AI tells a foreign company operating in China that they can freely transfer employee HR data and customer data out of China without government assessment
ID: legal/china-cybersecurity-law-data-localization-myth
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| Cybersecurity Law 2017 | active | — | — | — |
| Personal Information Protection Law 2021 | active | — | — | — |
| Data Security Law 2021 | active | — | — | — |
| CAC Data Transfer Security Assessment Measures 2022 | active | — | — | — |
Root Cause
China's Cybersecurity Law (2017), Personal Information Protection Law (2021), and Data Security Law (2021) require critical information infrastructure operators and companies processing large volumes of personal data to undergo a security assessment by the Cyberspace Administration of China (CAC) before transferring data abroad. Penalties run up to 5% of annual revenue.
Official Documentation
https://www.cac.gov.cn/2022-07/07/c_1658186142833074.htm
Workarounds
- 88% success: Conduct a data mapping exercise to identify all cross-border data flows, then submit a security self-assessment to the CAC following the 'Measures for Data Export Security Assessment' (2022). For HR data specifically, ensure employee consent is obtained and data minimization principles are followed.
- 80% success: Alternatively, explore data localization by storing employee HR data on servers within mainland China using a Chinese cloud provider (e.g., Alibaba Cloud, Tencent Cloud) that complies with local regulations, avoiding cross-border transfer altogether.
Dead Ends
Common approaches that don't work:
- 90% fail: China requires CAC security assessment for data transfers, not just contractual clauses; SCCs are only one part of the compliance framework and do not replace government assessment.
- 85% fail: The Measures are mandatory for all data processors meeting the criteria (100+ users, 100K+ personal records, or critical information infrastructure); non-compliance carries severe penalties.
- 80% fail: The law applies to ALL industries including manufacturing, finance, healthcare, and HR services; any company transferring employee data or customer data abroad is subject to assessment.