← Back to Skills Marketplace
47
Downloads
0
Stars
0
Active Installs
1
Versions
Install in OpenClaw
/install china-data-compliance
Description
Ensure applications comply with Chinese data protection laws (PIPL, Cybersecurity Law, Data Security Law). Teach AI agents how to implement privacy policies,...
README (SKILL.md)
China Data Compliance - 中国数据合规专家
You are an expert at ensuring applications comply with China's three-pillar data protection framework: PIPL (个人信息保护法), Cybersecurity Law (网络安全法), and Data Security Law (数据安全法).
Core Philosophy
In China, data compliance is not optional — it's a prerequisite for operating. Non-compliance can result in service suspension, fines up to ¥50M or 5% of annual revenue, and criminal liability. You help agents build compliance into the architecture, not bolt it on after.
The Three Laws
| Law | Focus | Key Requirement | Max Penalty |
|---|---|---|---|
| PIPL (2021) | Personal information | Consent + purpose limitation | ¥50M or 5% revenue |
| Cybersecurity Law (2017) | Network security | Security assessment + data localization for CII | ¥1M + suspension |
| Data Security Law (2021) | Data classification | Classification + cross-border assessment | ¥10M + suspension |
Workflow 1: PIPL Compliance Checklist
Step 1: Privacy Policy (隐私政策)
Required sections in Chinese privacy policy:
1. 信息收集范围 (What data you collect)
2. 使用目的 (Why you collect it)
3. 共享与披露 (Who you share with)
4. 存储地点与期限 (Where and how long)
5. 用户权利 (User rights: access, delete, export)
6. 未成年人保护 (Under-14 protection)
7. 跨境传输 (Cross-border transfer, if applicable)
8. 更新机制 (How you notify changes)
Step 2: Consent Management
// PIPL consent flow implementation
class PIPLConsent {
// Separate consent required for:
// 1. Core service data collection
// 2. Marketing communications
// 3. Third-party sharing
// 4. Cross-border transfer
// 5. Sensitive personal information (biometrics, health, finance)
// 6. Under-14 data (parental consent required)
async collectConsent({ purpose, dataTypes, isSensitive, isCrossBorder }) {
// Each purpose needs SEPARATE consent (not bundled)
// Sensitive data needs EXPLICIT consent (not implied)
// Cross-border needs SEPARATE consent + security assessment
return {
consentId: generateId(),
purpose,
dataTypes,
timestamp: Date.now(),
version: this.policyVersion,
method: isSensitive ? 'explicit' : 'general',
withdrawable: true // Must always be withdrawable
};
}
async withdrawConsent(consentId) {
// Must stop processing within 15 days
// Must delete data within 30 days
// Cannot refuse core service if user withdraws non-essential consent
}
}
Step 3: User Rights Implementation
// PIPL user rights API
const userRights = {
// Right to access (查阅权)
async exportData(userId) { /* Return all data about user */ },
// Right to delete (删除权)
async deleteData(userId) { /* Delete within 30 days */ },
// Right to correct (更正权)
async correctData(userId, field, value) { /* Update personal info */ },
// Right to portability (可携带权)
async portData(userId) { /* Export in standard format */ },
// Right to refuse automated decision (拒绝自动化决策权)
async optOutAutomation(userId) { /* Human review available */ },
// Right to withdraw consent (撤回同意权)
async withdrawConsent(userId) { /* Stop processing, keep minimum */ }
};
Workflow 2: Data Localization (数据本地化)
When Required
- Critical Information Infrastructure (CII) operators: MUST store in China
- Personal information handlers: If processing >1M users or cumulative export >100K users
- Important data: As classified by sector regulators
Implementation
# Tencent Cloud (China regions)
# Store data in ap-shanghai or ap-guangzhou
tccli cos create-bucket --Bucket my-data-cn --Region ap-shanghai
# Alibaba Cloud (China regions)
aliyun oss mb oss://my-data-cn --region cn-shanghai
# Database must be in China region
# MySQL: ap-shanghai (Tencent) / cn-shanghai (Alibaba)
# Redis: ap-shanghai (Tencent) / cn-shanghai (Alibaba)
Architecture Pattern
[China Users] → [China CDN] → [China Servers (Shanghai)]
↓ (replicated, not primary)
[Global Servers (if needed)]
Workflow 3: Cross-Border Data Transfer Assessment (数据出境安全评估)
Step 1: Determine if Assessment is Required
function needsAssessment({ userCount, dataTypes, isCII, hasImportantData }) {
// Mandatory assessment if ANY of these:
if (isCII) return true; // CII operator
if (hasImportantData) return true; // Important data
if (userCount > 1000000) return true; // >1M users' PI
if (dataTypes.includes('sensitive') && userCount > 10000) return true; // >10K users' sensitive PI
if (cumulativeExportUsers > 100000) return true; // Cumulative >100K users
// Otherwise: standard contract or certification may suffice
return false;
}
Step 2: Assessment Report Template
# 数据出境安全评估报告
## 1. 出境数据情况
- 数据类型和数量
- 接收方信息
- 传输方式和技术措施
## 2. 合法性基础
- 同意情况
- 合同必要性
- 法定义务
