China: New Definition and Guidelines on Sensitive Personal Information Now Finalised

Carolyn Bigg, Venus Cheung, Amanda Ge
DLA Piper
Contact
LinkedIn
Facebook
X
Send
Embed

DLA Piper

[co-author: Qiuyang Zhao]

We previously wrote about proposed changes to the definition of sensitive personal information under a June 2024 draft of the Guide for Sensitive Personal Information Identification (“Guide“). The Guide has now (September 2024) been finalized and issued by the National Information Security Standardization Technical Committee (TC260). Helpfully, it gives organisations greater scope to self-assess whether or not data qualifies as sensitive personal information based on risk of harm rather than just a prescriptive list.

The final Guide largely aligns with the June draft, incorporating only a few changes in wording. However, it introduces several business-friendly clarifications to the list of common examples of sensitive personal information therein (“Examples List“) that help limit the scope of sensitive personal information, including:

  • Location Access Methods: The issued Guide differentiates between location access methods used by mobile applications. It specifies that approximate location data derived from IP addresses is not classified as sensitive personal information, whereas precise mobile positioning data is considered sensitive.
  • Whereabouts/Tracking Information: The “whereabouts/tracking information” category of sensitive personal information has been clarified to encompass only data that indicates a “continuous track” of movements over a period of time, rather than including any data pertaining to locations of a person as in the June draft. Along the same line of reasoning, flight and high-speed train travel records have been removed from examples of this category.
  • Medical Device Data: According to the final Guide, not all data produced by medical devices during healthcare services will be classified as sensitive personal information; only examination and testing data during healthcare services risks falling under such classification.

Notably, the final Guide, in line with existing laws and standards, includes a new explanatory note highlighting the primacy of the “risk of harm” test over the Examples List. The note stipulates that data covered by the Examples List may not qualify as sensitive personal information if there is substantial evidence and justification showing that it fails to pass the “risk of harm” test as outlined in the Guide. This gives organisations greater scope to self-assess whether or not data qualifies as sensitive personal information based on risk of harm rather than just a prescriptive list.

The extent to which the Guide will be relied on by the regulator or courts remains to be seen. However, organizations are encouraged to refer to the Guide alongside existing laws and standards when identifying the sensitive personal information. In particular, as noted above and in our previous article, it is crucial for organizations to focus on the “risk of harm” test when identifying Mainland China sensitive personal information.

Skip to content

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper

Written by:

DLA Piper
DLA Piper
Contact
more
less

PUBLISH YOUR CONTENT ON JD SUPRA NOW

  • Increased visibility
  • Actionable analytics
  • Ongoing guidance

DLA Piper on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
Sign Up Log in
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide