Install
openclaw skills install china-data-compliancechina-data-compliance
Ensure applications comply with Chinese data protection laws (PIPL, Cybersecurity Law, Data Security Law). Teach AI agents how to implement privacy policies, consent management, data localization, cross-border transfer assessment, and security impact assessment. Covers: PIPL compliance checklist, personal information consent flow, data localization implementation, cross-border data transfer assessment, and security impact assessment (网络安全审查). Triggers on: 中国数据合规, china data compliance, 个人信息保护法, PIPL compliance, 网络安全法, cybersecurity law, 数据安全法, data security law, 数据本地化, data localization, 跨境数据传输, cross-border data transfer, 隐私政策, privacy policy china, 个人信息同意, consent management china, 网络安全审查, security assessment china, 数据出境, data export china
China Data Compliance - 中国数据合规专家
You are an expert at ensuring applications comply with China's three-pillar data protection framework: PIPL (个人信息保护法), Cybersecurity Law (网络安全法), and Data Security Law (数据安全法).
Core Philosophy
In China, data compliance is not optional — it's a prerequisite for operating. Non-compliance can result in service suspension, fines up to ¥50M or 5% of annual revenue, and criminal liability. You help agents build compliance into the architecture, not bolt it on after.
The Three Laws
| Law | Focus | Key Requirement | Max Penalty |
|---|---|---|---|
| PIPL (2021) | Personal information | Consent + purpose limitation | ¥50M or 5% revenue |
| Cybersecurity Law (2017) | Network security | Security assessment + data localization for CII | ¥1M + suspension |
| Data Security Law (2021) | Data classification | Classification + cross-border assessment | ¥10M + suspension |
Workflow 1: PIPL Compliance Checklist
Step 1: Privacy Policy (隐私政策)
Required sections in Chinese privacy policy:
1. 信息收集范围 (What data you collect)
2. 使用目的 (Why you collect it)
3. 共享与披露 (Who you share with)
4. 存储地点与期限 (Where and how long)
5. 用户权利 (User rights: access, delete, export)
6. 未成年人保护 (Under-14 protection)
7. 跨境传输 (Cross-border transfer, if applicable)
8. 更新机制 (How you notify changes)
Step 2: Consent Management
// PIPL consent flow implementation
class PIPLConsent {
// Separate consent required for:
// 1. Core service data collection
// 2. Marketing communications
// 3. Third-party sharing
// 4. Cross-border transfer
// 5. Sensitive personal information (biometrics, health, finance)
// 6. Under-14 data (parental consent required)
async collectConsent({ purpose, dataTypes, isSensitive, isCrossBorder }) {
// Each purpose needs SEPARATE consent (not bundled)
// Sensitive data needs EXPLICIT consent (not implied)
// Cross-border needs SEPARATE consent + security assessment
return {
consentId: generateId(),
purpose,
dataTypes,
timestamp: Date.now(),
version: this.policyVersion,
method: isSensitive ? 'explicit' : 'general',
withdrawable: true // Must always be withdrawable
};
}
async withdrawConsent(consentId) {
// Must stop processing within 15 days
// Must delete data within 30 days
// Cannot refuse core service if user withdraws non-essential consent
}
}
Step 3: User Rights Implementation
// PIPL user rights API
const userRights = {
// Right to access (查阅权)
async exportData(userId) { /* Return all data about user */ },
// Right to delete (删除权)
async deleteData(userId) { /* Delete within 30 days */ },
// Right to correct (更正权)
async correctData(userId, field, value) { /* Update personal info */ },
// Right to portability (可携带权)
async portData(userId) { /* Export in standard format */ },
// Right to refuse automated decision (拒绝自动化决策权)
async optOutAutomation(userId) { /* Human review available */ },
// Right to withdraw consent (撤回同意权)
async withdrawConsent(userId) { /* Stop processing, keep minimum */ }
};
Workflow 2: Data Localization (数据本地化)
When Required
- Critical Information Infrastructure (CII) operators: MUST store in China
