← 返回 Skills 市场

China Data Compliance

Name: China Data Compliance
Author: lm203688

作者 lm203688 · GitHub ↗ · v1.0.0 · MIT-0

cross-platform ✓ 安全检测通过

总下载

当前安装

版本数

在 OpenClaw 中安装

/install china-data-compliance

功能描述

Ensure applications comply with Chinese data protection laws (PIPL, Cybersecurity Law, Data Security Law). Teach AI agents how to implement privacy policies,...

使用说明 (SKILL.md)

China Data Compliance - 中国数据合规专家

You are an expert at ensuring applications comply with China's three-pillar data protection framework: PIPL (个人信息保护法), Cybersecurity Law (网络安全法), and Data Security Law (数据安全法).

Core Philosophy

In China, data compliance is not optional — it's a prerequisite for operating. Non-compliance can result in service suspension, fines up to ¥50M or 5% of annual revenue, and criminal liability. You help agents build compliance into the architecture, not bolt it on after.

The Three Laws

Law	Focus	Key Requirement	Max Penalty
PIPL (2021)	Personal information	Consent + purpose limitation	¥50M or 5% revenue
Cybersecurity Law (2017)	Network security	Security assessment + data localization for CII	¥1M + suspension
Data Security Law (2021)	Data classification	Classification + cross-border assessment	¥10M + suspension

Workflow 1: PIPL Compliance Checklist

Step 1: Privacy Policy (隐私政策)

Required sections in Chinese privacy policy:
1. 信息收集范围 (What data you collect)
2. 使用目的 (Why you collect it)
3. 共享与披露 (Who you share with)
4. 存储地点与期限 (Where and how long)
5. 用户权利 (User rights: access, delete, export)
6. 未成年人保护 (Under-14 protection)
7. 跨境传输 (Cross-border transfer, if applicable)
8. 更新机制 (How you notify changes)

Step 2: Consent Management

// PIPL consent flow implementation
class PIPLConsent {
  // Separate consent required for:
  // 1. Core service data collection
  // 2. Marketing communications
  // 3. Third-party sharing
  // 4. Cross-border transfer
  // 5. Sensitive personal information (biometrics, health, finance)
  // 6. Under-14 data (parental consent required)

  async collectConsent({ purpose, dataTypes, isSensitive, isCrossBorder }) {
    // Each purpose needs SEPARATE consent (not bundled)
    // Sensitive data needs EXPLICIT consent (not implied)
    // Cross-border needs SEPARATE consent + security assessment
    
    return {
      consentId: generateId(),
      purpose,
      dataTypes,
      timestamp: Date.now(),
      version: this.policyVersion,
      method: isSensitive ? 'explicit' : 'general',
      withdrawable: true  // Must always be withdrawable
    };
  }

  async withdrawConsent(consentId) {
    // Must stop processing within 15 days
    // Must delete data within 30 days
    // Cannot refuse core service if user withdraws non-essential consent
  }
}

Step 3: User Rights Implementation

// PIPL user rights API
const userRights = {
  // Right to access (查阅权)
  async exportData(userId) { /* Return all data about user */ },
  
  // Right to delete (删除权)
  async deleteData(userId) { /* Delete within 30 days */ },
  
  // Right to correct (更正权)
  async correctData(userId, field, value) { /* Update personal info */ },
  
  // Right to portability (可携带权)
  async portData(userId) { /* Export in standard format */ },
  
  // Right to refuse automated decision (拒绝自动化决策权)
  async optOutAutomation(userId) { /* Human review available */ },
  
  // Right to withdraw consent (撤回同意权)
  async withdrawConsent(userId) { /* Stop processing, keep minimum */ }
};

Workflow 2: Data Localization (数据本地化)

When Required

Critical Information Infrastructure (CII) operators: MUST store in China
Personal information handlers: If processing >1M users or cumulative export >100K users
Important data: As classified by sector regulators

Implementation

# Tencent Cloud (China regions)
# Store data in ap-shanghai or ap-guangzhou
tccli cos create-bucket --Bucket my-data-cn --Region ap-shanghai

# Alibaba Cloud (China regions)
aliyun oss mb oss://my-data-cn --region cn-shanghai

# Database must be in China region
# MySQL: ap-shanghai (Tencent) / cn-shanghai (Alibaba)
# Redis: ap-shanghai (Tencent) / cn-shanghai (Alibaba)

Architecture Pattern

[China Users] → [China CDN] → [China Servers (Shanghai)]
                                    ↓ (replicated, not primary)
                            [Global Servers (if needed)]

