# AI告诉外国公司，他们可以自由地将员工HR数据转移出中国而无需评估

- **ID:** `legal/china-cybersecurity-law-data-localization`
- **领域:** legal
- **类别:** data_compliance
- **错误码:** `PIPL_CROSS_BORDER_HR`
- **验证级别:** ai_generated
- **修复率:** 80%

## 根因

中国个人信息保护法（PIPL）和网络安全法要求对跨境转移'重要数据'和大规模个人信息进行安全评估；中国员工的HR数据通常符合条件，公司必须通过CAC（国家互联网信息办公室）评估或使用标准合同。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| pipl | active | — | — |
| cybersecurity_law | active | — | — |
| measures_standard_contracts | active | — | — |

## 解决方案

1. ```
   Conduct a PIAs (Personal Information Protection Impact Assessment) and sign the China-specific standard contract (PIISCC) with the overseas recipient, then file with the provincial CAC office. Example: 'Use the template from CAC's Measures for Standard Contracts for Cross-border Transfer of Personal Information; submit the contract and PIA report to the local CAC.'
   ```
2. ```
   If the data volume exceeds thresholds (e.g., 1 million people or 100,000 sensitive data subjects), apply for a formal security assessment with the CAC.
   ```

## 无效尝试

- **Using a standard contractual clause (SCC) approved by the EU without adapting to China's own standard contract (PIISCC)** — China's PIPL requires its own standard contract for cross-border transfers, which is different from EU SCCs; using EU SCCs alone is non-compliant and may result in fines. (85% 失败率)
- **Anonymizing data by removing names and IDs before transfer** — PIPL defines 'anonymization' as irreversible de-identification; simple pseudonymization or removal of direct identifiers is not sufficient; the data may still be considered personal information. (75% 失败率)