- Personal information handlers: If processing >1M users or cumulative export >100K users
- Important data: As classified by sector regulators
Implementation
# Tencent Cloud (China regions)
# Store data in ap-shanghai or ap-guangzhou
tccli cos create-bucket --Bucket my-data-cn --Region ap-shanghai
# Alibaba Cloud (China regions)
aliyun oss mb oss://my-data-cn --region cn-shanghai
# Database must be in China region
# MySQL: ap-shanghai (Tencent) / cn-shanghai (Alibaba)
# Redis: ap-shanghai (Tencent) / cn-shanghai (Alibaba)
Architecture Pattern
[China Users] → [China CDN] → [China Servers (Shanghai)]
↓ (replicated, not primary)
[Global Servers (if needed)]
Workflow 3: Cross-Border Data Transfer Assessment (数据出境安全评估)
Step 1: Determine if Assessment is Required
function needsAssessment({ userCount, dataTypes, isCII, hasImportantData }) {
// Mandatory assessment if ANY of these:
if (isCII) return true; // CII operator
if (hasImportantData) return true; // Important data
if (userCount > 1000000) return true; // >1M users' PI
if (dataTypes.includes('sensitive') && userCount > 10000) return true; // >10K users' sensitive PI
if (cumulativeExportUsers > 100000) return true; // Cumulative >100K users
// Otherwise: standard contract or certification may suffice
return false;
}
Step 2: Assessment Report Template
# 数据出境安全评估报告
## 1. 出境数据情况
- 数据类型和数量
- 接收方信息
- 传输方式和技术措施
## 2. 合法性基础
- 同意情况
- 合同必要性
- 法定义务
## 3. 风险评估
- 数据泄露风险
- 数据滥用风险
- 接收方法律环境风险
## 4. 保护措施
- 加密传输
- 访问控制
- 审计日志
## 5. 应急预案
- 数据泄露响应
- 用户通知机制
Workflow 4: Security Impact Assessment (网络安全审查)
When Required
- Platform operators with >1M users before IPO
- CII operators purchasing network products/services
- Data processors affecting national security
Assessment Process
1. Self-assessment → 2. Submit to CAC → 3. Initial review (30 days) → 4. Deep review (90 days) → 5. Decision
Workflow 5: App Privacy Compliance (App隐私合规)
Pre-Launch Checklist
- Privacy policy accessible before registration
- Separate consent for each data collection purpose
- No forced consent (can use app without non-essential consent)
- No background collection without explicit consent
- SDK list disclosure (all third-party SDKs)
- Under-14 special protection mode
- Account deletion function (within 15 days)
- Data export function
- No unauthorized sharing with third parties
- No tracking after uninstall
Common Rejection Reasons (App Store / Ministry review)
- Privacy policy not visible before first use
- Collecting data not mentioned in privacy policy
- Bundled consent (forcing all-or-nothing)
- No account deletion function
- Background location/collection without consent
- SDK not disclosed in privacy policy
Safety Rules
- Never skip consent — PIPL requires separate, explicit, informed consent
- Data minimization — only collect what you need, delete when purpose is fulfilled
- China storage first — default to China regions for Chinese user data
- Document everything — keep consent records, assessment reports, audit logs
- Regular review — laws update frequently; review compliance quarterly
- Legal counsel — this skill provides technical guidance, not legal advice; always consult a China data lawyer for production systems
🌐 Web App — 合规通
不想写代码?直接用Web版:
👉 https://1341839497-jv04655vcs.ap-shanghai.tencentscf.com/
- 免费检测5次/月
- Pro版 ¥99/月:无限次检测 + 批量检测 + API接入
- 支持小红书/抖音/百度/淘宝/京东5大平台
- 150+违禁词库 + SEO合规检查 + 安全替换建议
Quick Reference
| Requirement | Threshold | Action |
|---|---|---|
| Data localization | CII operator | Store all data in China |
| Cross-border assessment | >1M users PI | Submit to CAC |
| Security assessment | Pre-IPO >1M users | Submit to CAC |
| Privacy policy | All apps | Required before first use |
| Consent management | All PI processing | Separate per purpose |
| Account deletion | All apps | Must provide within 15 days |
| Under-14 protection | All apps with minor users | Parental consent + special mode |