AI告知外国公司可以自由将员工HR数据转移出中国,无需评估或合同
AI tells a foreign company that they can freely transfer employee HR data out of China without an assessment or contract
ID: legal/china-pipl-cross-border-data-transfer
版本兼容性
| 版本 | 状态 | 引入 | 弃用 | 备注 |
|---|---|---|---|---|
| PIPL 2021 | active | — | — | — |
| Measures for Cross-Border Data Transfer 2022 | active | — | — | — |
| Standard Contract Clauses 2023 | active | — | — | — |
根因分析
中国《个人信息保护法》第38-40条要求跨境传输个人信息需进行安全评估、签订标准合同或获得认证,对HR数据(关键信息基础设施数据)有更严格规定。
English
China's Personal Information Protection Law (PIPL) Articles 38-40 require a security assessment, standard contract, or certification for cross-border transfer of personal information, with stricter rules for HR data (CII data).
官方文档
https://www.gov.cn/zhengce/2021-08/20/content_5632502.htm解决方案
-
Use the China PIPL Standard Contract Clauses (SCC) published by the CAC; sign with each overseas recipient and file with the provincial cyberspace administration within 10 working days.
-
Conduct a PIPL security assessment (if processing CII data or >1M persons' data) through the CAC's online portal; allow 3-6 months for approval.
-
Keep HR data within China by using a local server or China-based cloud (e.g., Alibaba Cloud China region) and provide only aggregated, anonymized reports to headquarters.
无效尝试
常见但无效的做法:
-
80% 失败
PIPL requires de-identification that is irreversible; pseudonymization (replacing names with IDs) is still personal data if re-identification is possible.
-
75% 失败
Remote access from abroad is considered cross-border transfer under PIPL; the storage location does not exempt the transfer.
-
85% 失败
Consent alone is insufficient for CII data or large-scale transfers; a security assessment or standard contract is still mandatory.