{
  "id": "legal/china-cybersecurity-law-data-localization-myth",
  "signature": "AI tells a foreign company operating in China that they can freely transfer employee HR data and customer data out of China without government assessment",
  "signature_zh": "AI告诉在华经营的外国公司，他们可以在未经政府评估的情况下自由将员工人力资源数据和客户数据转移出中国",
  "regex": "(?i)(china.*(?:data transfer|data localization|cybersecurity|personal information|cross-border|employee data|hr data)|beijing.*(?:data|cybersecurity))",
  "domain": "legal",
  "category": "regulatory_barrier",
  "subcategory": null,
  "root_cause": "China's Cybersecurity Law (2017), Personal Information Protection Law (2021), and Data Security Law (2021) require critical information infrastructure operators and companies processing large volumes of personal data to undergo a security assessment by the Cyberspace Administration of China (CAC) before transferring data abroad, with penalties up to 5% of annual revenue",
  "root_cause_type": "generic",
  "root_cause_zh": "中国《网络安全法》(2017年)、《个人信息保护法》(2021年)和《数据安全法》(2021年)要求关键信息基础设施运营者和处理大量个人数据的公司在向境外传输数据前，必须通过国家互联网信息办公室(CAC)的安全评估，违规处罚最高可达年收入的5%",
  "versions": [
    {
      "version": "Cybersecurity Law 2017",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Personal Information Protection Law 2021",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "Data Security Law 2021",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "CAC Data Transfer Security Assessment Measures 2022",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "China requires CAC security assessment for data transfers, not just contractual clauses; SCCs are only one part of the compliance framework and do not replace government assessment",
      "fail_rate": 0.9,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The Measures are mandatory for all data processors meeting the criteria (100+ users, 100K+ personal records, or critical information infrastructure); non-compliance carries severe penalties",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "The law applies to ALL industries including manufacturing, finance, healthcare, and HR services; any company transferring employee data or customer data abroad is subject to assessment",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Conduct a data mapping exercise to identify all cross-border data flows, then submit a security self-assessment to the CAC following the 'Measures for Data Export Security Assessment' (2022). For HR data specifically, ensure employee consent is obtained and data minimization principles are followed.",
      "success_rate": 0.88,
      "how": "Conduct a data mapping exercise to identify all cross-border data flows, then submit a security self-assessment to the CAC following the 'Measures for Data Export Security Assessment' (2022). For HR data specifically, ensure employee consent is obtained and data minimization principles are followed.",
      "condition": "",
      "sources": []
    },
    {
      "action": "Alternatively, explore data localization by storing employee HR data on servers within mainland China using a Chinese cloud provider (e.g., Alibaba Cloud, Tencent Cloud) that complies with local regulations, avoiding cross-border transfer altogether",
      "success_rate": 0.8,
      "how": "Alternatively, explore data localization by storing employee HR data on servers within mainland China using a Chinese cloud provider (e.g., Alibaba Cloud, Tencent Cloud) that complies with local regulations, avoiding cross-border transfer altogether",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Conduct a data mapping exercise to identify all cross-border data flows, then submit a security self-assessment to the CAC following the 'Measures for Data Export Security Assessment' (2022). For HR data specifically, ensure employee consent is obtained and data minimization principles are followed.",
    "Alternatively, explore data localization by storing employee HR data on servers within mainland China using a Chinese cloud provider (e.g., Alibaba Cloud, Tencent Cloud) that complies with local regulations, avoiding cross-border transfer altogether"
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://www.cac.gov.cn/2022-07/07/c_1658186142833074.htm",
  "official_doc_section": null,
  "error_code": null,
  "verification_tier": "ai_generated",
  "confidence": 0.9,
  "fix_success_rate": 0.85,
  "resolvable": "partial",
  "first_seen": "2024-04-05",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}