natural person’s property safety to be jeopardised
The word “likely” is used for this criterion as well. As such, the probability of harm to property appears to be all that is required for this criterion to apply.
The note within the SPI Guide suggests that:
Note 3: For example, disclosure or illegal use of financial account information may cause property losses to the personal information subject.
While clear, this example is rather narrow. In such circumstances, we believe that assessing this criterion would, in practice, require an understanding of property and the connection between such property and PI.
Highest protection standard for data combinations
The SPI Guide suggests that it is necessary to consider whether PI is SPI on both an item-by-item basis and as a whole after combination. It then states that if a combination of PI is identified as SPI, that combination of data should be protected as SPI.
Article 3 c): It is necessary to consider both the identification of individual sensitive personal information and the overall attributes of multiple general personal information elements when aggregated or combined. An analysis should be conducted to assess the potential impact on personal rights if such information is leaked or misused. If the conditions described in 3 a) are met, the aggregated or combined personal information should be identified and protected as sensitive personal information.
Commonly used SPI
The SPI Guide describes and provides examples of the following categories of SPI:
| Category | Description | Typical examples |
| --- | --- | --- |
| Biometric Information | PI about biometric identification information and PI about the physical, biological or behavioural characteristics of a natural person obtained through technical processing, which can identify a natural person alone or in combination with other PI. | Personal gene, face, voice print, gait, fingerprint, palmprint, eye print, auricle, iris and other biometric information. |
| Information on Religious Beliefs | PI about an individual’s religion, religious organisation and religious activities. | PI about the religion you believe in, the religious organisations you join, your position in those organisations, the religious activities you participate in, and special religious practices. |
| Specific Identifying Information | PI that significantly impacts the human dignity or social evaluation of an individual, or PI that is otherwise inappropriate to disclose, especially PI that may lead to social discrimination. | PI such as the identity of persons with disabilities, occupational identity information unsuitable for disclosure, etc. |
| Medical and Health Information | PI about an individual’s medical visits and physical or mental health status. | Health status information related to personal physical or psychological injury, illness, disability, disease risk or privacy, such as symptoms, past medical history, family history, infectious disease history, medical examination reports, fertility information, etc. PI collected and generated during medical services such as disease prevention, diagnosis, treatment, nursing and rehabilitation, such as medical visit records (medical opinions, hospitalisation records, medical orders, surgical and anaesthesia records, nursing records, medication records) and inspection data (inspection reports, examination reports), etc. |
| Financial Account Information | PI about personal bank, securities and other accounts, as well as account capital transactions. | Personal account number and password of bank, securities, fund, insurance, provident fund and other accounts, joint provident fund account, payment account, bank card track data (or chip equivalent information), payment marking information based on account information, personal income details and other PI. |
| Whereabouts and Tracking Information | Continuous trajectory information formed by an individual’s changes in geographic location, activity locations and movement patterns over a specific period (except for specific professions, such as food delivery workers and couriers, where such information is necessary for fulfilling service obligations). | Continuous accurate location trajectory data, vehicle driving trajectory data and individual activity trajectory data. |
| PI of Minors under the Age of 14 | PI of minors under 14 years of age. | PI of minors under the age of 14. |
| Other Sensitive PI | In addition to the above, other common PI that meets the above criteria should be treated as SPI. | Precise positioning information, ID photos, sexual orientation, sexual life, credit information, criminal record information, photos or video information showing private parts of the individual’s body, etc. |
The descriptions and examples of SPI in the SPI Guide provide additional guidance that should help PI processors better understand the nature of SPI. However, the SPI Guide also emphasises that if there is sufficient justification and evidence demonstrating that the processed PI does not meet the conditions outlined in 3 a) (see above), it need not be classified as SPI.
Special Lists Issued by Free Trade Zones and Industry Regulators
The Beijing Free Trade Zone, Shanghai Free Trade Zone, and Hainan Free Trade Zone have issued negative lists applicable to data export activities, which include some examples of PI and SPI. These negative lists reflect the official stance of the relevant regulatory authorities, particularly the local CAC in each free trade zone.
We believe these examples can serve as useful references for enterprises in determining what qualifies as SPI.
Conclusion
As mentioned above, various regulations provide examples of SPI, including GB/T 35273-2020, the SPI Guide, and other lists issued by Free Trade Zones and industry regulators. However, since these regulations are issued by different authorities, discrepancies in the samples of SPI sometimes occur. For example, GB/T 35273-2020 classifies an ‘ID card’ as SPI, whereas the SPI Guide only considers ‘ID card photos’ as SPI; GB/T 35273-2020 includes ‘web browsing history’ as SPI, while the SPI Guide does not.
To minimise the impact of such discrepancies on the identification of SPI, enterprises need to systematically analyse their PI business context and processing methods to accurately analyse the risk associated with human dignity, personal safety, and property safety.
The identification of SPI is a basic PIPL compliance activity that all organisations must undertake on an ongoing basis to better understand their PIPL obligations. A failure to identify SPI may suggest the compliance framework of an organisation is inadequate and can result in an organisation failing to comply with its obligations under the PIPL, which generally include:
- Being transparent.
- Implementing strict protection measures.
- Seeking separate consent.
- Explaining the necessity of processing.
- Explaining the impact of processing.
- Providing adequate notices.
- Making regulatory filings.
- Conducting Personal Information Protection Impact Assessments.
A failure to implement any of the above compliance obligations can result in the regulator taking enforcement action or demanding a third-party audit of all PI processing activities.