Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRM
Email: zhu.yingying@mdlaw.cn
Date: October 12, 2024
Introduction
Under the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), “sensitive personal information” (the “SPI”) is defined as “the kind of ‘personal information’ (the “PI”) that the leakage or illegal use of which could easily lead to the violation of personal dignity of data subject or harm to the data subject’s personal or property safety, including, but not limited to, information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, etc., and the PI of minors under the age of fourteen1.” Only PI handlers2 with a specific purpose and sufficient necessity may process SPI, and strict protection measures should be taken to safeguard the SPI. The PIPL also requires that a data subject’s “independent consent” shall be obtained where processing SPI is required to have the data subject’s consent as the legal basis and the data subject shall also be informed of the necessity of processing SPI and the possible impact on the data subject.
The above risk-based approach definition of SPI is, inevitably, making the identification of SPI a challenging job. As the theft, misuse or mishandling of SPI can cause greater harm and damage to the image, reputation, personal or property security of the data subject, it is of critical importance to ensure that SPI can be clearly defined and therefore properly processed and protected.
To address the public’s concern over the somehow incomprehensible definition of SPI, on September 18, 2024, the National Network Security Standardization Technical Committee of the People’s Republic of China issued the "Identification Guide for Sensitive Personal Information" (hereinafter referred to as the "SPI Guide").3 The SPI Guide intends to set forth, with clarity, the identification rules for SPI and to provide common categories and examples for SPI , so as to serve as a practical reference for the processing and protection of SPI.
What's new?
1) “Circumstances that may easily lead to violation of personal dignity” identified
According to the SPI Guide, “circumstances that may easily lead to the violation of the personal dignity of a data subject”- a terminology in the legal definition of SPI-may be including, but not limited to, “cyber manhunt, illegal intrusion into others’ network accounts, telecom fraud, damage to personal reputation, and differential treatment with a discriminatory nature, resulting from the disclosure of information about the data subject's specific identity, religious beliefs, sexual orientation, specific diseases or health status”.
Here, “cyber manhunt” is addressing a certain type of SPI breach circumstances-a person’s private or secret life that in many SPI breach cases became the subject of public online shaming. If an individual’s personal private life, usually unpleasant or otherwise considered eccentric or immoral according to the prevailing orthodoxies, was being posted on some popular online social media platforms due to theft, misuse or mishandling of that individual’s SPI, and the news went viral, the victim in many cases would suffer spiritually from attacks of cyber-mobs and internet violence. The suffering can be nothing financial but only emotional. The SPI Guide’s inclusion of this type of harm caused to an individual’s personal emotional and psychological health, which, in many cases, could be the only resulting harm in the abuse of SPI, adds rational explanation into the somehow obscure legal term under the PIPL- “violation of personal dignity”, thus making it more comprehensible to the public.
2) “Specific Identity” further explained
As set forth in the SPI Guide, “specific Identity”-a term in the legal definition of SPI-refers to identity information that would have a significant impact on personal dignity and social evaluation or other identity information that would be inappropriate for disclosure, especially those that may lead to social discrimination, for example, “identity information of persons with disabilities”, and “occupational identity information that is not suitable or disclosure”.
Specifically, with respect to “occupational identity information that is not suitable for disclosure”, it is interesting to note that the two examples previously given in the draft SPI Guide were, “police” and “army”, respectively, but these two have both been crossed out in this formally released SPI Guide. It can be inferred that the formally released SPI Guide purposefully uses a broad definition without providing any specific examples so the definition can encompass other types of “occupational identity information that is not suitable for disclosure” not currently listed.
3) “Aggregation of many pieces of PI in regular categories” may become SPI
The SPI Guide provides that it is necessary to consider both the identification of the stand-alone SPI and the overall attributes of a number of PI in the regular categories after aggregation and analyze the impact that may be caused by the disclosure or illegal use on the data subject’s rights and interests. If the conditions described in the legal definition of SPI under the PIPL are met, the aggregated PI shall be identified and protected as a whole with reference to the rules concerning the processing of SPI (the “Aggregation Rule”).
As opposed to PI in the regular categories, SPI is a special category of data, and the PI handlers must handle it with additional and enhanced safeguards. Because data subjects have different rights over their SPI compared to the regular categories of PI, it is important for the PI handlers to be aware of and understand this “Aggregation Rule” when handling what they believe to be the regular categories of PI and make sure their relevant privacy policy reflect such changes in the processing rules under the newly released SPI Guide.
4) Data for “personal whereabouts” clarified
In the SPI Guide, data for “personal whereabouts”-a term in the legal definition of SPI- is defined as “the formation of continuous location tracking information for data subjects in a certain period of time, because of the changes in the specific geographical location, activity location and activity movement”. The exception being listed in the SPI Guide is “when a specific occupation (delivery worker, courier, etc.) is using such data to achieve service performance” hence the data used are not to be processed and protected as SPI.
It is worth noting that according to the SPI Guide, the location information collected by invoking the precise locating permission of the data subject’s personal mobile phone is “accurate location information”, while the “rough location information” calculated by one’s IP address is not considered “accurate location information”, because the “accurate location information” collected continuously can be used to generate the tracking data for “personal whereabouts” and therefore would be capable of endangering the data subject’s personal safety. In a nutshell, both the “accurate location information” and the “tracking data for personal whereabouts” are falling into the special category of SPI, while the “rough location information” calculated by the data subject’s IP address is not SPI.
5) Examples for “other types of SPI” provided
Apart from those examples specifically raised in the legal definition of SPI under the PIPL, the SPI Guide also provides the following examples for “other types of SPI”, which include “accurate location information, ID card photos, sexual orientation, sexual life, credit information, criminal record information, photos or video information showing private parts of the individual’s body and other personal information”.
Reading from the lines, it is interesting to note that one’s ID card photo is falling into the special category of SPI while the ID number, which in China would reveal a data subject’s place of birth, gender and date of birth, is not SPI.
Conclusion
As previously advised in my earlier article4, the story of Little Red Riding Hood teaches many of us a lifetime lesson that SPI security is of critical importance because identity theft could result in double murder and other horrible things. Today we are in a highly digitalized world and almost every netizen is dealing with internet hackers and identity thieves on a daily basis with new threats targeting SPI on the rise.
Safeguarding SPI against data theft, data misuse or mishandling is of vital importance because of the delicacy of the data, as it is intrinsically linked to the personal dignity, safety and well-being of everyone. If SPI falls into the hands of the wicked, it could lead to defamation, reputational damage, fraud, identity theft, death or other types of harm, with a price too high to bear.
With the newly released SPI Guide in place, if they have not already done so, businesses collecting any data from data subjects that fall under the special category of SPI or a number of PI in the regular categories that would fit into the “Aggregation Rule” shall immediately take actions to 1) comprehend the SPI Guide and understand the changes in the identification and protection rules; 2) determine whether any existing technical and organizational practices would be impacted; and 3) review, re-negotiate, draft, and update agreements, protocols, policies and procedures where and if necessary.
1.See Article 28 of the PIPL.
2.Personal information handlers determine the purpose and means of processing of personal information and operate in a way similar to “data controllers” under other privacy and data protection laws (e.g., the European Union’s General Data Protection Regulation (2016/679) (“GDPR”).
3.Source: National Network Security Standardization Technical Committee Secretariat; for further details of the SPI Guide, see https://www.tc260.org.cn/front/postDetail.html?id=20240918084858.
4.See https://www.dechert.com/knowledge/onpoint/2020/7/first-civil-code-in-china-to-bolster-data-privacy-protection.html.