Filed under personal-information
Every brief tagged "personal-information".
- § 01 · GBT-35273
From Consent to Governance: What the 2026 Draft Revision of GB/T 35273 Changes Against the 2020 Standard
On June 17, 2026 the National Cybersecurity Standardization Technical Committee (TC260), with CESI as drafting lead, released for public comment a systematic revision of GB/T 35273 — China's most-cited personal-information standard, the de-facto 'small PIPL.' The draft retitles the standard from 'Information Security Technology' to 'Data Security Technology' and expands its normative references from one standard to eight. DCC reads the revision as a role change, not a clause count: the standard moves from a consent-and-notice manual into a governance-capability framework. The substantive increments against GB/T 35273-2020: a new Chapter 5 importing PIPL Article 13's seven lawful bases as a standalone chapter with hard boundaries on each (contract-necessity, HR, public-disclosure) plus an evidence-chain duty; a sensitive-PI redefinition aligned to PIPL Article 28 with a new aggregation rule (multiple items that together meet the threshold are treated as sensitive as a whole); a formal 'separate consent' definition (3.7) with a negative list; a new eighth basic principle, 'quality assurance' (Chapter 4(f)); dedicated AI clauses on the collection side (6.7), in minimum-necessity (6.1 d–f), in aggregation/training (8.4), and a new generative-AI use clause (8.5.4) with output review and a 15-working-day deletion SLA; a unified-account-system clause (8.6) aimed at one-account-many-products groups; a terminal/IoT collection clause (6.8); a wholly new Chapter 11 on overseas-jurisdiction determination and conflict handling; and a systematized internal-control chapter (13) covering the person in charge of personal information protection, working body, processing-activity records, impact assessment, and a GB/T 46903-anchored compliance audit. Subject-rights response time tightens from 30 days to 15 working days. Clause numbers are from the comment draft and are not final; formal release is expected after 2027.
- § 02 · ANONYMIZATION
Reviving a Zombie Provision — Xu Ke's Concentric-Circle Reconstruction of the Anonymization Regime
Xu Ke (UIBE) calls PIPL Article 4's anonymization carve-out a 'zombie provision' (僵尸法条) — on the books, never used, and one of the biggest blockages in the data-element market. His diagnosis: the zombie state is caused not by the text but by three unaddressed worries (processors fear the standard is unattainable or value-destroying; regulators fear anonymization becomes an evasion tool; users fear it's a hollow promise). His cure is a concentric-circle architecture that maps three risk types (systemic / operational / residual) onto three layers of anonymity (presumptive / determined / trust). This is the most complete academic blueprint yet for making the anonymization clause operational — and it pairs directly with TRIMPS's risk-based, recipient-relative reading.
- § 03 · ANONYMIZATION
From 'Cannot Be Restored' to 'Difficult to Restore' — TRIMPS on Whether Anonymization Is Absolute, and Whether It's Recipient-Relative
The Third Research Institute of the Ministry of Public Security (TRIMPS) — the body behind China's classified-protection regime and national eID platform — takes on the two questions that determine whether anonymization actually gets data out of PIPL scope. First: does PIPL's 'cannot be restored' standard (Art 73) require re-identification probability of literally zero? The 2025 draft PI Anonymization Guide quietly softened it to 'difficult to restore,' aligning China with the GDPR 'all reasonable means' test and reframing anonymization as a dynamic, continuously-assessed, risk-based process rather than a one-time terminal state. Second: is anonymization recipient-relative — can the same dataset be PI in one party's hands and anonymized in another's? TRIMPS reads the EU SRB v EDPS case and UK ICO guidance toward 'yes,' with major implications for how overseas counsel structure data sharing and cross-border transfer.
- § 04 · AI-GOVERNANCE
Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy
Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.
- § 05 · PERSONAL-INFORMATION
Ai Lin — Why Platform Gig Workers Need PI-Protection Tilt and How to Build It
Ai Lin (Jilin University Law School) takes on the under-attended question of personal-information protection for platform gig workers — the food-delivery couriers, ride-hail drivers, freight drivers, and 'internet marketers' who occupy China's new-employment-form category. The structural problem: PIPL's individual-consent baseline doesn't work in employment relations where the worker has no meaningful bargaining power against the platform's algorithmic management. Ai imports the alienated-labor framework from Marx and the 'scenario fairness' principle from contextual integrity to argue for a tilt-protection regime. Three operational responses: enhanced transparency + tiered PI safeguards; treating algorithmic rules as workplace regulations subject to collective bargaining; full-process regulatory accountability. Highly relevant for multinationals operating platform-gig models in China or contracting with Chinese platform workforces.
- § 06 · ENFORCEMENT
Seven Lessons for Data Compliance Teams from the SAMR 'Ghost Takeout' Series — 3.5 Billion Yuan, 9-Month Suspensions, and the Per-Merchant Aggregation Doctrine
In April 2026, the State Administration for Market Regulation (SAMR) imposed administrative penalties on seven major e-commerce platforms in the 'ghost takeout' series — 3.5 billion yuan in aggregate corporate fines, nearly 20 million yuan in individual fines on legal representatives and food-safety officers, and 3-to-9-month business suspensions. While the cases were ostensibly food-safety enforcement, their analytical structure — pierce-the-paper-compliance, per-merchant aggregation of penalties, identification of licensed-entity liability holders, dual penalties on individual compliance officers — translates directly to data-compliance enforcement. Adapted from a substantive practitioner analysis by 黄春林 (Huang Chunlin), this DCC brief works through seven operational lessons that DSO / PIPO / DPO and compliance counsel should apply *before* the analogous enforcement wave reaches data compliance.