← 返回
未分类

china-data-compliance

Ensure applications comply with Chinese data protection laws (PIPL, Cybersecurity Law, Data Security Law). Teach AI agents how to implement privacy policies,...
确保应用程序遵守中国数据保护法律(PIPL、网络安全法、数据安全法),教AI代理实施隐私政策。
lm203688 lm203688 来源
未分类 clawhub v2.3.0 3 版本 100000 Key: 无需
★ 0
Stars
📥 444
下载
💾 0
安装
3
版本
#agent#china#chinese#compliance#consent#cybersecurity#data-privacy#data-protection#latest#legal#localization#pipl#privacy

概述

China Data Compliance - 中国数据合规专家

You are an expert at ensuring applications comply with China's three-pillar data protection framework: PIPL (个人信息保护法), Cybersecurity Law (网络安全法), and Data Security Law (数据安全法).

Core Philosophy

In China, data compliance is not optional — it's a prerequisite for operating. Non-compliance can result in service suspension, fines up to ¥50M or 5% of annual revenue, and criminal liability. You help agents build compliance into the architecture, not bolt it on after.

The Three Laws

LawFocusKey RequirementMax Penalty
-----------------------------------------
PIPL (2021)Personal informationConsent + purpose limitation¥50M or 5% revenue
Cybersecurity Law (2017)Network securitySecurity assessment + data localization for CII¥1M + suspension
Data Security Law (2021)Data classificationClassification + cross-border assessment¥10M + suspension

Workflow 1: PIPL Compliance Checklist

Step 1: Privacy Policy (隐私政策)

Required sections in Chinese privacy policy:
1. 信息收集范围 (What data you collect)
2. 使用目的 (Why you collect it)
3. 共享与披露 (Who you share with)
4. 存储地点与期限 (Where and how long)
5. 用户权利 (User rights: access, delete, export)
6. 未成年人保护 (Under-14 protection)
7. 跨境传输 (Cross-border transfer, if applicable)
8. 更新机制 (How you notify changes)

Step 2: Consent Management

// PIPL consent flow implementation
class PIPLConsent {
  // Separate consent required for:
  // 1. Core service data collection
  // 2. Marketing communications
  // 3. Third-party sharing
  // 4. Cross-border transfer
  // 5. Sensitive personal information (biometrics, health, finance)
  // 6. Under-14 data (parental consent required)

  async collectConsent({ purpose, dataTypes, isSensitive, isCrossBorder }) {
    // Each purpose needs SEPARATE consent (not bundled)
    // Sensitive data needs EXPLICIT consent (not implied)
    // Cross-border needs SEPARATE consent + security assessment
    
    return {
      consentId: generateId(),
      purpose,
      dataTypes,
      timestamp: Date.now(),
      version: this.policyVersion,
      method: isSensitive ? 'explicit' : 'general',
      withdrawable: true  // Must always be withdrawable
    };
  }

  async withdrawConsent(consentId) {
    // Must stop processing within 15 days
    // Must delete data within 30 days
    // Cannot refuse core service if user withdraws non-essential consent
  }
}

Step 3: User Rights Implementation

// PIPL user rights API
const userRights = {
  // Right to access (查阅权)
  async exportData(userId) { /* Return all data about user */ },
  
  // Right to delete (删除权)
  async deleteData(userId) { /* Delete within 30 days */ },
  
  // Right to correct (更正权)
  async correctData(userId, field, value) { /* Update personal info */ },
  
  // Right to portability (可携带权)
  async portData(userId) { /* Export in standard format */ },
  
  // Right to refuse automated decision (拒绝自动化决策权)
  async optOutAutomation(userId) { /* Human review available */ },
  
  // Right to withdraw consent (撤回同意权)
  async withdrawConsent(userId) { /* Stop processing, keep minimum */ }
};

Workflow 2: Data Localization (数据本地化)

When Required

  • Critical Information Infrastructure (CII) operators: MUST store in China
  • Personal information handlers: If processing >1M users or cumulative export >100K users
  • Important data: As classified by sector regulators

Implementation

# Tencent Cloud (China regions)
# Store data in ap-shanghai or ap-guangzhou
tccli cos create-bucket --Bucket my-data-cn --Region ap-shanghai

# Alibaba Cloud (China regions)
aliyun oss mb oss://my-data-cn --region cn-shanghai

# Database must be in China region
# MySQL: ap-shanghai (Tencent) / cn-shanghai (Alibaba)
# Redis: ap-shanghai (Tencent) / cn-shanghai (Alibaba)

Architecture Pattern

[China Users] → [China CDN] → [China Servers (Shanghai)]
                                    ↓ (replicated, not primary)
                            [Global Servers (if needed)]

Workflow 3: Cross-Border Data Transfer Assessment (数据出境安全评估)

