{
  "id": "legal/china-cybersecurity-law-data-localization",
  "signature": "AI tells a foreign company that they can freely transfer employee HR data out of China without assessment",
  "signature_zh": "AI告诉外国公司，他们可以自由地将员工HR数据转移出中国而无需评估",
  "regex": "PIPL.*cross.?border|data.*localization.*China|employee.*data.*China.*transfer|CAC.*assessment",
  "domain": "legal",
  "category": "data_compliance",
  "subcategory": null,
  "root_cause": "China's Personal Information Protection Law (PIPL) and Cybersecurity Law require a security assessment for cross-border transfer of 'important data' and of large-scale personal information; HR data of Chinese employees typically qualifies, and the company must pass a CAC (Cyberspace Administration of China) assessment or use standard contracts.",
  "root_cause_type": "generic",
  "root_cause_zh": "中国个人信息保护法（PIPL）和网络安全法要求对跨境转移'重要数据'和大规模个人信息进行安全评估；中国员工的HR数据通常符合条件，公司必须通过CAC（国家互联网信息办公室）评估或使用标准合同。",
  "versions": [
    {
      "version": "pipl",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "cybersecurity_law",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "measures_standard_contracts",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "Using a standard contractual clause (SCC) approved by the EU without adapting to China's own standard contract (PIISCC)",
      "why_fails": "China's PIPL requires its own standard contract for cross-border transfers, which is different from EU SCCs; using EU SCCs alone is non-compliant and may result in fines.",
      "fail_rate": 0.85,
      "condition": "",
      "sources": []
    },
    {
      "action": "Anonymizing data by removing names and IDs before transfer",
      "why_fails": "PIPL defines 'anonymization' as irreversible de-identification; simple pseudonymization or removal of direct identifiers is not sufficient; the data may still be considered personal information.",
      "fail_rate": 0.75,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "Conduct a PIA (Personal Information Protection Impact Assessment) and sign the China-specific standard contract (PIISCC) with the overseas recipient, then file with the provincial CAC office. Example: 'Use the template from CAC's Measures for Standard Contracts for Cross-border Transfer of Personal Information; submit the contract and PIA report to the local CAC.'",
      "success_rate": 0.8,
      "how": "Conduct a PIA (Personal Information Protection Impact Assessment) and sign the China-specific standard contract (PIISCC) with the overseas recipient, then file with the provincial CAC office. Example: 'Use the template from CAC's Measures for Standard Contracts for Cross-border Transfer of Personal Information; submit the contract and PIA report to the local CAC.'",
      "condition": "",
      "sources": []
    },
    {
      "action": "If the data volume exceeds thresholds (e.g., 1 million people or 100,000 sensitive data subjects), apply for a formal security assessment with the CAC.",
      "success_rate": 0.65,
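      "how": "If the data volume exceeds thresholds (e.g., 1 million people or 100,000 sensitive data subjects), apply for a formal security assessment with the CAC. Thresholds are set by CAC rules and may be revised; confirm the figures in force at the time of transfer.",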
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "Conduct a PIA (Personal Information Protection Impact Assessment) and sign the China-specific standard contract (PIISCC) with the overseas recipient, then file with the provincial CAC office. Example: 'Use the template from CAC's Measures for Standard Contracts for Cross-border Transfer of Personal Information; submit the contract and PIA report to the local CAC.'",
    "If the data volume exceeds thresholds (e.g., 1 million people or 100,000 sensitive data subjects), apply for a formal security assessment with the CAC."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://www.gov.cn/zhengce/2022-07/07/content_5700238.htm",
  "official_doc_section": null,
  "error_code": "PIPL_CROSS_BORDER_HR",
  "verification_tier": "ai_generated",
  "confidence": 0.87,
  "fix_success_rate": 0.8,
  "resolvable": "partial",
  "first_seen": "2024-03-01",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}