PIPL_CROSS_BORDER_HR legal data_compliance ai_generated partial

AI tells a foreign company that they can freely transfer employee HR data out of China without assessment

ID: legal/china-cybersecurity-law-data-localization

Fix Rate: 80%
Confidence: 87%
Evidence: 1
First Seen: 2024-03-01

Version Compatibility

Version                      Status   Introduced   Deprecated   Notes
pipl                         active
cybersecurity_law            active
measures_standard_contracts  active

Root Cause

China's Personal Information Protection Law (PIPL) and Cybersecurity Law require a security assessment for cross-border transfers of 'important data' and of large-scale personal information. HR data of Chinese employees typically qualifies, and the company must pass a CAC (Cyberspace Administration of China) assessment or use standard contracts.

Official Documentation

https://www.gov.cn/zhengce/2022-07/07/content_5700238.htm

Workarounds

  1. (80% success) Conduct a PIA (Personal Information Protection Impact Assessment) and sign the China-specific standard contract (PIISCC) with the overseas recipient, then file with the provincial CAC office. Example: 'Use the template from CAC's Measures for Standard Contracts for Cross-border Transfer of Personal Information; submit the contract and PIA report to the local CAC.'
  2. (65% success) If the data volume exceeds thresholds (e.g., 1 million people or 100,000 sensitive data subjects), apply for a formal security assessment with the CAC.

Dead Ends

Common approaches that don't work:

  1. Using a standard contractual clause (SCC) approved by the EU without adapting to China's own standard contract (PIISCC) (85% fail)

    China's PIPL requires its own standard contract for cross-border transfers, which is different from EU SCCs; using EU SCCs alone is non-compliant and may result in fines.

  2. Anonymizing data by removing names and IDs before transfer (75% fail)

    PIPL defines 'anonymization' as irreversible de-identification. Simple pseudonymization or removal of direct identifiers is not sufficient, and the data may still be considered personal information.