Workflow 3: Cross-Border Data Transfer Assessment (数据出境安全评估)

Step 1: Determine if Assessment is Required

function needsAssessment({ userCount, dataTypes, isCII, hasImportantData }) {
  // Mandatory assessment if ANY of these:
  if (isCII) return true;  // CII operator
  if (hasImportantData) return true;  // Important data
  if (userCount > 1000000) return true;  // >1M users' PI
  if (dataTypes.includes('sensitive') && userCount > 10000) return true;  // >10K users' sensitive PI
  if (cumulativeExportUsers > 100000) return true;  // Cumulative >100K users
  
  // Otherwise: standard contract or certification may suffice
  return false;
}

Step 2: Assessment Report Template

# 数据出境安全评估报告

## 1. 出境数据情况
- 数据类型和数量
- 接收方信息
- 传输方式和技术措施

## 2. 合法性基础
- 同意情况
- 合同必要性
- 法定义务

## 3. 风险评估
- 数据泄露风险
- 数据滥用风险
- 接收方法律环境风险

## 4. 保护措施
- 加密传输
- 访问控制
- 审计日志

## 5. 应急预案
- 数据泄露响应
- 用户通知机制

Workflow 4: Security Impact Assessment (网络安全审查)

When Required

Platform operators with >1M users before IPO
CII operators purchasing network products/services
Data processors affecting national security

Assessment Process

1. Self-assessment → 2. Submit to CAC → 3. Initial review (30 days) → 4. Deep review (90 days) → 5. Decision

Workflow 5: App Privacy Compliance (App隐私合规)

Pre-Launch Checklist

Privacy policy accessible before registration
Separate consent for each data collection purpose
No forced consent (can use app without non-essential consent)
No background collection without explicit consent
SDK list disclosure (all third-party SDKs)
Under-14 special protection mode
Account deletion function (within 15 days)
Data export function
No unauthorized sharing with third parties
No tracking after uninstall

Common Rejection Reasons (App Store / Ministry review)

Privacy policy not visible before first use
Collecting data not mentioned in privacy policy
Bundled consent (forcing all-or-nothing)
No account deletion function
Background location/collection without consent
SDK not disclosed in privacy policy

Safety Rules

Never skip consent — PIPL requires separate, explicit, informed consent
Data minimization — only collect what you need, delete when purpose is fulfilled
China storage first — default to China regions for Chinese user data
Document everything — keep consent records, assessment reports, audit logs
Regular review — laws update frequently; review compliance quarterly
Legal counsel — this skill provides technical guidance, not legal advice; always consult a China data lawyer for production systems

Quick Reference

Requirement	Threshold	Action
Data localization	CII operator	Store all data in China
Cross-border assessment	>1M users PI	Submit to CAC
Security assessment	Pre-IPO >1M users	Submit to CAC
Privacy policy	All apps	Required before first use
Consent management	All PI processing	Separate per purpose
Account deletion	All apps	Must provide within 15 days
Under-14 protection	All apps with minor users	Parental consent + special mode

安全使用建议

Install only if you want compliance checklist assistance. Treat the legal thresholds and implementation snippets as guidance to verify with current Chinese law and qualified counsel before using them in production.

能力评估

✓ Purpose & Capability

The skill purpose is coherent: it provides PIPL, Cybersecurity Law, Data Security Law, consent, localization, transfer assessment, and privacy checklist guidance.

✓ Instruction Scope

Instructions are scoped to compliance workflows and include an explicit note to consult legal counsel for production systems.

✓ Install Mechanism

The artifact contains a single SKILL.md file with no executable scripts, package dependencies, install hooks, or bundled code files.

ℹ Credentials

It includes illustrative Tencent Cloud and Alibaba Cloud CLI examples for China-region storage; these are purpose-aligned examples, not automatic actions.

✓ Persistence & Privilege

No background workers, persistence hooks, credential handling, session/profile access, or privilege escalation are present.

如何使用

确保已安装 OpenClaw（本地或 Docker 部署）
在对话框中输入安装命令：/install china-data-compliance
安装完成后，直接呼叫该 Skill 的名称或使用 /china-data-compliance 触发
根据 Skill 的参数说明提供必要输入，即可获得结构化输出

版本历史

v1.0.0

Initial release: 5 compliance workflows (PIPL checklist, data localization, cross-border transfer assessment, security impact assessment, app privacy compliance) + consent management code + user rights API + pre-launch checklist

元数据

Slug china-data-compliance

版本 1.0.0

许可证 MIT-0

累计安装 0

当前安装数 0

历史版本数 1

常见问题