Other BriefingsHow to Legally Handle Sensitive Personal Information in China
Under China’s personal information protection regulations, sensitive personal information is subject to a higher standard of protection requirements than those imposed for general data. Companies collecting, storing, processing, and transferring sensitive personal data must comply with strict requirements on informed consent, data protection mechanisms, and clearance mechanisms for cross-border data transfer. We explain the scope of sensitive personal information in China and discuss the core compliance requirements in current and upcoming regulations.
Under China’s Personal Information Protection Law (PIPL), sensitive personal information is subject to much stricter processing rules than general personal information. Sensitive personal information includes personal data such as biometrics or geographical location, which, if leaked, has the risk of harming the safety and dignity of the owner of the personal information.
In this article, we summarize the requirements for protecting, processing, and exporting sensitive personal information in China. As current in-force regulations do not yet provide a comprehensive framework for the requirements for handling sensitive personal information, we also look at draft standards that may be adopted in the near future.
What is sensitive personal information?
The PIPL defines sensitive personal information as “personal information that, once leaked or illegally used, may easily lead to infringement of a natural person’s personal dignity or endanger a personal safety or the property of a person”. The personal information includes:
- Biometrics
- Information on religious beliefs
- Information on specific identities
- Medical information
- Financial accounts
- A person’s whereabouts
- Any personal information of minors under the age of 14
In August 2023, the National Information Security Standardization Technical Committee Secretariat released a set of draft standards on the security requirements for processing sensitive personal information for public comment until October 8, 2023.
While these standards have not yet been adopted, they provide a comprehensive explanation of how to identify sensitive personal information in China. They also provide specific examples of types of personal information that fall under the categories stipulated in the PIPL. It also adds two additional categories: ‘identity verification information’ and ‘other sensitive personal information’.
|
Categories of Sensitive Personal Information (Draft) |
||
| Category | Definition | Examples |
| Biometric information | Personal information obtained through technical processing of a natural person’s physical, biological, or behavioral characteristics, which can be used alone or in combination with other information to identify the natural person’s identity. | Personal genes, fingerprints, voiceprints, palm prints, eye prints, ear prints, iris, facial recognition features, gait, etc. |
| Religious beliefs | Information related to the religion, religious organizations, and religious activities one believes in. | Religious faith, membership in religious organizations, positions in religious organizations, participation in religious activities, specific religious customs, etc. |
| Information on specific identities | Identity information that significantly affects personal dignity and social evaluation, especially those specific identity information that may lead to social discrimination. | Identity information of criminals, disabled persons, job information (such as for military personnel and police), identity document numbers, etc. |
| Medical information | Information related to the health status and medical treatment of natural persons. | Symptoms, hospitalization records, medical orders, test reports, examination reports, surgery and anesthesia records, nursing records, medication records, reproductive information, family medical history, infectious disease history, etc. |
| Financial account information | Information related to bank, securities, and other account and transaction information | Account numbers and passwords for bank accounts, securities, funds, insurance, provident fund accounts, joint provident fund accounts, payment accounts, bank card magnetic stripe data (or chip equivalent information), and payment trace information generated based on account information, etc. |
| Information on whereabouts | Information related to the geographic location, activity location, and activity trajectory of individuals. | Real-time accurate location information, GPS vehicle trajectory information, flight ticket information, specific accommodation information, etc. |
| Personal information of individuals under the age of 14. | Any personal information of individuals under the age of 14. | Any personal information of individuals under the age of 14. |
| Identity verification information | Information used to verify whether a subject has access or usage permissions. | Login passwords, payment passwords, account inquiry passwords, transaction passwords, dynamic passwords, password protection answers, etc. |
| Other sensitive personal information | Information other than the above that should be protected as sensitive personal information. | Web browsing information, marital history, sexual orientation, communication content, credit information, undisclosed criminal records, etc. |
The draft standards also provide a two-step guide for companies to identify sensitive personal information, which is as follows:
First, companies should classify any information that meets any of the following attributes as sensitive personal information:
- If personal information is leaked or illegally used, it can easily infringe upon the personal dignity of natural persons.
