What is considered personal information under China’s PIPL?

Date:

Share post:





What is considered personal information under China’s PIPL?


What is considered personal information under China’s PIPL?

The Personal Information Protection Law of the People’s Republic of China (PIPL), effective November 1, 2021, establishes a comprehensive framework for the protection of personal information. For foreign-invested enterprises operating in China, correctly identifying what constitutes personal information under PIPL is the foundational step for compliance. The definition is broad and extends well beyond what many enterprises expect, encompassing data types that are not classified as personal information in other jurisdictions. This article provides a detailed examination of the scope of personal information under PIPL, including the categories, criteria, and practical implications for foreign businesses.

The Legal Definition of Personal Information

Article 4 of PIPL defines personal information as “all kinds of information recorded electronically or otherwise that relates to an identified or identifiable natural person.” The definition excludes information that has been anonymized, meaning data that has been processed in such a way that it can no longer be used to identify a specific individual. The key interpretive question is what constitutes “relating to” an “identified or identifiable” person.

Chinese regulators have adopted an expansive interpretation of this definition. The Personal Information Security Specification (GB/T 35273-2020), a national standard that provides implementation guidance for PIPL, identifies dozens of specific data elements that qualify as personal information. These include not only obvious identifiers such as names and ID numbers but also less obvious categories such as device identifiers, browsing histories, location data, and behavioral preferences.

Categories of Personal Information Under PIPL

PIPL divides personal information into two main categories: general personal information and sensitive personal information. Sensitive personal information receives enhanced legal protections and stricter processing requirements.

General Personal Information

General personal information includes any data relating to an identified or identifiable natural person that does not fall within the sensitive personal information category. Examples include name, telephone number, email address, mailing address, job title, employment history, educational background, and publicly available professional information. While general personal information is subject to PIPL, the compliance requirements are less stringent than for sensitive personal information.

Notably, PIPL applies to the processing of personal information of individuals located in China, regardless of the individual’s nationality. This means that the personal information of foreign nationals working or residing in China is also protected under PIPL. Foreign enterprises must protect the personal data of their expatriate employees and foreign visitors to China to the same standard as Chinese nationals.

Sensitive Personal Information

Article 28 of PIPL defines sensitive personal information as personal information that, once leaked or illegally used, is likely to infringe upon the personal dignity of a natural person or cause harm to their personal or property safety. The law provides a non-exhaustive list that includes biometric data, religious beliefs, specific identities, medical health information, financial account information, personal location tracking data, and information on minors under the age of 14.

The processing of sensitive personal information requires a specific, independent legal basis under PIPL. Enterprises must obtain separate, explicit consent from the data subject for each specific processing purpose, and they must inform the data subject of the necessity of the processing and the impact on their rights and interests. Additionally, enterprises must conduct a personal information protection impact assessment (PIPIA) before processing sensitive personal information and retain the assessment records for at least three years.

Key Distinction: Under PIPL, general personal information includes names, email addresses, and job titles, while sensitive personal information includes biometric data, financial account information, health data, and location tracking. Sensitive personal information requires a higher standard of consent and a mandatory impact assessment before processing.

Data Elements That Qualify as Personal Information

The following table illustrates common data elements that enterprises process and whether they constitute personal information under PIPL. This is based on the Personal Information Security Specification (GB/T 35273-2020) and regulatory guidance.

Data Element Status Under PIPL Category
Full name Personal information General
Government ID number (passport, national ID) Personal information General
Home address Personal information General
Personal telephone number Personal information General
Work email address Personal information General
IP address Personal information General
Device MAC address Personal information General
Browser cookies and tracking data Personal information General
Biometric data (fingerprint, facial recognition) Personal information Sensitive
Financial account and transaction data Personal information Sensitive
Medical records and health data Personal information Sensitive
Precise geolocation data Personal information Sensitive
Data on children under 14 Personal information Sensitive
Aggregated, anonymized statistics Not personal information N/A
Company business registration number Not personal information N/A
Public company address Not personal information N/A

What Is Not Personal Information

Understanding what falls outside the scope of PIPL is equally important. Properly anonymized data is explicitly excluded from the definition of personal information under Article 4. Anonymization, as defined in the Personal Information Security Specification, refers to the irreversible de-identification of personal information such that the data subject can no longer be identified through reasonable means. Pseudonymization, which replaces identifying information with artificial identifiers but retains the ability to re-identify the data subject, does not remove the data from PIPL’s scope. Pseudonymized data remains personal information, though the risk level is reduced.

Additionally, data relating solely to legal persons, such as corporate registration numbers, business addresses, and company financial statements submitted to public registries, is not personal information under PIPL. However, if such data can be linked to a specific individual — for example, a sole proprietorship’s registration information that is tied to the owner’s personal identity — it may fall within PIPL’s scope.

