One of the most important classifications under the Personal Information Protection Law (PIPL) is Sensitive Personal Information (SPI). Unlike general personal information, SPI is subject to stricter compliance requirements due to its potential to cause serious harm if misused or leaked.
Disclaimer: This guide is intended for informational purposes only and does not constitute legal or regulatory advice. Chinafy is not a legal or corporate advisory entity. Given that legal obligations vary by business type and context, we recommend consulting with qualified legal counsel for advice specific to your organization. If needed, Chinafy can connect you with one of our experienced legal partners.
TL;DR: In Mainland China, Sensitive Personal Information (SPI) is the subset of Personal Information (PI) whose leakage or misuse could harm the individual. Examples include biometric information, health data, religious beliefs and any information about minors under 14. Under the PIPL, handling SPI triggers stricter statutory requirements, such as separate consent, a prior impact assessment, and tighter security controls. Identifying SPI accurately matters because of these regulatory and operational consequences, and China's evolving standards continue to refine what qualifies as SPI and how it should be managed.
Under China’s Personal Information Protection Law (PIPL), Sensitive Personal Information (SPI) refers to personal data that, if disclosed or misused, can easily lead to the infringement of human dignity or endanger personal safety or property.
The definition of SPI is risk-based, which means it emphasizes the consequences of mishandling rather than the type of data alone.
Under Article 28 of the PIPL, SPI is described as personal information that, once leaked or illegally used, may result in:
Infringement of personal dignity – such as reputational harm or discrimination.
Threats to personal safety – for instance, through stalking or physical threats.
Threats to property safety – like unauthorized access to financial accounts.
The law highlights a broad set of categories that require stricter controls.
Supplementary standards, including GB/T 35273-2020 (Information Security Technology – Personal Information Security Specification) and the evolving guidelines for identifying SPI (referred to below as the SPI Guide), refine and contextualize these categories for enforcement.
The PIPL offers a baseline list in Article 28, which draft and national standards expand upon. The categories named in the law are:
Biometric characteristics: fingerprints, iris data, facial recognition.
Religious beliefs: faith affiliations, religious group membership.
Specific identity information: criminal status, disability, military or police roles.
Medical and health information: diagnosis, treatment, genetic data.
Financial accounts: bank account numbers, payment credentials.
Tracking/location data: GPS paths, travel and accommodation records.
Information about minors under 14.
The supplementary standards break these down further, for example:
Personal biometric data: includes genes, voiceprints, gait, eye prints.
Personal property information: includes bank account, bank deposit information, credit records.
Health data: includes pathological information, hospitalization records, allergies.
Financial info: income levels, bank passwords, securities and insurance records.
Other information: includes religious practices, sexual orientation, marriage history, undisclosed criminal records.
Note: the standards do not always agree. For instance, GB/T 35273-2020 lists 'ID card' as SPI, while the SPI Guide lists only 'ID card photos'. Identifying SPI therefore requires case-by-case, context-specific analysis focused on whether disclosure or illegal use of the information is likely to harm personal dignity, personal safety or property. Standards also change over time, so check the current version of each guideline and expect discrepancies between them.
Compared to general personal information (PI), SPI is subject to stricter controls, such as:
Separate consent requirement (PIPL, Article 29): General PI typically requires informed consent, but not necessarily "separate" consent in every processing scenario. Separate consent for SPI is distinct from consent for general PI and is usually obtained through a more conspicuous notice, such as a dedicated pop-up window or interface, rather than bundled into a general privacy policy. Article 30 additionally requires informing the individual of the necessity of the processing and its impact on their rights and interests.
Stricter protective measures: Regulatory guidance recommends stricter protection than for general PI. Some standards specify measures such as encrypting the transmission channel, regular security evaluation, storing encryption keys separately from the encrypted data, role-based permission controls, monitoring for abnormal operations, auditing transmissions, and automatic deletion once the retention period expires.
Personal Information Protection Impact Assessment (PIPIA): Processing SPI is one of the explicit triggers requiring a PIPIA in advance (PIPL, Article 55). A PIPIA assesses the legality, legitimacy and necessity of the processing, the potential impact on individuals' rights and the security risks, and the adequacy of the protective measures (PIPL, Article 56); the assessment report and processing records must be retained.
Cross-border transfer restrictions: Transferring SPI outside China faces specific restrictions and triggers. Unlike general PI, there is no low-volume exemption for SPI: transferring even a single individual's SPI outside China may require a procedure such as filing a standard contract with the Cyberspace Administration of China (CAC) or obtaining certification, with a CAC-led security assessment required above volume thresholds.
Minors' data as SPI (PIPL, Article 31): Any personal information of a minor under the age of 14 is automatically categorized as SPI. All data about this age group is therefore subject to the stricter SPI requirements, including obtaining parental or guardian consent and formulating special processing rules.
Higher accountability and penalties for violations (PIPL, Article 66): Failure to comply with the stricter obligations for SPI processing can contribute to a violation being deemed "grave," potentially resulting in higher fines (up to CNY 50 million or 5% of the previous year's turnover) and other severe consequences such as suspension of services or revocation of licenses.
These stricter requirements reflect SPI’s potential for harm if data is mishandled and the need for heightened oversight.
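The protective measures listed above (keys stored apart from the encrypted data, role-based permission controls, monitoring of abnormal operations, an audit trail, and automatic deletion after expiry) are easier to reason about as code than as a checklist. The following is an added example written for this page; it is not code from Chinafy, from GB/T 35273-2020 or from the PIPL, and it does not represent any particular standard's required implementation. It assumes a hypothetical role model (`ROLE_PERMISSIONS`), a `KeyStore` class that stands in for a KMS or HSM living apart from the record store, and a demo cipher built from HMAC-SHA256 (a counter-mode keystream with encrypt-then-MAC) so that it runs on the standard library alone; a production system would use AES-GCM from a vetted library instead. The health record in `demo()` is constructed sample data.

```python
import hashlib
import hmac
import os
from typing import Callable, Dict, List, Set

# Encryption with the key held elsewhere: HMAC-SHA256 counter-mode keystream plus encrypt-then-MAC.
# Demo construction only; in production use AES-GCM from a vetted library.
def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    out = bytearray()
    for counter in range((length + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def _subkeys(key: bytes):
    return hashlib.sha256(b"enc" + key).digest(), hashlib.sha256(b"mac" + key).digest()

def encrypt(key: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()

def decrypt(key: bytes, blob: bytes) -> bytes:
    """Verifies the tag in constant time before decrypting; raises ValueError on tampering."""
    enc_key, mac_key = _subkeys(key)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext integrity check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))

class KeyStore:
    """Holds data-encryption keys only; stands in for a KMS/HSM kept apart from the record store (hypothetical)."""
    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}
    def create(self, key_id: str) -> bytes:
        self._keys[key_id] = os.urandom(32)
        return self._keys[key_id]
    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]
    def destroy(self, key_id: str) -> None:
        self._keys.pop(key_id, None)

# Hypothetical role model: which SPI categories each role may read.
ROLE_PERMISSIONS: Dict[str, Set[str]] = {"clinician": {"health"}, "payments": {"financial"}, "support": set()}

class SpiStore:
    """Record store that never holds a key; each record is encrypted under its own key in the KeyStore."""
    def __init__(self, keystore: KeyStore, now: Callable[[], float]) -> None:
        self._keystore, self._now = keystore, now
        self._records: Dict[str, dict] = {}
        self.audit: List[dict] = []  # every access attempt, allowed or denied
    def _log(self, action: str, role: str, record_id: str, outcome: str) -> None:
        self.audit.append({"t": self._now(), "action": action, "role": role, "record": record_id, "outcome": outcome})
    def put(self, record_id: str, category: str, value: str, ttl_seconds: float, role: str) -> None:
        key_id = f"dek-{record_id}"
        self._records[record_id] = {"category": category, "key_id": key_id, "expires_at": self._now() + ttl_seconds,
                                    "blob": encrypt(self._keystore.create(key_id), value.encode())}
        self._log("put", role, record_id, "ok")
    def get(self, record_id: str, role: str) -> str:
        rec = self._records.get(record_id)
        if rec is None or rec["expires_at"] <= self._now():  # expired data is unreadable even before purge
            self._log("get", role, record_id, "missing-or-expired")
            raise KeyError(record_id)
        if rec["category"] not in ROLE_PERMISSIONS.get(role, set()):  # role-based permission check
            self._log("get", role, record_id, "denied")
            raise PermissionError(f"role {role!r} may not read {rec['category']} data")
        self._log("get", role, record_id, "ok")
        return decrypt(self._keystore.get(rec["key_id"]), rec["blob"]).decode()
    def purge_expired(self) -> List[str]:
        """Automatic deletion after the retention period: drop the record and destroy its key."""
        expired = [rid for rid, rec in self._records.items() if rec["expires_at"] <= self._now()]
        for rid in expired:
            self._keystore.destroy(self._records.pop(rid)["key_id"])
            self._log("purge", "system", rid, "ok")
        return expired
    def denied_reads_by_role(self) -> Dict[str, int]:
        """Abnormal-operation signal for monitoring: denied reads per role, derived from the audit trail."""
        counts: Dict[str, int] = {}
        for e in self.audit:
            if e["action"] == "get" and e["outcome"] == "denied":
                counts[e["role"]] = counts.get(e["role"], 0) + 1
        return counts

def demo() -> dict:
    """Runs the controls over one constructed health record (sample data, not real)."""
    clock = [1_000.0]  # injectable clock so expiry is deterministic
    store = SpiStore(KeyStore(), now=lambda: clock[0])
    store.put("p1", "health", "allergy: penicillin", ttl_seconds=3600, role="clinician")
    out = {"clinician": store.get("p1", "clinician")}
    try:
        store.get("p1", "payments")
        out["payments"] = "allowed"
    except PermissionError:
        out["payments"] = "denied"
    clock[0] += 7200  # move past the retention period
    out["purged"] = store.purge_expired()
    out["denied_by_role"] = store.denied_reads_by_role()
    return out
```

Two design choices carry the compliance point. A compromise of the record store alone yields only ciphertext, because every key lives in the `KeyStore`; and deletion is a two-step act (record removed, key destroyed), so a stale backup of the records cannot be read back after the retention period. The audit list records denied attempts as well as successful reads, which is what makes the "abnormal operations" signal possible at all.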
SPI identification isn’t one-size-fits-all. Businesses must:
Assess context: The same data may or may not be SPI depending on the use case.
Consider aggregation: Data that may seem benign in isolation could be SPI when combined.
Be aware of technology and usage contexts: Certain processing methods or technologies carry their own rules that interact with SPI. Automated decision-making (ADM), for example, must be transparent and fair, and individuals must be given a way to refuse decisions made solely by automated means that significantly affect their rights, or to opt out of personalised push and marketing.
Follow local and sectoral rules: Free Trade Zones and regulators may define additional or narrower SPI scopes.
Stay updated: Draft guidelines continue to evolve, with frequent updates from the CAC and related bodies.
Identifying and handling SPI requires a nuanced approach that goes beyond simply checking against a list of categories, involving a detailed analysis of risk, purpose, and specific processing scenarios.
Chinafy collaborates with specialized partners, such as Lianwei Pancloud and MS Advisory who can offer insight into regulatory trends and compliance considerations.
Get in touch with Chinafy today to better understand the next steps for your company’s website and data in China.