PIPL-CROSS-BORDER-001 legal regulatory_barrier ai_generated partial

AI tells a foreign company that they can freely transfer HR data out of China without a security assessment because it's 'internal business data'

ID: legal/china-personal-information-protection-law-cross-border-transfer

Fix Rate: 80%
Confidence: 87%
Evidence: 1
First Seen: 2023-11-15

Version Compatibility

Version                                  Status   Introduced   Deprecated   Notes
PIPL                                     active   2021
CAC Security Assessment Measures         active   2022
SCCs for Cross-Border Data Transfer      active   2023

Root Cause

Under Article 38 of China's Personal Information Protection Law (PIPL), a personal information handler may provide personal information (HR and employee data included) to a recipient outside mainland China only if one of the statutory mechanisms is in place: a security assessment organised by the CAC (Article 40), certification by a CAC-recognised professional body, or the CAC-issued standard contract (SCCs) concluded with the overseas recipient. Labelling the data 'internal business data' is not one of those mechanisms and creates no exemption; Article 39 additionally requires that the individuals be informed and give separate consent. Violations can be fined up to RMB 50 million or 5% of the previous year's turnover (Article 66), with further penalties for the individuals directly responsible.

Official Documentation

https://www.cac.gov.cn/2022-07/07/c_1658381594252832.htm

Workarounds

  1. 75% success: File a security assessment with the CAC where the 2022 Security Assessment Measures make it mandatory: the handler is a critical information infrastructure operator or exports important data, processes the personal information of more than 1 million individuals, or since 1 January of the previous year has exported the personal information of 100,000 or more individuals or the sensitive personal information of 10,000 or more individuals. Prepare a data map, the purpose and necessity of the transfer, the recipient's safeguards, and a self-assessment (impact assessment) report. The application is submitted through the provincial-level CAC office to the national CAC; the measures and application materials are published at https://www.cac.gov.cn
  2. 80% success: Sign the CAC standard contract (SCCs) with the overseas recipient and file the executed contract, together with the personal information protection impact assessment, with the provincial CAC office within 10 working days of the contract taking effect. This route is only open to handlers below the security-assessment thresholds (not a CIIO, fewer than 1 million individuals processed, and fewer than 100,000 individuals' personal information or 10,000 individuals' sensitive personal information exported since 1 January of the previous year). Example opening clause, translated from the Chinese template: 'Party A (the data provider) and Party B (the data recipient) agree to perform in accordance with the Standard Contract for the Outbound Transfer of Personal Information (《个人信息出境标准合同》)...'
  3. 70% success: Obtain personal information protection certification from a CAC-recognised body (e.g., the China Cybersecurity Review Technology and Certification Center, CCRC). This suits multinationals with ongoing intra-group HR data flows, since a single certification can cover recurring transfers rather than a contract per recipient.

Dead Ends

Common approaches that don't work:

  1. 70% fail: Assuming that anonymising or pseudonymising the data removes PIPL obligations. Only information that can no longer identify a specific natural person and cannot be restored (PIPL Article 73) falls outside the law; pseudonymised or de-identified data is still personal information, and proving that a dataset is truly anonymised, given the re-identification risk, is difficult in practice.
  2. 65% fail: Relying on employee consent as the sole basis for the transfer. Article 39 requires notice and separate consent in addition to one of the Article 38 mechanisms, consent can be withdrawn at any time, and it does not substitute for the assessment, SCCs or certification.
  3. 80% fail: Moving the data to a cloud server in Hong Kong or Macau. For the purposes of PIPL these are outside mainland China, so the transfer is still an outbound transfer and the cross-border rules apply in full.