What is considered personal information under China’s PIPL?
The Personal Information Protection Law of the People’s Republic of China (PIPL), effective November 1, 2021, establishes a comprehensive framework for the protection of personal information. For foreign-invested enterprises operating in China, correctly identifying what constitutes personal information under PIPL is the foundational step for compliance. The definition is broad and extends well beyond what many enterprises expect, encompassing data types that are not classified as personal information in other jurisdictions. This article provides a detailed examination of the scope of personal information under PIPL, including the categories, criteria, and practical implications for foreign businesses.
The Legal Definition of Personal Information
Article 4 of PIPL defines personal information as “all kinds of information recorded electronically or otherwise that relates to an identified or identifiable natural person.” The definition excludes information that has been anonymized, meaning data that has been processed in such a way that it can no longer be used to identify a specific individual. The key interpretive question is what constitutes “relating to” an “identified or identifiable” person.
Chinese regulators have adopted an expansive interpretation of this definition. The Personal Information Security Specification (GB/T 35273-2020), a national standard that provides implementation guidance for PIPL, identifies dozens of specific data elements that qualify as personal information. These include not only obvious identifiers such as names and ID numbers but also less obvious categories such as device identifiers, browsing histories, location data, and behavioral preferences.
Categories of Personal Information Under PIPL
PIPL divides personal information into two main categories: general personal information and sensitive personal information. Sensitive personal information receives enhanced legal protections and stricter processing requirements.
General Personal Information
General personal information includes any data relating to an identified or identifiable natural person that does not fall within the sensitive personal information category. Examples include name, telephone number, email address, mailing address, job title, employment history, educational background, and publicly available professional information. While general personal information is subject to PIPL, the compliance requirements are less stringent than for sensitive personal information.
Notably, PIPL applies to the processing of personal information of individuals located in China, regardless of the individual’s nationality. This means that the personal information of foreign nationals working or residing in China is also protected under PIPL. Foreign enterprises must protect the personal data of their expatriate employees and foreign visitors to China to the same standard as Chinese nationals.
Sensitive Personal Information
Article 28 of PIPL defines sensitive personal information as personal information that, once leaked or illegally used, is likely to infringe upon the personal dignity of a natural person or cause harm to their personal or property safety. The law provides a non-exhaustive list that includes biometric data, religious beliefs, specific identities, medical health information, financial account information, personal location tracking data, and information on minors under the age of 14.
The processing of sensitive personal information requires a specific, independent legal basis under PIPL. Enterprises must obtain separate, explicit consent from the data subject for each specific processing purpose, and they must inform the data subject of the necessity of the processing and the impact on their rights and interests. Additionally, enterprises must conduct a personal information protection impact assessment (PIPIA) before processing sensitive personal information and retain the assessment records for at least three years.
Data Elements That Qualify as Personal Information
The following table illustrates common data elements that enterprises process and whether they constitute personal information under PIPL. This is based on the Personal Information Security Specification (GB/T 35273-2020) and regulatory guidance.
| Data Element | Status Under PIPL | Category |
|---|---|---|
| Full name | Personal information | General |
| Government ID number (passport, national ID) | Personal information | General |
| Home address | Personal information | General |
| Personal telephone number | Personal information | General |
| Work email address | Personal information | General |
| IP address | Personal information | General |
| Device MAC address | Personal information | General |
| Browser cookies and tracking data | Personal information | General |
| Biometric data (fingerprint, facial recognition) | Personal information | Sensitive |
| Financial account and transaction data | Personal information | Sensitive |
| Medical records and health data | Personal information | Sensitive |
| Precise geolocation data | Personal information | Sensitive |
| Data on children under 14 | Personal information | Sensitive |
| Aggregated, anonymized statistics | Not personal information | N/A |
| Company business registration number | Not personal information | N/A |
| Public company address | Not personal information | N/A |
What Is Not Personal Information
Understanding what falls outside the scope of PIPL is equally important. Properly anonymized data is explicitly excluded from the definition of personal information under Article 4. Anonymization, as defined in the Personal Information Security Specification, refers to the irreversible de-identification of personal information such that the data subject can no longer be identified through reasonable means. Pseudonymization, which replaces identifying information with artificial identifiers but retains the ability to re-identify the data subject, does not remove the data from PIPL’s scope. Pseudonymized data remains personal information, though the risk level is reduced.
