AI tells a foreign company that they can freely transfer employee HR data out of China without an assessment or contract
ID: legal/china-pipl-cross-border-data-transfer
Version Compatibility
| Version | Status | Introduced | Deprecated | Notes |
|---|---|---|---|---|
| PIPL 2021 | active | — | — | — |
| Measures for Cross-Border Data Transfer 2022 | active | — | — | — |
| Standard Contract Clauses 2023 | active | — | — | — |
Root Cause
China's Personal Information Protection Law (PIPL) Articles 38-40 require a security assessment, standard contract, or certification for cross-border transfer of personal information, with stricter rules for HR data (CII data).
Official Documentation
https://www.gov.cn/zhengce/2021-08/20/content_5632502.htm
Workarounds
- 82% success: Use the China PIPL Standard Contract Clauses (SCC) published by the CAC; sign with each overseas recipient and file with the provincial cyberspace administration within 10 working days.
- 70% success: Conduct a PIPL security assessment (if processing CII data or >1M persons' data) through the CAC's online portal; allow 3-6 months for approval.
- 88% success: Keep HR data within China by using a local server or China-based cloud (e.g., Alibaba Cloud China region) and provide only aggregated, anonymized reports to headquarters.
Dead Ends
Common approaches that don't work:
- 80% fail: PIPL requires de-identification that is irreversible; pseudonymization (replacing names with IDs) is still personal data if re-identification is possible.
- 75% fail: Remote access from abroad is considered cross-border transfer under PIPL; the storage location does not exempt the transfer.
- 85% fail: Consent alone is insufficient for CII data or large-scale transfers; a security assessment or standard contract is still mandatory.