
New Guidance Released to Clarify Identification Rules for SPI

Author: Yingying Zhu, Partner at BEIJING MINGDUN LAW FIRM

Email: zhu.yingying@mdlaw.cn

Date: October 12, 2024

 

Introduction

Under the Personal Information Protection Law of the People’s Republic of China (the “PIPL”), “sensitive personal information” (the “SPI”) is defined as “the kind of ‘personal information’ (the “PI”) that the leakage or illegal use of which could easily lead to the violation of personal dignity of data subject or harm to the data subject’s personal or property safety, including, but not limited to, information on biometric identification, religious beliefs, specific identity, health care, financial accounts, and personal whereabouts, etc., and the PI of minors under the age of fourteen[1].” Only PI handlers[2] with a specific purpose and sufficient necessity may process SPI, and strict protection measures should be taken to safeguard the SPI. The PIPL also requires that, where the processing of SPI relies on the data subject’s consent as its legal basis, the data subject’s “independent consent” be obtained, and that the data subject be informed of the necessity of processing SPI and the possible impact on the data subject.

This risk-based definition of SPI inevitably makes the identification of SPI a challenging job. As the theft, misuse or mishandling of SPI can cause greater harm and damage to the image, reputation, personal or property security of the data subject, it is of critical importance to ensure that SPI can be clearly defined and therefore properly processed and protected.

To address the public’s concern over the somewhat incomprehensible definition of SPI, on September 18, 2024, the National Network Security Standardization Technical Committee of the People’s Republic of China issued the "Identification Guide for Sensitive Personal Information" (hereinafter referred to as the "SPI Guide").[3] The SPI Guide intends to set forth, with clarity, the identification rules for SPI and to provide common categories and examples of SPI, so as to serve as a practical reference for the processing and protection of SPI.

 

What's new?

 

1) “Circumstances that may easily lead to violation of personal dignity” identified

 

According to the SPI Guide, circumstances that may easily lead to the violation of the personal dignity of a data subject (a term in the legal definition of SPI) include, but are not limited to, “cyber manhunt, illegal intrusion into others’ network accounts, telecom fraud, damage to personal reputation, and differential treatment with a discriminatory nature, resulting from the disclosure of information about the data subject's specific identity, religious beliefs, sexual orientation, specific diseases or health status”.

Here, “cyber manhunt” addresses a particular type of SPI breach: a person’s private or secret life becoming, as in many SPI breach cases, the subject of public online shaming. If an individual’s private life, usually unpleasant or otherwise considered eccentric or immoral according to the prevailing orthodoxies, is posted on popular online social media platforms due to theft, misuse or mishandling of that individual’s SPI, and the news goes viral, the victim in many cases suffers emotionally from attacks by cyber-mobs and internet violence. The suffering may be purely emotional rather than financial. The SPI Guide’s inclusion of this type of harm to an individual’s emotional and psychological health, which in many cases could be the only harm resulting from the abuse of SPI, gives a rational explanation to the somewhat obscure legal term under the PIPL, “violation of personal dignity”, making it more comprehensible to the public.

 

2) “Specific Identity” further explained

 

As set forth in the SPI Guide, “specific identity” (a term in the legal definition of SPI) refers to identity information that would have a significant impact on personal dignity and social evaluation, or other identity information that would be inappropriate for disclosure, especially information that may lead to social discrimination, for example, “identity information of persons with disabilities” and “occupational identity information that is not suitable for disclosure”.

Specifically, with respect to “occupational identity information that is not suitable for disclosure”, it is interesting to note that the two examples previously given in the draft SPI Guide were “police” and “army”, respectively, but both have been crossed out in the formally released SPI Guide. It can be inferred that the formally released SPI Guide purposefully uses a broad definition without providing any specific examples, so that the definition can encompass other types of “occupational identity information that is not suitable for disclosure” not currently listed.