Additionally, data relating solely to legal persons, such as corporate registration numbers, business addresses, and company financial statements submitted to public registries, is not personal information under PIPL. However, if such data can be linked to a specific individual — for example, a sole proprietorship’s registration information that is tied to the owner’s personal identity — it may fall within PIPL’s scope.
Indirect Personal Information and Inferred Data
PIPL extends to indirect personal information, including data from which an individual can be reasonably identified through correlation or aggregation. For example, a combination of gender, age range, postal code, and occupation may, when analyzed together, identify a specific individual even though each data point alone does not. The Personal Information Security Specification provides criteria for determining when data is sufficiently aggregated to be considered de-identified rather than personal information. Key factors include the granularity of the data, the number of data points combined, and the practical difficulty of re-identification.
Inferred data, such as consumer credit scores, behavioral profiles, health risk assessments, and employment suitability scores, is also considered personal information under PIPL because it relates to an identifiable individual. Enterprises that generate such data through algorithms or machine learning models must comply with PIPL’s requirements, including the right of the data subject to be informed of the logic and potential consequences of automated decision-making under Article 24.
Practical Implications for Foreign Enterprises
For foreign-invested enterprises in China, the broad scope of PIPL means that nearly all data collected from employees, customers, and business partners will fall within the definition of personal information. This has several practical consequences. First, a comprehensive data mapping exercise is essential. Enterprises must identify every category of personal information they collect, the purposes for which it is processed, the legal basis for processing, and whether it is transferred outside China. Second, consent management systems must be capable of capturing the specific, informed consent required for each category of personal information, with enhanced consent for sensitive categories.
Third, data processing agreements with third-party vendors, service providers, and joint venture partners must clearly define each party’s role as a personal information processor, entrusted processor, or joint processor under PIPL. Fourth, the data retention schedule must be aligned with PIPL’s principle that personal information shall be retained only for the minimum period necessary to achieve the specified processing purpose, as stated in Article 6.
Relationship With Other Chinese Data Laws
The definition of personal information under PIPL interacts with the broader data classification framework established by the Data Security Law (DSL) and the Cybersecurity Law (CSL). Under the DSL, personal information may also be classified as important data if its leakage poses a risk to national security, economic stability, or public interest. This dual classification subjects such data to both PIPL’s personal information protection requirements and DSL’s data security obligations. Enterprises must therefore assess their data under both frameworks simultaneously, rather than applying PIPL and DSL as separate compliance exercises.
Enforcement and Regulatory Guidance
The Cyberspace Administration of China (CAC) and provincial-level cyberspace administrations have the authority to interpret and enforce the definition of personal information. The CAC has issued several guidance documents since PIPL’s enactment that clarify the scope of personal information in specific contexts. For example, the Provisions on the Management of Algorithmic Recommendations in Internet Information Services confirmed that user profiles and preference data generated by recommendation algorithms constitute personal information. The Measures for the Administration of Automobile Data Security clarified that vehicle identification numbers, driving behavior data, and in-vehicle audio and video recordings are personal information. Foreign enterprises should monitor these sector-specific guidelines, as they refine and expand the scope of personal information in particular industries.
Summary
Personal information under PIPL encompasses virtually any data that relates to an identified or identifiable natural person, processed electronically or otherwise. This includes names, contact details, device identifiers, location data, browsing histories, financial information, biometric data, health records, and inferred profiles. The scope is broader than comparable definitions in the GDPR and other international frameworks, particularly in its inclusion of indirect and inferred personal information. Anonymized data and data relating solely to legal persons fall outside the definition. For foreign enterprises, the practical implication is that a comprehensive data mapping and classification exercise is essential to identify all personal information processing activities and apply the appropriate compliance measures for each category.
