{
  "id": "legal/china-personal-information-protection-law-cross-border-transfer",
  "signature": "AI tells a foreign company that they can freely transfer HR data out of China without a security assessment because it's 'internal business data'",
  "signature_zh": "AI 告诉外国公司，他们可以自由地将人力资源数据转移出中国而无需安全评估，因为这是“内部业务数据”",
  "regex": "freely transfer (HR|employee|personal) data out of China (without|no need for) (security )?assessment (because|as) (it's|is) (internal )?business data",
  "domain": "legal",
  "category": "regulatory_barrier",
  "subcategory": null,
  "root_cause": "Under Article 38 of China's Personal Information Protection Law (PIPL), cross-border transfer of personal information (including HR data) requires one of the following: a security assessment by the Cyberspace Administration of China (CAC), standard contractual clauses (SCCs), or certification by a recognized body. 'Internal business data' is not an exemption, and violations can result in fines of up to RMB 50 million or 5% of the previous year's revenue.",
  "root_cause_type": "generic",
  "root_cause_zh": "根据中国个人信息保护法 (PIPL) 第 38 条，跨境转移个人信息（包括人力资源数据）需要经过网信办的安全评估、签订标准合同条款 (SCC) 或获得认可机构的认证；“内部业务数据”并非豁免情形，违规可导致最高 5000 万元人民币或上一年度收入 5% 的罚款。",
  "versions": [
    {
      "version": "PIPL 2021",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "CAC Security Assessment Measures 2022",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    },
    {
      "version": "SCCs for Cross-Border Data Transfer 2023",
      "introduced": null,
      "deprecated": null,
      "removed": null,
      "behavior_change": null,
      "status": "active"
    }
  ],
  "os_specific": {},
  "dead_ends": [
    {
      "action": "",
      "why_fails": "Assuming that anonymizing or pseudonymizing data removes PIPL obligations; re-identification risk is still considered, and full anonymization is difficult to prove.",
      "fail_rate": 0.7,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Relying on consent from employees as the sole lawful basis; PIPL requires consent plus one of the Article 38 mechanisms for transfer, and consent can be withdrawn.",
      "fail_rate": 0.65,
      "condition": "",
      "sources": []
    },
    {
      "action": "",
      "why_fails": "Storing data on a cloud server in Hong Kong or Macau; these are considered separate jurisdictions under PIPL, and cross-border rules still apply.",
      "fail_rate": 0.8,
      "condition": "",
      "sources": []
    }
  ],
  "workarounds": [
    {
      "action": "File a security assessment with the CAC if the data volume exceeds thresholds (e.g., 1 million individuals' data or 100,000 sensitive data). Prepare documentation: data mapping, purpose limitation, recipient safeguards, and impact assessment. Use the CAC's online portal: https://www.cac.gov.cn",
      "success_rate": 0.75,
      "how": "File a security assessment with the CAC if the data volume exceeds thresholds (e.g., 1 million individuals' data or 100,000 sensitive data). Prepare documentation: data mapping, purpose limitation, recipient safeguards, and impact assessment. Use the CAC's online portal: https://www.cac.gov.cn",
      "condition": "",
      "sources": []
    },
    {
      "action": "Sign the standard contractual clauses (SCCs) with the overseas recipient and file them with the local CAC office within 10 working days. Example clause template: '甲方（数据提供方）与乙方（数据接收方）同意按照《个人信息出境标准合同》规定执行...'",
      "success_rate": 0.8,
      "how": "Sign the standard contractual clauses (SCCs) with the overseas recipient and file them with the local CAC office within 10 working days. Example clause template: '甲方（数据提供方）与乙方（数据接收方）同意按照《个人信息出境标准合同》规定执行...'",
      "condition": "",
      "sources": []
    },
    {
      "action": "Obtain PIPL certification from a recognized body (e.g., China Cybersecurity Review Technology and Certification Center). This is suitable for multinationals with ongoing cross-border HR data flows.",
      "success_rate": 0.7,
      "how": "Obtain PIPL certification from a recognized body (e.g., China Cybersecurity Review Technology and Certification Center). This is suitable for multinationals with ongoing cross-border HR data flows.",
      "condition": "",
      "sources": []
    }
  ],
  "workarounds_zh": [
    "File a security assessment with the CAC if the data volume exceeds thresholds (e.g., 1 million individuals' data or 100,000 sensitive data). Prepare documentation: data mapping, purpose limitation, recipient safeguards, and impact assessment. Use the CAC's online portal: https://www.cac.gov.cn",
    "Sign the standard contractual clauses (SCCs) with the overseas recipient and file them with the local CAC office within 10 working days. Example clause template: '甲方（数据提供方）与乙方（数据接收方）同意按照《个人信息出境标准合同》规定执行...'",
    "Obtain PIPL certification from a recognized body (e.g., China Cybersecurity Review Technology and Certification Center). This is suitable for multinationals with ongoing cross-border HR data flows."
  ],
  "transition_graph": {
    "leads_to": [],
    "preceded_by": [],
    "frequently_confused_with": []
  },
  "official_doc_url": "https://www.cac.gov.cn/2022-07/07/c_1658381594252832.htm",
  "official_doc_section": null,
  "error_code": "PIPL-CROSS-BORDER-001",
  "verification_tier": "ai_generated",
  "confidence": 0.87,
  "fix_success_rate": 0.8,
  "resolvable": "partial",
  "first_seen": "2023-11-15",
  "last_confirmed": "2024-06-01",
  "last_updated": "2024-06-01",
  "evidence_count": 1,
  "tags": [],
  "locale": "en",
  "aliases": []
}