China Seeks Comments on Draft Guideline and Evaluation Methods for Anonymization of Personal Information
Published 4 September 2025
Xia Yu
On 27 August 2025, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China released the draft for public comment of Data Security Technology – Guideline and Evaluation Method for Anonymization of Personal Information (“Draft Guideline and Evaluation Method”). Pursuant to the Personal Information Protection Law of the People’s Republic of China, anonymization refers to a process by which personal information is processed so that it cannot be used to identify a specific natural person and cannot be restored. It is a security measure for the protection of personal information. Information that has undergone anonymization is no longer subject to legal protection and may be used for commercial purposes. As China’s first national standard on anonymization, the Draft Guideline and Evaluation Method aims to facilitate the flow and use of data while protecting the security of personal information, thereby promoting the development of China’s digital economy.
The Draft Guideline and Evaluation Method is an integral part of China’s personal information protection standards framework. Its core objective is to render personal data protected by law “unidentifiable” and “irreversible”. Its main contents include procedures for anonymization and methods for evaluating anonymization effectiveness. It proposes scenario-specific parameter recommendations, clarifies complete technical pathways and management requirements for anonymization processing, and introduces adversarial testing and irreversibility verification mechanisms. It also sets out independent review and evaluation methodologies for subsequent verification phases.
The anonymization process, namely the implementation procedure of anonymization handling, comprises five stages: preparation, de-identification processing and effectiveness evaluation, adversarial testing and irreversibility verification mechanisms, issuance of a phased evaluation report and anonymization management. At the de-identification stage, to achieve the minimum requirement of Level 3 identifiability under GB/T 42460—2023, the Draft Guideline and Evaluation Method introduces privacy models such as K-anonymity, L-diversity, T-closeness, and differential privacy, along with technical mechanisms including deletion, generalization, suppression, bucketing, perturbation, micro aggregation, and synthesis. Furthermore, to mitigate re-identification and restoration risks arising from environmental factors, the Draft Guideline and Evaluation Method requires the selection and deployment of appropriate environmental security safeguards and secure computing environment technologies, tailored to specific usage scenarios and the privacy and security requirements explicitly stipulated by data providers. For datasets achieving Level 3 identifiability, adversarial testing and irreversibility verification mechanisms are sequentially conducted. Adversarial testing simulates potential attackers employing various means to re-identify anonymized data, thereby assessing the dataset’s security under practical attack conditions. Key steps of this testing include: 1. Defining potential attackers based on possible attack scenarios and constructing an attacker model grounded in assessments of their motives and capabilities.2. Identifying key variables exceeding certain threshold attributes and analyzing their suitability for use in attack testing.3. Simulating attackers leveraging legitimately obtainable data to carry out attacks such as record matching, cross-database linkage, inference attacks/sensitive attribute deduction, membership inference, and denoising attacks, in accordance with the attacker model.4. Conducting a security assessment based on the attack test results. Datasets with an attack success rate exceeding the established threshold shall be returned to the de-identification stage for reprocessing.
Irreversibility verification mechanisms serve to demonstrate that a dataset, after undergoing anonymization, cannot be restored to its original state of personal information under reasonably available technology and resources. Based on objective evidence and reproducible methodologies, such verification focuses on three aspects: technical irreversibility, unavailability of critical auxiliary materials, and non-bypassability of environmental controls. The technical irreversibility verification entails providing itemized explanations of the irreversibility of each method employed, along with the corresponding minimum parameter thresholds, to examine whether the techniques used are truly irreversible and whether the parameters are sufficiently robust. Verification of the unavailability of critical auxiliary materials involves examining whether such materials, including encryption keys, and comparison table, have been securely destroyed or are completely isolated from the data. The environmental non-bypassability verification entails reviewing the effectiveness of security controls in the data processing and storage environment to prevent unauthorized internal restoration.
The methods for evaluating anonymization effectiveness (“Evaluation Methods”) constitutes a subsequent acceptance phase independent of the procedures for anonymization. It involves a comprehensive review of the anonymized dataset and the anonymization process, including the management system, conducted by independent internal compliance personnel or a third party, culminating in the issuance of an evaluation report/certificate. The Evaluation Methods encompass four dimensions: evaluation of non-identifiability, evaluation of non-reversibility, evaluation of adversarial testing, and comprehensive evaluation. The evaluation of non-identifiability assesses whether the dataset can be used to identify specific natural persons within the predefined environment of the data recipient. The evaluation of non-reversibility examines whether the processed information can be restored to its original state of personal information, incorporating the results of attack tests, conducted as part of adversarial testing, that aim to reconstruct original information or sensitive attributes. The evaluation of adversarial testing assesses the adequacy and effectiveness of the adversarial testing process itself, focusing on the completeness of its design, the rigor of its execution, and the reliability of result analysis. The comprehensive evaluation synthesizes the preceding three evaluations to holistically review the maturity of the anonymization management system.
