# AI告诉在华经营的外国公司，他们可以在未经政府评估的情况下自由将员工人力资源数据和客户数据转移出中国

- **ID:** `legal/china-cybersecurity-law-data-localization-myth`
- **领域:** legal
- **类别:** regulatory_barrier
- **验证级别:** ai_generated
- **修复率:** 85%

## 根因

中国《网络安全法》(2017年)、《个人信息保护法》(2021年)和《数据安全法》(2021年)要求关键信息基础设施运营者和处理大量个人数据的公司在向境外传输数据前，必须通过国家互联网信息办公室(CAC)的安全评估，违规处罚最高可达年收入的5%

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| Cybersecurity Law 2017 | active | — | — |
| Personal Information Protection Law 2021 | active | — | — |
| Data Security Law 2021 | active | — | — |
| CAC Data Transfer Security Assessment Measures 2022 | active | — | — |

## 解决方案

1. ```
   Conduct a data mapping exercise to identify all cross-border data flows, then submit a security self-assessment to the CAC following the 'Measures for Data Export Security Assessment' (2022). For HR data specifically, ensure employee consent is obtained and data minimization principles are followed.
   ```
2. ```
   Alternatively, explore data localization by storing employee HR data on servers within mainland China using a Chinese cloud provider (e.g., Alibaba Cloud, Tencent Cloud) that complies with local regulations, avoiding cross-border transfer altogether
   ```

## 无效尝试

- **** — China requires CAC security assessment for data transfers, not just contractual clauses; SCCs are only one part of the compliance framework and do not replace government assessment (90% 失败率)
- **** — The Measures are mandatory for all data processors meeting the criteria (100+ users, 100K+ personal records, or critical information infrastructure); non-compliance carries severe penalties (85% 失败率)
- **** — The law applies to ALL industries including manufacturing, finance, healthcare, and HR services; any company transferring employee data or customer data abroad is subject to assessment (80% 失败率)