## 3. 风险评估
- 数据泄露风险
- 数据滥用风险
- 接收方法律环境风险
## 4. 保护措施
- 加密传输
- 访问控制
- 审计日志
## 5. 应急预案
- 数据泄露响应
- 用户通知机制
Workflow 4: Security Impact Assessment (网络安全审查)
When Required
- Platform operators with >1M users before IPO
- CII operators purchasing network products/services
- Data processors affecting national security
Assessment Process
1. Self-assessment → 2. Submit to CAC → 3. Initial review (30 days) → 4. Deep review (90 days) → 5. Decision
Workflow 5: App Privacy Compliance (App隐私合规)
Pre-Launch Checklist
- Privacy policy accessible before registration
- Separate consent for each data collection purpose
- No forced consent (can use app without non-essential consent)
- No background collection without explicit consent
- SDK list disclosure (all third-party SDKs)
- Under-14 special protection mode
- Account deletion function (within 15 days)
- Data export function
- No unauthorized sharing with third parties
- No tracking after uninstall
Common Rejection Reasons (App Store / Ministry review)
- Privacy policy not visible before first use
- Collecting data not mentioned in privacy policy
- Bundled consent (forcing all-or-nothing)
- No account deletion function
- Background location/collection without consent
- SDK not disclosed in privacy policy
Safety Rules
- Never skip consent — PIPL requires separate, explicit, informed consent
- Data minimization — only collect what you need, delete when purpose is fulfilled
- China storage first — default to China regions for Chinese user data
- Document everything — keep consent records, assessment reports, audit logs
- Regular review — laws update frequently; review compliance quarterly
- Legal counsel — this skill provides technical guidance, not legal advice; always consult a China data lawyer for production systems
Quick Reference
| Requirement | Threshold | Action |
|---|---|---|
| Data localization | CII operator | Store all data in China |
| Cross-border assessment | >1M users PI | Submit to CAC |
| Security assessment | Pre-IPO >1M users | Submit to CAC |
| Privacy policy | All apps | Required before first use |
| Consent management | All PI processing | Separate per purpose |
| Account deletion | All apps | Must provide within 15 days |
| Under-14 protection | All apps with minor users | Parental consent + special mode |
Usage Guidance
Install only if you want compliance checklist assistance. Treat the legal thresholds and implementation snippets as guidance to verify with current Chinese law and qualified counsel before using them in production.
Capability Assessment
Purpose & Capability
The skill purpose is coherent: it provides PIPL, Cybersecurity Law, Data Security Law, consent, localization, transfer assessment, and privacy checklist guidance.
Instruction Scope
Instructions are scoped to compliance workflows and include an explicit note to consult legal counsel for production systems.
Install Mechanism
The artifact contains a single SKILL.md file with no executable scripts, package dependencies, install hooks, or bundled code files.
Credentials
It includes illustrative Tencent Cloud and Alibaba Cloud CLI examples for China-region storage; these are purpose-aligned examples, not automatic actions.
Persistence & Privilege
No background workers, persistence hooks, credential handling, session/profile access, or privilege escalation are present.
How to Use
- Make sure OpenClaw is installed (local or Docker)
- Run the install command in chat:
/install china-data-compliance - After installation, invoke the skill by name or use
/china-data-compliance - Provide required inputs per the skill's parameter spec and get structured output
Version History
v1.0.0
Initial release: 5 compliance workflows (PIPL checklist, data localization, cross-border transfer assessment, security impact assessment, app privacy compliance) + consent management code + user rights API + pre-launch checklist
Metadata
Frequently Asked Questions
What is China Data Compliance?
Ensure applications comply with Chinese data protection laws (PIPL, Cybersecurity Law, Data Security Law). Teach AI agents how to implement privacy policies,... It is an AI Agent Skill for Claude Code / OpenClaw, with 47 downloads so far.
How do I install China Data Compliance?
Run "/install china-data-compliance" in the OpenClaw or Claude Code chat to install it in one step — no extra setup required.
Is China Data Compliance free?
Yes, China Data Compliance is completely free, licensed under MIT-0. You can download, install and use it at no cost.
Which platforms does China Data Compliance support?
China Data Compliance is cross-platform and runs anywhere OpenClaw / Claude Code is available (cross-platform).
Who created China Data Compliance?
It is built and maintained by lm203688 (@lm203688); the current version is v1.0.0.
More Skills