PIPL-CROSS-BORDER-001 legal regulatory_barrier ai_generated partial

AI 告诉外国公司,他们可以自由地将人力资源数据转移出中国,因为这是“内部业务数据”

AI tells a foreign company that they can freely transfer HR data out of China without a security assessment because it's 'internal business data'

ID: legal/china-personal-information-protection-law-cross-border-transfer

其他格式: JSON · Markdown 中文 · English
80%修复率
87%置信度
1证据数
2023-11-15首次发现

版本兼容性

版本状态引入弃用备注
PIPL 2021 active
CAC Security Assessment Measures 2022 active
SCCs for Cross-Border Data Transfer 2023 active

根因分析

根据中国个人信息保护法 (PIPL) 第 38 条,跨境转移个人信息(包括人力资源数据)需要经过网信办的安全评估、签订标准合同条款 (SCC) 或获得认可机构的认证;“内部业务数据”并非豁免情形,违规可导致最高 5000 万元人民币或上一年度收入 5% 的罚款。

English

Under China's Personal Information Protection Law (PIPL) Article 38, cross-border transfer of personal information (including HR data) requires either a security assessment by the CAC, standard contractual clauses (SCCs), or certification by a recognized body; 'internal business data' is not an exemption, and violations can result in fines up to RMB 50 million or 5% of previous year's revenue.

generic

官方文档

https://www.cac.gov.cn/2022-07/07/c_1658381594252832.htm

解决方案

  1. File a security assessment with the CAC if the data volume exceeds thresholds (e.g., 1 million individuals' data or 100,000 sensitive data). Prepare documentation: data mapping, purpose limitation, recipient safeguards, and impact assessment. Use the CAC's online portal: https://www.cac.gov.cn
  2. Sign the standard contractual clauses (SCCs) with the overseas recipient and file them with the local CAC office within 10 working days. Example clause template: '甲方(数据提供方)与乙方(数据接收方)同意按照《个人信息出境标准合同》规定执行...'
  3. Obtain PIPL certification from a recognized body (e.g., China Cybersecurity Review Technology and Certification Center). This is suitable for multinationals with ongoing cross-border HR data flows.

无效尝试

常见但无效的做法:

  1. 70% 失败

    Assuming that anonymizing or pseudonymizing data removes PIPL obligations; re-identification risk is still considered, and full anonymization is difficult to prove.

  2. 65% 失败

    Relying on consent from employees as the sole lawful basis; PIPL requires consent plus one of the Article 38 mechanisms for transfer, and consent can be withdrawn.

  3. 80% 失败

    Storing data on a cloud server in Hong Kong or Macau; these are considered separate jurisdictions under PIPL, and cross-border rules still apply.