Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · GB/T 42460

Information Security Technology — Guide for Evaluation of Personal Information De-identification Effect (GB/T 42460-2023).

信息安全技术 个人信息去标识化效果评估指南 (GB/T 42460-2023)

FILED UNDER · Personal Information

DCC summary, not a translation. GB/T 42460-2023 is a copyrighted national standard. The structured summary below is DCC’s own paraphrase of the standard’s framework, for overseas compliance teams.

Scope

GB/T 42460-2023 provides the goals, principles, framework and methods for evaluating the effectiveness of personal-information de-identification (去标识化) — that is, for judging whether a dataset that has been put through a de-identification process carries an acceptably low risk of re-identification. It applies to organizations evaluating the de-identification of their own datasets, and serves as a reference for assessors and regulators reviewing de-identification work.

It is a recommended standard. It is the natural companion to GB/T 37964 (the Guide for De-identification of Personal Information): where GB/T 37964 explains how to perform de-identification, GB/T 42460 explains how to test whether it succeeded.

Key contents

The standard frames de-identification effectiveness in terms of re-identification risk and walks through how to evaluate it.

Concepts and goals. It works from the PIPL/standards definitions of de-identification (processing so that personal information cannot identify a specific natural person without additional information) and anonymization (processing so that the subject cannot be re-identified and the data cannot be restored), and frames the evaluation goal as confirming that residual re-identification risk is controlled to an acceptable level given the data-use scenario.

Evaluation principles. Effectiveness is assessed relative to the release/sharing scenario and the resources a realistic attacker could bring to bear; the evaluation must consider both direct identifiers and quasi-identifiers, and the possibility of linkage with external datasets.

Identifiers and attributes. Guidance on distinguishing direct identifiers, quasi-identifiers and other attributes, since the re-identification risk turns largely on quasi-identifier combinations.

Evaluation framework and methods. An evaluation process and a set of methods/metrics for testing residual risk — addressing re-identification attack models (singling-out, linkage and inference), the de-identification models applied (such as generalization, suppression, pseudonymization and aggregation), and how to judge whether the chosen technique and parameters achieve the target risk level for the intended disclosure context.

Reporting. Guidance on documenting the evaluation and its conclusion.

The annexes provide reference material on attack models, risk metrics and worked considerations.

How it fits the regime

De-identification and anonymization are load-bearing concepts in PIPL. PIPL defines both terms (Article 73); anonymized information falls outside the definition of “personal information” (Article 4) and so outside the law’s scope, whereas de-identified information is still personal information and remains regulated. The practical question — has a dataset been de-identified or anonymized well enough? — is exactly what GB/T 42460 helps answer.

For overseas compliance teams, the standard matters whenever a Chinese operation relies on de-identification to reduce risk (for analytics, sharing, secondary use, or to argue data has been anonymized out of PIPL’s scope). It supplies the test method to back that reliance, and it pairs with GB/T 37964 (de-identification technique), GB/T 35273 (which calls for de-identified/encrypted storage of sensitive data) and the impact-assessment standard. It does not lower any statutory threshold — it is the evidentiary method for showing a de-identification claim holds up.

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

1 brief references this law.

  • § 01 · GBT-35273

    From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard

    On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.

    gbt-35273 · personal-information · pipl
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.

SUPPORT DCC

Keep the publication free to read. Suggested support is $19.99, or choose your own amount.

Support →