Example: Where a user may be subjected to discriminatory treatment following the disclosure of information such as information on specific identities, criminal records, religious beliefs, sexual orientation, specific diseases and health status, etc.
- If personal information is leaked or illegally used, it can easily endanger the personal safety of natural persons.
- If personal information is leaked or illegally used, it can easily endanger the security of the property of natural persons.
Example: Where a leak or illegal use of financial account information and related identification information (such as payment passwords) causes losses to the property of users.
Second, companies must consider the overall attributes of the personal information after aggregation and fusion. If aggregated or fused personal information is leaked or illegally used and can easily have a relatively large impact on the personal rights and interests of users, the personal information as a whole should be judged to contain sensitive attributes.
Regulations on handling sensitive personal information in China
Informed consent to collect and process sensitive personal information
Under the PIPL, companies can only process sensitive personal information when there is “a specific purpose and sufficient necessity”, and strict protective measures are taken.
The processing of personal information is defined in the PIPL as the collection, storage, use, processing, transmission, provision, disclosure, and deletion of personal information, among other activities.
The PIPL provides differentiated consent management rules based on the kind of personal information and the processing activity of the personal information.
| Consent Management Under the PIPL | |
| Circumstances | Consent requirement |
| Processing general personal information | Yes, with exceptional circumstances |
| Processing sensitive personal information | Yes, separate consent is required |
| Providing personal information to a third party | Yes, separate consent is required |
| Providing personal information overseas | Yes, separate consent is required |
Companies that wish to process any personal information (not just sensitive personal information) must receive individual and informed consent from the subject before they can proceed with the processing. Specifically, the company must “truly, accurately and completely” inform the subject of the following matters “in a conspicuous manner and clear and understandable language”:
- The name or name and contact information of the company;
- The purpose and method of processing the personal information, the types of personal information being processed, and the retention period;
- The methods and procedures for individuals to exercise their rights as stipulated in the PIPL; and
- Other matters that should be notified as stipulated by laws and administrative regulations.
Companies must also inform the subjects of any changes that occur to the above information.
To handle sensitive personal information, companies must also inform individuals of the necessity of processing the information and the potential impact on their rights and interests.
Note that companies that process the personal information of minors under the age of 14 must obtain the consent of the minor’s parents or legal guardians. Companies are also required to formulate special personal information processing rules for handling the personal information of minors under the age of 14.
Meanwhile, the draft standards stipulate that companies must comply with the following requirements before they can collect sensitive personal information:
- If the purpose of processing can be achieved by collecting non-sensitive personal information, sensitive personal information should not be collected;
- Sensitive personal information required to fulfill a certain business operation should only be collected during the period when the user uses said business operation; and
- Sensitive personal information should be collected separately according to business operations or service scenarios.
Mechanisms to inform users
The draft standards also provide specific requirements for notifying and receiving consent from users before they can collect sensitive personal information from them.
They stipulate that “enhanced forms of notification” should be used to inform individuals before collecting sensitive personal information. These forms include separate pop-up windows, text messages, fill-in boxes, animations, and transfer to separate prompt interfaces (such as a separate window) to provide the required information.
If a mobile application is used to continuously collect sensitive personal information, a continuous prompt or prompt mechanisms placed at intervals must be employed. “Continuous collection” refers to the uninterrupted and continuous collection of user information while they are using the service, such as audio recording, video recording, continuous location trajectory, and so on.
If the continuous collection of geographical data is required for navigation, floating windows, pop-up windows, or a voice recording or vibration must be used to remind the user that the current geographical location is being used at certain intervals.
Finally, when the services that a company provides no longer collect sensitive personal information or ceases to assume responsibility for protecting the information, the company must inform the user of this change.
Obtaining consent from users
Under the draft standards, companies must comply with certain requirements before collecting sensitive personal information.