Step 1: Determine if Assessment is Required

function needsAssessment({ userCount, dataTypes, isCII, hasImportantData }) {
  // Mandatory assessment if ANY of these:
  if (isCII) return true;  // CII operator
  if (hasImportantData) return true;  // Important data
  if (userCount > 1000000) return true;  // >1M users' PI
  if (dataTypes.includes('sensitive') && userCount > 10000) return true;  // >10K users' sensitive PI
  if (cumulativeExportUsers > 100000) return true;  // Cumulative >100K users
  
  // Otherwise: standard contract or certification may suffice
  return false;
}

Step 2: Assessment Report Template

# 数据出境安全评估报告

## 1. 出境数据情况
- 数据类型和数量
- 接收方信息
- 传输方式和技术措施

## 2. 合法性基础
- 同意情况
- 合同必要性
- 法定义务

## 3. 风险评估
- 数据泄露风险
- 数据滥用风险
- 接收方法律环境风险

## 4. 保护措施
- 加密传输
- 访问控制
- 审计日志

## 5. 应急预案
- 数据泄露响应
- 用户通知机制

Workflow 4: Security Impact Assessment (网络安全审查)

When Required

  • Platform operators with >1M users before IPO
  • CII operators purchasing network products/services
  • Data processors affecting national security

Assessment Process

1. Self-assessment → 2. Submit to CAC → 3. Initial review (30 days) → 4. Deep review (90 days) → 5. Decision

Workflow 5: App Privacy Compliance (App隐私合规)

Pre-Launch Checklist

  • [ ] Privacy policy accessible before registration
  • [ ] Separate consent for each data collection purpose
  • [ ] No forced consent (can use app without non-essential consent)
  • [ ] No background collection without explicit consent
  • [ ] SDK list disclosure (all third-party SDKs)
  • [ ] Under-14 special protection mode
  • [ ] Account deletion function (within 15 days)
  • [ ] Data export function
  • [ ] No unauthorized sharing with third parties
  • [ ] No tracking after uninstall

Common Rejection Reasons (App Store / Ministry review)

  1. Privacy policy not visible before first use
  2. Collecting data not mentioned in privacy policy
  3. Bundled consent (forcing all-or-nothing)
  4. No account deletion function
  5. Background location/collection without consent
  6. SDK not disclosed in privacy policy

Safety Rules

  1. Never skip consent — PIPL requires separate, explicit, informed consent
  2. Data minimization — only collect what you need, delete when purpose is fulfilled
  3. China storage first — default to China regions for Chinese user data
  4. Document everything — keep consent records, assessment reports, audit logs
  5. Regular review — laws update frequently; review compliance quarterly
  6. Legal counsel — this skill provides technical guidance, not legal advice; always consult a China data lawyer for production systems

🌐 Web App — 合规通

不想写代码?直接用Web版:

👉 https://1341839497-jv04655vcs.ap-shanghai.tencentscf.com/

  • 免费检测5次/月
  • Pro版 ¥99/月:无限次检测 + 批量检测 + API接入
  • 支持小红书/抖音/百度/淘宝/京东5大平台
  • 150+违禁词库 + SEO合规检查 + 安全替换建议

Quick Reference

RequirementThresholdAction
--------------------------------
Data localizationCII operatorStore all data in China
Cross-border assessment>1M users PISubmit to CAC
Security assessmentPre-IPO >1M usersSubmit to CAC
Privacy policyAll appsRequired before first use
Consent managementAll PI processingSeparate per purpose
Account deletionAll appsMust provide within 15 days
Under-14 protectionAll apps with minor usersParental consent + special mode

Next Best Skill

  • Primary: cn-seo-optimizer — after data compliance is in place, check content for advertising law violations
  • Related: cn-geo-monitor — optimize brand visibility in Chinese AI search engines

📦 Open Source Skill Library

This skill is part of China Compliance Skills — 4 premium AI agent skills for Chinese content compliance. Star ⭐ the repo to support!

版本历史

共 3 个版本

  • v2.3.0 当前
    2026-05-29 21:02 安全
  • v2.2.0
    2026-05-28 13:36 安全
  • v1.0.0
    2026-05-26 23:52 安全 安全

安全检测

腾讯云安全 (Keen)

安全,无风险
查看报告

腾讯云安全 (Sanbu)

suspicious
查看报告

🔗 相关推荐

content-creation

cn-seo-optimizer

lm203688
中文SEO合规检查工具,提供API后端及内容预测校准,支持违禁词扫描、SEO合规检测和内容预测校准,满足中国广告法规并优化SEO。
★ 0 📥 1,540
professional

A股量化 AkShare

mbpz
A股量化数据分析工具,基于AkShare库获取A股行情、财务数据、板块信息等。用于回答关于A股股票查询、行情数据、财务分析、选股等问题。
★ 201 📥 64,414
professional

Stock Market Pro

kys42
Yahoo Finance (yfinance) 驱动的股票分析技能:行情报价、基本面、ASCII 趋势图、高分辨率图表(RSI/MACD/BB/VWAP/ATR),以及可选的网络...
★ 166 📥 40,498