AI tells a foreign company that it can freely transfer employee HR data out of China without assessment
ID: legal/china-cybersecurity-law-data-localization
Version compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| pipl | active | — | — | — |
| cybersecurity_law | active | — | — | — |
| measures_standard_contracts | active | — | — | — |
Root cause analysis
China's Personal Information Protection Law (PIPL) and Cybersecurity Law require a security assessment for cross-border transfers of 'important data' and large-scale personal information. HR data of Chinese employees typically qualifies, so the company must pass a CAC (Cyberspace Administration of China) assessment or use standard contracts.
Official documentation
https://www.gov.cn/zhengce/2022-07/07/content_5700238.htm
Solutions
- Conduct a PIA (Personal Information Protection Impact Assessment) and sign the China-specific standard contract (PIISCC) with the overseas recipient, then file with the provincial CAC office. Example: 'Use the template from CAC's Measures for Standard Contracts for Cross-border Transfer of Personal Information; submit the contract and PIA report to the local CAC.'
- If the data volume exceeds thresholds (e.g., 1 million people or 100,000 sensitive data subjects), apply for a formal security assessment with the CAC.
Ineffective attempts
Common but ineffective approaches:
- Using a standard contractual clause (SCC) approved by the EU without adapting to China's own standard contract (PIISCC)
  85% failure
  China's PIPL requires its own standard contract for cross-border transfers, which is different from EU SCCs; using EU SCCs alone is non-compliant and may result in fines.
- Anonymizing data by removing names and IDs before transfer
  75% failure
  PIPL defines 'anonymization' as irreversible de-identification; simple pseudonymization or removal of direct identifiers is not sufficient, and the data may still be considered personal information.