PI vs. SPI: Breaking Down Personal Information in PIPL Compliance

As we approach the first year anniversary of China's PIPL laws going into effect, it seems a good time for a refresher on the two levels of personal information it governs. Given the extreme penalties for non-compliance, including significant penalties, bans and even jail time, making sure you are compliant and staying compliant is critical. Given that new data sources, third party vendors and even consumer facing collection can change quickly, be sure to schedule regular reviews of your data handling related to Chinese citizens and their personal - and sensitive personal - information.

Nuna Network - Get Started Today

Get started with Nuna Network today. Verify and monitor Chinese companies instantly. Get access to over 180 million Chinese companies.

Get Started Today

Personal information is any information that is associated with an individual, whether it is electronic or in another format. Anyone that handles PI is considered under the PIPL laws to be a PI data processor.

SPI is PI that, if leaked, could easily infringe an individual’s dignity, or harm a person or damage their property. Processing SPI requires a stated purpose, sufficient necessity, and stricter protective measures. Separate consent or opt-in steps are required, and written consent may be needed as well.

• Genetics
• Biometric data used to identify someone
• Health
• Race/ethnicity
• Politics
• Religion
• Philosophy
• Union membership
• Sex life
• Sexual orientation
• Data related to a person's "specially-designated status,"
• Data related to a person's financial accounts, and
• GPS / location data
• Any data of a minor under 14*

*PIPL specifically defines any and all personal information of a minor under the age of 14 as SPI.

Should you see items on the list above that might designate your data as SPI, you may be considered a data controller that must perform data-privacy impact assessment ("DPIA"). This will review your data-processing plans with regards to some specific types of SPI, including:

• A "systematic description of the envisaged processing operations"
• A similar description of the purposes of the data-processing operations, including the data controller's legitimate interest
• The "necessity and proportionality" of your operations
• The risks those operations present to data subjects' rights
• The "measures envisaged" to mitigate any risks

Need help with your data strategy? Nuna Network is here for you. We’re the partner of choice and go-to resource for businesses or individuals seeking guidance in researching, developing, and establishing bespoke data solutions with over 180+ million companies indexed across 55+ data points. Feel free to reach out to a Nuna Network data expert to discuss further.

Nuna Network offers more than a one-time report, but a range of validation, verification, and diligence services that help you determine the authenticity of a Chinese company. Check out our valuable guides, helpful tips, and other practical information to help you navigate the complex landscape of Chinese Businesses.