Indirect Personal Information and Inferred Data

PIPL extends to indirect personal information, including data from which an individual can be reasonably identified through correlation or aggregation. For example, a combination of gender, age range, postal code, and occupation may, when analyzed together, identify a specific individual even though each data point alone does not. The Personal Information Security Specification provides criteria for determining when data is sufficiently aggregated to be considered de-identified rather than personal information. Key factors include the granularity of the data, the number of data points combined, and the practical difficulty of re-identification.

Inferred data, such as consumer credit scores, behavioral profiles, health risk assessments, and employment suitability scores, is also considered personal information under PIPL because it relates to an identifiable individual. Enterprises that generate such data through algorithms or machine learning models must comply with PIPL’s requirements, including the right of the data subject to be informed of the logic and potential consequences of automated decision-making under Article 24.

Practical Implications for Foreign Enterprises

For foreign-invested enterprises in China, the broad scope of PIPL means that nearly all data collected from employees, customers, and business partners will fall within the definition of personal information. This has several practical consequences. First, a comprehensive data mapping exercise is essential. Enterprises must identify every category of personal information they collect, the purposes for which it is processed, the legal basis for processing, and whether it is transferred outside China. Second, consent management systems must be capable of capturing the specific, informed consent required for each category of personal information, with enhanced consent for sensitive categories.

Third, data processing agreements with third-party vendors, service providers, and joint venture partners must clearly define each party’s role as a personal information processor, entrusted processor, or joint processor under PIPL. Fourth, the data retention schedule must be aligned with PIPL’s principle that personal information shall be retained only for the minimum period necessary to achieve the specified processing purpose, as stated in Article 6.

Practical Note: Foreign enterprises often underestimate the scope of PIPL by assuming that only directly identifying data such as names and ID numbers are regulated. In practice, PIPL covers IP addresses, device identifiers, cookies, location data, work contact details, and behavioral profiles. A thorough data audit is the only reliable way to ensure complete compliance.

Relationship With Other Chinese Data Laws

The definition of personal information under PIPL interacts with the broader data classification framework established by the Data Security Law (DSL) and the Cybersecurity Law (CSL). Under the DSL, personal information may also be classified as important data if its leakage poses a risk to national security, economic stability, or public interest. This dual classification subjects such data to both PIPL’s personal information protection requirements and DSL’s data security obligations. Enterprises must therefore assess their data under both frameworks simultaneously, rather than applying PIPL and DSL as separate compliance exercises.

Enforcement and Regulatory Guidance

The Cyberspace Administration of China (CAC) and provincial-level cyberspace administrations have the authority to interpret and enforce the definition of personal information. The CAC has issued several guidance documents since PIPL’s enactment that clarify the scope of personal information in specific contexts. For example, the Provisions on the Management of Algorithmic Recommendations in Internet Information Services confirmed that user profiles and preference data generated by recommendation algorithms constitute personal information. The Measures for the Administration of Automobile Data Security clarified that vehicle identification numbers, driving behavior data, and in-vehicle audio and video recordings are personal information. Foreign enterprises should monitor these sector-specific guidelines, as they refine and expand the scope of personal information in particular industries.

Summary

Personal information under PIPL encompasses virtually any data that relates to an identified or identifiable natural person, processed electronically or otherwise. This includes names, contact details, device identifiers, location data, browsing histories, financial information, biometric data, health records, and inferred profiles. The scope is broader than comparable definitions in the GDPR and other international frameworks, particularly in its inclusion of indirect and inferred personal information. Anonymized data and data relating solely to legal persons fall outside the definition. For foreign enterprises, the practical implication is that a comprehensive data mapping and classification exercise is essential to identify all personal information processing activities and apply the appropriate compliance measures for each category.


Related articles

How a Korean Logistics Firm Set Up 3 Warehouses Across China: Real Estate Case Study

How a Korean Logistics Firm Set Up 3 Warehouses Across China: Real Estate Case Study body{font-family:'Segoe UI',Arial,sans-serif;line-height:1.8;colo

How a Japanese Manufacturer Bought Factory Land in Suzhou Industrial Park: Case Study

How a Japanese Manufacturer Bought Factory Land in Suzhou Industrial Park: Case Study A Japanese automotive precision components maker, Aichi Precisio

How a French Retailer Negotiated a Prime Location Lease in Nanjing Road: Case Study

How a French Retailer Negotiated a Prime Location Lease in Nanjing Road: Case Study body{font-family:'Segoe UI',Arial,sans-serif;line-height:1.8;color

How a Japanese Manufacturer Bought Factory Land in Suzhou Industrial Park: Case Study

How a Japanese Manufacturer Bought Factory Land in Suzhou Industrial Park: Case Study A Japanese automotive precision components maker, Aichi Precisio