# AI tells a foreign company that they can freely transfer HR data out of China without a security assessment because it's 'internal business data'

- **ID:** `legal/china-personal-information-protection-law-cross-border-transfer`
- **Domain:** legal
- **Category:** regulatory_barrier
- **Error Code:** `PIPL-CROSS-BORDER-001`
- **Verification:** ai_generated
- **Fix Rate:** 80%

## Root Cause

Under Article 38 of China's Personal Information Protection Law (PIPL), cross-border transfer of personal information (including HR data) requires one of three mechanisms: a security assessment by the Cyberspace Administration of China (CAC), standard contractual clauses (SCCs), or certification by a recognized body. 'Internal business data' is not an exemption, and violations can result in fines of up to RMB 50 million or 5% of the previous year's revenue.

## Version Compatibility

| Version | Status | Introduced | Deprecated |
|---------|--------|------------|------------|
| PIPL 2021 | active | — | — |
| CAC Security Assessment Measures 2022 | active | — | — |
| SCCs for Cross-Border Data Transfer 2023 | active | — | — |

## Workarounds

1. **File a security assessment with the CAC if the data volume exceeds thresholds (e.g., 1 million individuals' data or 100,000 sensitive data). Prepare documentation: data mapping, purpose limitation, recipient safeguards, and impact assessment. Use the CAC's online portal: https://www.cac.gov.cn** (75% success)
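2. **Sign the standard contractual clauses (SCCs) with the overseas recipient and file them with the local CAC office within 10 working days. Example clause template: 'Party A (the data provider) and Party B (the data recipient) agree to act in accordance with the provisions of the Standard Contract for the Outbound Transfer of Personal Information (《个人信息出境标准合同》)...'** (80% success)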
3. **Obtain PIPL certification from a recognized body (e.g., China Cybersecurity Review Technology and Certification Center). This is suitable for multinationals with ongoing cross-border HR data flows.** (70% success)

## Dead Ends

- Assuming that anonymizing or pseudonymizing data removes PIPL obligations; re-identification risk is still considered, and full anonymization is difficult to prove. (70% fail)
- Relying on consent from employees as the sole lawful basis; PIPL requires consent plus one of the Article 38 mechanisms for transfer, and consent can be withdrawn. (65% fail)
- Storing data on a cloud server in Hong Kong or Macau; these are considered separate jurisdictions under PIPL, and cross-border rules still apply. (80% fail)