 

3) “Aggregation of many pieces of PI in regular categories” may become SPI

 

The SPI Guide provides that it is necessary to consider both the identification of stand-alone SPI and the overall attributes of a number of pieces of PI in the regular categories after aggregation, and to analyze the impact that their disclosure or illegal use may have on the data subject’s rights and interests. If the conditions described in the legal definition of SPI under the PIPL are met, the aggregated PI shall be identified and protected as a whole with reference to the rules concerning the processing of SPI (the “Aggregation Rule”).

As opposed to PI in the regular categories, SPI is a special category of data, and PI handlers must handle it with additional and enhanced safeguards. Because data subjects have different rights over their SPI compared to the regular categories of PI, it is important for PI handlers to be aware of and understand this Aggregation Rule when handling what they believe to be the regular categories of PI, and to make sure their relevant privacy policies reflect such changes in the processing rules under the newly released SPI Guide.

 

4) “Data for personal whereabouts” clarified

In the SPI Guide, data for “personal whereabouts” (a term in the legal definition of SPI) is defined as “the formation of continuous location tracking information for data subjects in a certain period of time, because of the changes in the specific geographical location, activity location and activity movement”. The exception listed in the SPI Guide is “when a specific occupation (delivery worker, courier, etc.) is using such data to achieve service performance”; in that case, the data used are not to be processed and protected as SPI.

 

It is worth noting that, according to the SPI Guide, the location information collected by invoking the precise locating permission of the data subject’s personal mobile phone is “accurate location information”, while the “rough location information” calculated from one’s IP address is not considered “accurate location information”. The reason is that “accurate location information” collected continuously can be used to generate the tracking data for “personal whereabouts” and would therefore be capable of endangering the data subject’s personal safety. In a nutshell, both “accurate location information” and the tracking data for “personal whereabouts” fall into the special category of SPI, while the “rough location information” calculated from the data subject’s IP address is not SPI.

 

5) Examples for other types of SPI provided

Apart from the examples specifically raised in the legal definition of SPI under the PIPL, the SPI Guide also provides the following examples of “other types of SPI”, which include “accurate location information, ID card photos, sexual orientation, sexual life, credit information, criminal record information, photos or video information showing private parts of the individual’s body and other personal information”.

Reading between the lines, it is interesting to note that one’s ID card photo falls into the special category of SPI, while the ID number, which in China would reveal a data subject’s place of birth, gender and date of birth, is not SPI.

 

Conclusion

 

As previously advised in my earlier article[4], the story of Little Red Riding Hood teaches many of us a lifetime lesson that SPI security is of critical importance because identity theft could result in double murder and other horrible things. Today we are in a highly digitalized world, and almost every netizen is dealing with internet hackers and identity thieves on a daily basis, with new threats targeting SPI on the rise.

Safeguarding SPI against data theft, data misuse or mishandling is of vital importance because of the delicacy of the data, as it is intrinsically linked to the personal dignity, safety and well-being of everyone. If SPI falls into the hands of the wicked, it could lead to defamation, reputational damage, fraud, identity theft, death or other types of harm, with a price too high to bear.

With the newly released SPI Guide in place, if they have not already done so, businesses collecting any data from data subjects that fall under the special category of SPI or a number of PI in the regular categories that would fit into the Aggregation Rule shall immediately take actions to 1) comprehend the SPI Guide and understand the changes in the identification and protection rules; 2) determine whether any existing technical and organizational practices would be impacted; and 3) review, re-negotiate, draft, and update agreements, protocols, policies and procedures where and if necessary.



1. See Article 28 of the PIPL.

2. Personal information handlers determine the purpose and means of processing of personal information and operate in a way similar to “data controllers” under other privacy and data protection laws (e.g., the European Union’s General Data Protection Regulation (2016/679) (“GDPR”)).

3. Source: National Network Security Standardization Technical Committee Secretariat; for further details of the SPI Guide, see https://www.tc260.org.cn/front/postDetail.html?id=20240918084858.

4. See https://www.dechert.com/knowledge/onpoint/2020/7/first-civil-code-in-china-to-bolster-data-privacy-protection.html.



