- The paper presents a multilingual model that uses a schema-driven approach and synthetic data to extract 42 fine-grained PII types at precise character spans.
- The paper implements a constraint-based synthetic data generation pipeline across seven languages to overcome training data scarcity and ensure diverse entity representation.
- The paper demonstrates superior performance on the SPY benchmark, achieving higher recall and balanced precision in legal and medical domains compared to public baselines.
Introduction
GLiNER2-PII addresses the complex problem of detecting personally identifiable information (PII) in unstructured text. The model is designed for high-precision, multilingual extraction of PII, which is critical for compliance with privacy-centric regulatory frameworks such as GDPR and CCPA. The PII extraction challenge is characterized by highly heterogeneous and context-dependent entity types, varied across locale and format, and a scarcity of annotated, shareable training corpora due to privacy constraints. GLiNER2-PII overcomes these obstacles via a schema-driven architecture and the synthesis of a curated multilingual synthetic corpus using a constraint-based generation pipeline.
Architecture and Methodology
GLiNER2-PII is a 0.3B-parameter model derived from the GLiNER2 schema-driven information extraction framework. The model is fine-tuned for exact character-span-level extraction over a granular schema of 42 PII entity types, spanning personal identity, contact/location, government identifiers, banking/payment, digital identity, secrets/credentials, and sensitive dates. This fine-grained inventory allows for both coarse and highly specific redaction strategies, enabling downstream systems to operate at different policy granularities.
At inference, the model consumes an input text x and a schema Y={(yi​,di​)}i=1M​ of target entity types (with optional descriptions), and emits all matched spans with confidence scores. This schema conditioning permits zero-shot and few-shot extension to custom label sets without architectural retraining. The model supports deployment scenarios in diverse regulatory or organizational environments, where schemas are dynamic and fine distinctions between sensitive entity subtypes are necessary.
Synthetic Data Generation
Given the prohibitive challenges of collecting and sharing real-world annotated PII texts, GLiNER2-PII is trained entirely on synthetic data. The data generation pipeline, adapted from the Pioneer Agent's constraint-driven methodology, automates the production of 4,910 texts annotated for span-level PII entities across seven languages (English, French, Spanish, German, Italian, Portuguese, and Dutch). The pipeline conditions LLMs on both structural constraints—e.g., required/entity-type counts, label-exclusion constraints—and diversity constraints (document type, locale, register, tone) to simulate realistic and varied PII occurrences.
This approach enables entity nesting, so for example, a full_name span may overlap with inner first_name and last_name, and a url could encapsulate a credential token. This design supports nuanced downstream policy enforcement, from conservative over-masking to precision masking.
Evaluation Protocol
GLiNER2-PII is evaluated against four strong public baselines: OpenAI Privacy Filter (BIOES-based token classifier), NVIDIA GLiNER PII, urchade/gliner_multi_pii-v1, and knowledgator/gliner-pii-base-v1.0. All models have varying internal categorization schemas, necessitating a deterministic, unified label mapping to the SPY benchmark's seven categories: name, address, email, phone number, ID number, URL, username.
The primary metric is exact-match span-level F1, requiring both label and span boundary alignment. Recall is emphasized due to the high cost of false negatives in real redaction pipelines.
Empirical Results
GLiNER2-PII achieves the highest span-level F1 on both the legal and medical subsets of the SPY benchmark and leads in overall average F1 across the five compared models.
Figure 1: Span-level F1 on the SPY benchmark, where GLiNER2-PII exhibits superior overall performance in both legal and medical domains.
The model attains recall scores of 0.722 (legal) and 0.681 (medical), substantially surpassing both other GLiNER variants and the OpenAI Privacy Filter baseline in recall with more balanced precision. While OpenAI Privacy Filter's recall is competitive, its low precision results in excessive over-masking. Urchade/gliner_multi_pii-v1 achieves the highest precision but at the expense of recall, reflecting a conservative extraction threshold. GLiNER2-PII achieves a more favorable balance, prioritizing high recall while maintaining reasonable precision, which is operationally desirable for privacy-preserving pipelines.
Discussion, Limitations, and Implications
A significant observation is that models trained exclusively on meticulously synthesized data from large decoder LMs can generalize effectively to naturally sampled text, even in out-of-domain (OOD) scenarios. This demonstrates the value of schema-diverse and format-varied synthetic annotation frameworks for low-resource privacy NLP. Label granularity in the training schema further assists the model in capturing broader category representations, as evidenced by notable gains in the "name" entity category.
The main persisting limitation is tendency towards false positives, particularly in name extraction, where model confusions include misclassification of organization and product names. Post-hoc techniques such as label-specific calibration or the integration of lightweight filtering modules could mitigate this, offering a pathway to improved deployment robustness.
Notably, evaluation is currently limited to legal and medical datasets, and all synthetic annotations remain unvalidated by human experts. Future directions include human-in-the-loop gold annotation, extending language/domain diversity in training, and end-to-end benchmarking in real redaction pipelines to profile both detection accuracy and inference efficiency.
The practical implication of GLiNER2-PII is the feasibility of deploying efficient, privacy-centric entity extraction components with broad schema adaptability, competitive accuracy, and the ability to plug into diverse international regulatory contexts. The public release of both model weights and codebase supports open experimentation and integration.
Conclusion
GLiNER2-PII establishes new state-of-the-art performance on multilingual span-level PII extraction, surpassing both token-classification and schema-conditioned baselines in F1 and recall. The results provide compelling evidence that synthetic training data, when generated under tightly controlled schema and diversity constraints, can support high-transfer, effective privacy-preserving NLP models. Further refinement and evaluation in broader, real-world conditions—with increased emphasis on calibration and error analysis—will elucidate remaining challenges in robust, high-stakes PII extraction.