legal regulatory_barrier ai_generated partial

AI tells a foreign company operating in China that they can freely transfer employee HR data and customer data out of China without government assessment

ID: legal/china-cybersecurity-law-data-localization-myth

Fix rate: 85%
Confidence: 90%
Evidence count: 1
First observed: 2024-04-05

Version compatibility

Version | Status | Introduced | Deprecated | Notes
Cybersecurity Law 2017 | active | | |
Personal Information Protection Law 2021 | active | | |
Data Security Law 2021 | active | | |
CAC Data Transfer Security Assessment Measures 2022 | active | | |

Root cause analysis

China's Cybersecurity Law (2017), Personal Information Protection Law (2021), and Data Security Law (2021) require critical information infrastructure operators and companies processing large volumes of personal data to undergo a security assessment by the Cyberspace Administration of China (CAC) before transferring data abroad, with penalties up to 5% of annual revenue

generic

Official documentation

https://www.cac.gov.cn/2022-07/07/c_1658186142833074.htm

Solutions

  1. Conduct a data mapping exercise to identify all cross-border data flows, then submit a security self-assessment to the CAC following the 'Measures for Data Export Security Assessment' (2022). For HR data specifically, ensure employee consent is obtained and data minimization principles are followed.
  2. Alternatively, explore data localization by storing employee HR data on servers within mainland China using a Chinese cloud provider (e.g., Alibaba Cloud, Tencent Cloud) that complies with local regulations, avoiding cross-border transfer altogether.

Ineffective attempts

Common but ineffective approaches:

  1. 90% failure rate

    China requires CAC security assessment for data transfers, not just contractual clauses; SCCs are only one part of the compliance framework and do not replace government assessment

  2. 85% failure rate

    The Measures are mandatory for all data processors meeting the criteria (100+ users, 100K+ personal records, or critical information infrastructure); non-compliance carries severe penalties

  3. 80% failure rate

    The law applies to ALL industries including manufacturing, finance, healthcare, and HR services; any company transferring employee data or customer data abroad is subject to assessment