# AI tells a foreign company that they can freely transfer employee HR data out of China without assessment

- **ID:** `legal/china-cybersecurity-law-data-localization`
- **Domain:** legal
- **Category:** data_compliance
- **Error Code:** `PIPL_CROSS_BORDER_HR`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

China's Personal Information Protection Law (PIPL) and Cybersecurity Law require a security assessment for cross-border transfers of 'important data' and of large-scale personal information. HR data of Chinese employees typically qualifies, and the company must pass a CAC (Cyberspace Administration) assessment or use standard contracts.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| pipl | active | — | — |
| cybersecurity_law | active | — | — |
| measures_standard_contracts | active | — | — |

## Workarounds

1. **Conduct a PIA (Personal Information Protection Impact Assessment) and sign the China-specific standard contract (PIISCC) with the overseas recipient, then file with the provincial CAC office. Example: 'Use the template from CAC's Measures for Standard Contracts for Cross-border Transfer of Personal Information; submit the contract and PIA report to the local CAC.'** (80% success)
2. **If the data volume exceeds thresholds (e.g., 1 million people or 100,000 sensitive data subjects), apply for a formal security assessment with the CAC.** (65% success)

## Dead Ends

- **Using a standard contractual clause (SCC) approved by the EU without adapting to China's own standard contract (PIISCC)** — China's PIPL requires its own standard contract for cross-border transfers, which is different from EU SCCs; using EU SCCs alone is non-compliant and may result in fines. (85% fail)
- **Anonymizing data by removing names and IDs before transfer** — PIPL defines 'anonymization' as irreversible de-identification; simple pseudonymization or removal of direct identifiers is not sufficient; the data may still be considered personal information. (75% fail)
