China: Important New Guidance on Defining Sensitive Personal Information

Carolyn Bigg, Amanda Ge
DLA Piper
Contact
LinkedIn
Facebook
X
Send
Embed

DLA Piper

[co-author: Qinyan Jiang]

While the definition of sensitive personal information in China has always been different to other jurisdictions, with a focus on risk of harm at its heart, new draft guidance should make it easier for organisations to map their processing of China sensitive personal information, which is increasingly important in light of new cross-border data transfer and data audit obligations.

Under China’s data protection law, if a data controller processes any sensitive personal information, it will be subject to stricter obligations. For example, it must obtain the individuals’ separate consent. It must take enhanced technical and organizational measures. More importantly, under the new Chinese regulation governing the cross-border transfer of personal information (see our article here for details), if it transfers even one individual’s sensitive personal information outside China, it will need to file the transfer with the Chinese data regulator. Thus, the accurate identification of sensitive personal information has become increasingly important, and will become more so under proposed new data audit regulations.

The China Personal Information Protection Law (“PIPL“) defines sensitive personal information as any personal information that, once leaked or misused used, may easily lead to the infringement of an individual’s personal dignity or harm to personal or property safety.

The PIPL offers a few samples of sensitive personal information (e.g. biometrics, religious beliefs, medical health, financial accounts, whereabouts, and any personal information relating to minors under the age of fourteen). Recommended national standards such as GB/T 35273-2020 Personal Information Security Specifications (“Specifications“) and GB/T 43697-2024 Rules for Data Classification and Grading (“Rules“) also include non-exhaustive sample lists. During the past years, the identification of sensitive personal information in the market has relied heavily on such samples and lists.

In June 2024, a new Draft Guide for Sensitive Personal Information Identification (“Draft Guide“) was issued for public consultation, which proposes a different approach to identifying sensitive personal information. For example:

  • Facial recognition data: Under the Specifications and the Rules, only facial feature extraction or faceprint constitutes sensitive personal information. The Draft Guide now proposes to expand the scope to cover face images also, based on the rationale that facial feature extraction or faceprint may be generated from face images.
  • Health data: Under the Specifications and the Rules, food allergy related data is specifically identified as sensitive personal information, which (unreasonably) subject many restaurants and catering companies to stricter data protection obligations. The Draft Guide now proposes to limit the scope of health data to disease, illness, disabilities and diagnosis- and treatment-related data.
  • Finance data: Under the Specification and the Rules, transaction and expense records are identified as sensitive personal information, which may lead to an extreme conclusion that all the shops and malls keeping consumers’ purchase records process sensitive personal information. Under the Draft Guide, transaction and expense records would be removed from the list. Instead, sensitive personal finance information would be limited to bank, securities and fund account or card numbers and passwords, as well as token information and income details related to each specific account or card.
  • Other data: The Draft Guide proposes removing communications records and web browsing records from the sensitive personal list, which is helpful especially for companies that monitor and record employees’ work-related emails and messages. The Draft Guide also clarifies that flight and high-speed train travel records fall into the scope of “whereabouts” data and thus constitutes sensitive personal information, whether in a consumer or potentially even employee-travel context.

It is uncertain when the Draft Guide will be finalized, and indeed how much it would be relied upon by the Chinese data regulator considering it would only constitute non-binding recommended guidance. Nonetheless, it is clear that identifying sensitive personal information is no longer a straightforward question, and the context under which personal information is processed will be critical to the assessment. To be fair, the focus on “risk of harm” has always been a key component of defining sensitive personal information in China. Therefore, going forward organisations looking to identify its sensitive personal information should place more focus on the consequences and potential harm to the data subjects if the data in question is breached or misused. A case by case and context-specific analysis will likely be required.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper

Written by:

DLA Piper
DLA Piper
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

DLA Piper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide