CHINA: Definition and Handling of Sensitive Personal Information Helpfully Clarified

DLA Piper

[co-author: Qiuyang Zhao]

It’s well-known that China’s data protection laws define sensitive personal information very differently from other jurisdictions. Instead of a closed list of data types, sensitive personal information in China has traditionally been defined by reference to a broad “risk of harm” test. A new national standard, which will come into force on 1 November 2025, helpfully clarifies and narrows the definition (de-classifying certain data types as sensitive personal information). It also provides detailed guidance on how to process and secure sensitive personal information in compliance with the Personal Information Protection Law (“PIPL”).

We set out below key highlights of the Standard compared to existing laws, regulations and national standards, and practical compliance tips.

New Standard

The new national standard on sensitive personal information, GB/T 45574-2025 Information Security Technology – Security Requirements for Processing of Sensitive Personal Information (“Standard”), is set to take effect on 1 November 2025.

Identifying sensitive personal information

The Standard essentially incorporates the identification method and list of examples for sensitive personal information set out in the Guide for Sensitive Personal Information Identification published last year (“Guide“), by:

  • refining the examples from earlier national standards such as the Personal Information Security Specifications to generally narrow the scope of sensitive personal information — for instance, approximate location data derived from IP addresses is excluded from sensitive personal information; and
  • reaffirming that the overarching “risk of harm” test remains decisive for determining sensitive personal information — for instance, personal information listed as examples in the Standard may be deemed non-sensitive if it fails the “risk of harm” test, whereas non-sensitive personal information may become sensitive when aggregated if the aggregated information passes the test.

Please refer to our summary of the Guide for further details on the updated approach to identifying sensitive personal information.

Collection of sensitive personal information

The Standard notably recommends the following practices when collecting sensitive personal information to ensure minimal, function-based and non-automated collection of sensitive personal information:

  • avoiding collecting sensitive personal information when non-sensitive personal information can achieve the processing purposes;
  • collecting sensitive personal information only when data subjects engage with specific business functions that require such information;
  • collecting sensitive personal information separately based on distinct business functions or service scenarios; and
  • refraining from using tools (e.g., auto-downloading programs or scripts) to automatically collect sensitive personal information from websites or mobile applications.

Separate notice and consent

The Standard advocates for separate notice methods before collecting sensitive personal information, such as separate pop-ups, SMS alerts, input fields, animations, redirection to separate prompt interfaces, or voice prompts. For multiple sensitive personal information processing activities, it recommends providing a separate consent mechanism for each processing purpose and business function, rather than bundling consents together. This may, therefore, require organisations to review and update their China consent language.

DPO appointment

In addition to the existing legal requirement to appoint a DPO for data controllers processing the personal information of over one million individuals, the Standard further provides that data controllers processing sensitive personal information of over 100,000 individuals should appoint a DPO and establish a management body to oversee personal information processing activities and protective measures. The DPO should be a member of the controller’s management team, possessing professional knowledge of personal information protection and relevant management experience. The Standard further recommends conducting security background checks on the DPO and personnel in key positions. It is currently unclear whether a DPO appointed in these circumstances must be registered with the CAC under the new DPO registration framework (see CHINA: DPOs must be registered before 29 August 2025 | Privacy Matters).

General security requirements for sensitive personal information

The Standard outlines general security requirements that data controllers are expected to follow when managing and processing sensitive personal information. Beyond those already explicitly set out in the PIPL and other existing laws and regulations, such as personal information protection impact assessments, record-keeping, and compliance audits, the general security requirements outlined in the Standard and applicable to all sensitive personal information include, for example:

  • Organisational requirements
      • classifying and maintaining an updated directory of sensitive personal information;
      • establishing: (i) dedicated policies and procedures delineating security roles and responsibilities throughout the lifecycle of sensitive personal information processing, and (ii) authorization processes for critical operations involving sensitive personal information—such as internal sharing, external provision, public disclosure, bulk queries, plaintext display, downloads, and outputs;
      • implementing risk monitoring, alerting, and response mechanisms for abnormal activities (e.g., frequent or excessive queries, downloads, printing of sensitive personal information, or after-hours operations); and
      • performing monthly security audits of processing logs and user permissions to promptly handle unreasonable authorizations or operations.
  • Technical requirements
      • defaulting to de-identification when displaying sensitive personal information in products or internal systems;
      • encrypting sensitive personal information in storage and transmission;
      • applying watermarks that indicate the identity of the accessing subject and access time to the display interface for sensitive personal information, and restricting functions such as copying, printing, and screen capturing for centralized display interfaces;
      • implementing field-level access controls for sensitive personal information; and
      • storing sensitive personal information separately.

Many of these will already form part of multinational organizations’ data protection compliance programme, but given the different definition of sensitive personal information in China it will be important before 1 November 2025 for organizations to ensure these enhanced measures are applied to all sensitive personal information caught by the China definition.

Category-specific security requirements

The Standard also sets out security requirements specific to different categories of sensitive personal information. For example, specific identity information (such as disabilities) and financial information should generally be de-identified when displayed, and only fully displayed after identity verification. It further recommends not using specific identity information for profiling or personalized recommendations and adopting a continuous notification mechanism for ongoing collection of location and trajectory data.

Way forward

While the extent to which the Standard will be relied upon by regulators or courts in practice remains to be seen, organizations are generally advised to familiarise themselves with the Standard and, where practicable, adapt their existing personal information compliance programs to it before 1 November 2025, in order to enhance compliance, foster customer trust, and more effectively manage operational risks within the Chinese market.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© DLA Piper