The first is that if a company is processing general personal information based on individual consent, it must obtain separate consent from the user before processing sensitive personal information. To do this, the user can either take the initiative to provide individual consent, or the company can prompt them to provide consent by setting up a separate page, phone call, text message, or other channel and facilitating them to agree to various activities through actions such as clicking and checking items.
In some situations, companies must obtain written consent from an individual, rather than obtaining consent through actions such as clicking a consent box. These include situations such as the collection of biometrics, asking for personal information from credit reporting agencies, providing credit information to other entities by institutions engaged in the credit business, providing information related to real estate transactions during the use of real estate brokerage services, and so on.
To obtain consent in written form, the company can provide the information to obtain consent either in paper or digital form, and the user can give individual consent by actively signing or stamping the written information.
If a company needs to obtain consent for multiple sensitive personal information processing activities, a separate consent mechanism should be provided to the user according to the purpose of the processing activity. Separate consent means that the company must obtain consent for the processing of sensitive personal information separately from obtaining consent for processing general personal information. Interfaces that provide separate consent for the processing of sensitive personal information should not include other information processing matters.
If a company installs image collection or personal identification equipment in public places, such as a facial recognition camera, it must set up prominent signs to remind individuals of the personal information being collected. Unless separate consent is obtained from the individual, any personal images or sensitive personal information such as identification information collected through the installation, can in principle, only be used to maintain public safety and cannot be used for other purposes.
If a company discloses sensitive personal information and it is assessed to have a significant impact on an individual’s rights and interests, the individual’s separate consent should be obtained.
Finally, if sensitive personal information is processed based on individual consent, the company should provide the individual with a convenient way to withdraw consent and should also explain to the individual the impact that withdrawing consent may have on the individual.
Sensitive personal information protection
The draft standards outline special requirements for the protection of sensitive personal information in China. These requirements include (but are not limited to):
- Employing channel encryption when transmitting sensitive personal information over the Internet.
- Carrying out regular evaluation and verification of the security status of sensitive personal information transmission methods.
- Storing sensitive personal information that has been encrypted and de-identified separately from decryption keys and other personal information.
- Implementing role-based permissions control and trigger operation authorization according to the needs of the business process for operations such as access, modification, deletion, and export of sensitive personal information.
- Monitoring abnormal operations and establishing early warning and response mechanisms for the handling of sensitive personal information.
- Regularly sorting the list of application and API assets and regularly auditing the transmission of sensitive personal information by applications and APIs.
- Establishing a mechanism for automatic deletion of sensitive personal information after expiration.
The draft standards also outline specific protection requirements for the various types of sensitive personal information in China.
Carrying out a personal information protection impact assessment
Under the PIPL, companies that process sensitive personal information are required to carry out a personal information protection impact assessment (PIPIA), similar to a data protection impact assessment (DPIA).
A PIPIA is a risk assessment designed to prevent problems that could put personal information in danger before they occur.
The PIPL requires that a PIPIA includes the following content:
- Whether the purpose and method of processing personal information are legal, legitimate, and necessary.
- The potential impact on personal rights and security risks.
- Whether the protective measures taken are legal, effective, and commensurate with the level of risk.
PIPIAs and processing records should be kept for at least three years.
Cross-border transfer of sensitive personal information
Under the PIPL and related regulations, companies that wish to export personal information outside of China may be required to undergo one of three procedures, which vary in complexity depending on the volume and type of data that is exported.
- Undergoing a security review by the Cybersecurity Administration of China (CAC);
- Receiving third-party personal information protection certification; or
- Signing a standard contract with the overseas recipient of the personal information.
In order to qualify for the latter two mechanisms, which are more straightforward, a company must have accumulatively transferred the sensitive personal information of less than 10,000 users since January 1 of the previous year. Any company that exceeds this threshold must undergo a security review by the CAC.
About Us
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.
Dezan Shira & Associates has offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE). We also have partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, and Bangladesh.
- Previous Article China’s Education Sector: Latest Trends and Policies
- Next Article China’s Cross-Border E-Commerce: 2023 Performance and 2024 Outlook