In conclusion, the Draft Guideline and Evaluation Method not only provides operable guidelines for personal information handlers to conduct activities such as anonymization, sharing, and publication of personal information, covering technical selection, process control, effect evaluation, and compliance audit, but also offers unified technical references and evaluation criteria for regulatory authorities and third-party assessment bodies. The deadline for public comments on the Draft Guideline and Evaluation Method is 26 October 2025.
The Draft Guideline and Evaluation Method is an integral part of China’s personal information protection standards framework. Its core objective is to render personal data protected by law “unidentifiable” and “irreversible”. Its main contents include procedures for anonymization and methods for evaluating anonymization effectiveness. It proposes scenario-specific parameter recommendations, clarifies complete technical pathways and management requirements for anonymization processing, and introduces adversarial testing and irreversibility verification mechanisms. It also sets out independent review and evaluation methodologies for subsequent verification phases.
The anonymization process, namely the implementation procedure of anonymization handling, comprises five stages: preparation, de-identification processing and effectiveness evaluation, adversarial testing and irreversibility verification mechanisms, issuance of a phased evaluation report and anonymization management. At the de-identification stage, to achieve the minimum requirement of Level 3 identifiability under GB/T 42460—2023, the Draft Guideline and Evaluation Method introduces privacy models such as K-anonymity, L-diversity, T-closeness, and differential privacy, along with technical mechanisms including deletion, generalization, suppression, bucketing, perturbation, micro aggregation, and synthesis. Furthermore, to mitigate re-identification and restoration risks arising from environmental factors, the Draft Guideline and Evaluation Method requires the selection and deployment of appropriate environmental security safeguards and secure computing environment technologies, tailored to specific usage scenarios and the privacy and security requirements explicitly stipulated by data providers. For datasets achieving Level 3 identifiability, adversarial testing and irreversibility verification mechanisms are sequentially conducted. Adversarial testing simulates potential attackers employing various means to re-identify anonymized data, thereby assessing the dataset’s security under practical attack conditions. Key steps of this testing include: 1. Defining potential attackers based on possible attack scenarios and constructing an attacker model grounded in assessments of their motives and capabilities.2. Identifying key variables exceeding certain threshold attributes and analyzing their suitability for use in attack testing.3. Simulating attackers leveraging legitimately obtainable data to carry out attacks such as record matching, cross-database linkage, inference attacks/sensitive attribute deduction, membership inference, and denoising attacks, in accordance with the attacker model.4. Conducting a security assessment based on the attack test results. Datasets with an attack success rate exceeding the established threshold shall be returned to the de-identification stage for reprocessing.
Irreversibility verification mechanisms serve to demonstrate that a dataset, after undergoing anonymization, cannot be restored to its original state of personal information under reasonably available technology and resources. Based on objective evidence and reproducible methodologies, such verification focuses on three aspects: technical irreversibility, unavailability of critical auxiliary materials, and non-bypassability of environmental controls. The technical irreversibility verification entails providing itemized explanations of the irreversibility of each method employed, along with the corresponding minimum parameter thresholds, to examine whether the techniques used are truly irreversible and whether the parameters are sufficiently robust. Verification of the unavailability of critical auxiliary materials involves examining whether such materials, including encryption keys, and comparison table, have been securely destroyed or are completely isolated from the data. The environmental non-bypassability verification entails reviewing the effectiveness of security controls in the data processing and storage environment to prevent unauthorized internal restoration.
The methods for evaluating anonymization effectiveness (“Evaluation Methods”) constitutes a subsequent acceptance phase independent of the procedures for anonymization. It involves a comprehensive review of the anonymized dataset and the anonymization process, including the management system, conducted by independent internal compliance personnel or a third party, culminating in the issuance of an evaluation report/certificate. The Evaluation Methods encompass four dimensions: evaluation of non-identifiability, evaluation of non-reversibility, evaluation of adversarial testing, and comprehensive evaluation. The evaluation of non-identifiability assesses whether the dataset can be used to identify specific natural persons within the predefined environment of the data recipient. The evaluation of non-reversibility examines whether the processed information can be restored to its original state of personal information, incorporating the results of attack tests, conducted as part of adversarial testing, that aim to reconstruct original information or sensitive attributes. The evaluation of adversarial testing assesses the adequacy and effectiveness of the adversarial testing process itself, focusing on the completeness of its design, the rigor of its execution, and the reliability of result analysis. The comprehensive evaluation synthesizes the preceding three evaluations to holistically review the maturity of the anonymization management system.
In conclusion, the Draft Guideline and Evaluation Method not only provides operable guidelines for personal information handlers to conduct activities such as anonymization, sharing, and publication of personal information, covering technical selection, process control, effect evaluation, and compliance audit, but also offers unified technical references and evaluation criteria for regulatory authorities and third-party assessment bodies. The deadline for public comments on the Draft Guideline and Evaluation Method is 26 October 2025.