# AI 告诉外国公司，他们可以自由地将人力资源数据转移出中国，因为这是“内部业务数据”

- **ID:** `legal/china-personal-information-protection-law-cross-border-transfer`
- **领域:** legal
- **类别:** regulatory_barrier
- **错误码:** `PIPL-CROSS-BORDER-001`
- **验证级别:** ai_generated
- **修复率:** 80%

## 根因

根据中国个人信息保护法 (PIPL) 第 38 条，跨境转移个人信息（包括人力资源数据）需要经过网信办的安全评估、签订标准合同条款 (SCC) 或获得认可机构的认证；“内部业务数据”并非豁免情形，违规可导致最高 5000 万元人民币或上一年度收入 5% 的罚款。

## 版本兼容性

| 版本 | 状态 | 引入 | 弃用 |
|------|------|------|------|
| PIPL 2021 | active | — | — |
| CAC Security Assessment Measures 2022 | active | — | — |
| SCCs for Cross-Border Data Transfer 2023 | active | — | — |

## 解决方案

1. ```
   File a security assessment with the CAC if the data volume exceeds thresholds (e.g., 1 million individuals' data or 100,000 sensitive data). Prepare documentation: data mapping, purpose limitation, recipient safeguards, and impact assessment. Use the CAC's online portal: https://www.cac.gov.cn
   ```
2. ```
   Sign the standard contractual clauses (SCCs) with the overseas recipient and file them with the local CAC office within 10 working days. Example clause template: '甲方（数据提供方）与乙方（数据接收方）同意按照《个人信息出境标准合同》规定执行...'
   ```
3. ```
   Obtain PIPL certification from a recognized body (e.g., China Cybersecurity Review Technology and Certification Center). This is suitable for multinationals with ongoing cross-border HR data flows.
   ```

## 无效尝试

- **** — Assuming that anonymizing or pseudonymizing data removes PIPL obligations; re-identification risk is still considered, and full anonymization is difficult to prove. (70% 失败率)
- **** — Relying on consent from employees as the sole lawful basis; PIPL requires consent plus one of the Article 38 mechanisms for transfer, and consent can be withdrawn. (65% 失败率)
- **** — Storing data on a cloud server in Hong Kong or Macau; these are considered separate jurisdictions under PIPL, and cross-border rules still apply. (80% 失败率)