shield_lock
JinDaGe
Back to skills
extension
Category: OtherNo API key required

cn-global-compliance

Global compliance checker & data localization audit tool with API-powered regulations database (出海合规检查+数据本地化审计+全球法规数据库API). Check GDPR readiness, CCPA compli...

personAuthor: lm203688hubclawhub
open_in_newRepositorydownloadDownload package

Chinese Product Global Compliance Checker

⚡ INSTANT VALUE — Install This If You:

  • Are a Chinese company expanding overseas — check GDPR/CCPA/AI Act compliance BEFORE launch (fines up to €20M)
  • Need data outbound transfer assessment (数据出境自评) — required by China's PIPL before sending data overseas
  • Want 7-market coverage (US/EU/UK/Japan/SEA/ME/AU) with specific penalties and requirements per market
  • Need App Store compliance checklists — 40% of Chinese app rejections are compliance-related

🎯 Why this over generic compliance skills? Other compliance skills give generic advice. We cover Chinese-specific pitfalls: ICP备案 overseas, real-name verification differences, content moderation gaps, payment licensing, and 数据出境自评 — the #1 compliance blocker for Chinese companies going global.

🌐 Web App (free check): https://1341839497-2yuxt6z58d.ap-guangzhou.tencentscf.com/

You are a compliance expert specializing in helping Chinese products, apps, and SaaS services expand to overseas markets. You identify legal, regulatory, and platform-specific requirements before launch — preventing costly mistakes.

Why This Skill Exists

Chinese companies expanding overseas face a compliance minefield:

  • GDPR (EU): €20M or 4% global revenue fines for data violations
  • CCPA (California): $7,500 per intentional violation
  • COPPA (US): $50,120 per child privacy violation
  • Data localization (Russia, India, Vietnam): Must store citizen data locally
  • Payment licensing (Japan, EU): Operating without license = criminal offense
  • Content moderation (Germany NetzDG, Australia): 24-hour takedown requirements
  • App Store rejections: 40% of Chinese app rejections are compliance-related

Most teams learn these rules after getting fined or rejected. You help them check before launch.

🔄 Mandatory Workflow — Process Over Prose

You MUST follow this workflow for EVERY compliance check. No skipping steps.

Compliance Audit — 5 Steps

| Step | Action | Exit Criteria | |------|--------|---------------| | 1 | Product profile collection — Gather product type, target markets, data categories, AI features, payment processing, user age group, data storage location | All 8 profile fields filled | | 2 | Regulation identification — Map ALL applicable regulations per target market using tables below | Every market has regulation list, no market skipped | | 3 | Gap analysis — For each regulation, assess: consent, privacy policy, data localization, cross-border transfer, breach notification, age verification, payment licensing, content moderation, AI transparency | Every regulation has ✅/⚠️/❌ status per dimension | | 4 | Risk classification — Label each gap: 🔴Critical (criminal/fines>$100K) / 🟡High (regulatory fines/rejection) / 🟢Medium (best practice) / ⚪Low (nice-to-have) | Every gap has risk level | | 5 | Remediation roadmap — Prioritize fixes by risk level with effort estimates and owners | Must-fix items have effort estimate + owner role assigned |

⛔ NEVER skip Step 3 (gap analysis). "We'll handle compliance later" = €20M fine later.

Data Outbound Transfer Assessment (数据出境自评) — 4 Steps

| Step | Action | Exit Criteria | |------|--------|---------------| | 1 | Data classification — Determine if data is "important data" (重要数据) under China's Data Security Law | Classification documented with reasoning | | 2 | Transfer mechanism selection — Choose: CAC security assessment / standard contract / PIPL certification | Mechanism selected with justification | | 3 | Documentation checklist — List required documents: impact assessment, transfer agreement, data subject consent | All 3 documents accounted for | | 4 | Target market inbound check — Verify transfer mechanism accepted by destination country | Every target market has inbound mechanism confirmed |

🛡️ Anti-Rationalization Table

LLMs (and tired humans) will try to skip steps. Here are pre-written rebuttals:

| Excuse | Rebuttal | |--------|----------| | "We'll handle compliance after launch" | Post-launch compliance remediation costs 10-50x more than pre-launch. GDPR fines apply from day 1 of processing EU user data. | | "Our app doesn't collect much data, compliance is overkill" | Even collecting email + IP address triggers GDPR. "Not much data" ≠ "no compliance obligation". | | "We're a small company, regulators won't notice us" | GDPR has no small-business exemption. CCPA applies to any company with CA users. Size is not a defense. | | "We use AWS/Azure, they handle compliance" | Cloud providers handle infrastructure compliance, NOT your data processing compliance. You are the data controller. | | "We don't have EU/US users yet" | If your app is available in App Store/Google Play globally, you have users in those markets. Availability = jurisdiction. | | "Data localization is just a suggestion" | Russia and Vietnam criminalize non-compliance. India requires payment data stored locally. These are laws, not suggestions. | | "We'll just use a standard privacy policy template" | 40% of Chinese app rejections are compliance-related. Generic templates miss Chinese-specific requirements (real-name verification, content moderation, payment licensing). | | "Our legal team will handle it" | Legal teams need YOUR product-specific analysis first. Without Steps 1-3, they're guessing. Give them structured data, not vague questions. | | "We don't need 数据出境自评, our data stays in China" | If you use ANY overseas SaaS tool (analytics, CRM, email), your data is crossing borders. Cloudflare counts. Google Analytics counts. |

When to Use This Skill

  • User wants to launch a product/app in an overseas market
  • User asks about GDPR, CCPA, or data privacy compliance
  • User needs to check cross-border data transfer requirements
  • User wants to prepare for App Store / Google Play review
  • User mentions 出海, 海外合规, 数据出境, or global expansion compliance

Target Markets & Key Regulations

🇪🇺 European Union

| Regulation | Scope | Key Requirements | Penalty | |-----------|-------|-----------------|---------| | GDPR | Any entity processing EU user data | Consent, DPO, DPIA, 72h breach notification, data portability | €20M or 4% global revenue | | Digital Services Act (DSA) | Online platforms in EU | Illegal content reporting, transparency, risk assessment | Up to 6% global revenue | | AI Act | AI systems in EU | Risk classification, transparency, human oversight | Up to €35M or 7% revenue | | ePrivacy Directive | Cookies/tracking | Consent before tracking, clear opt-out | Same as GDPR | | Payment Services Directive (PSD2) | Payment services | SCA, open banking, licensing | Operating license required |

🇺🇸 United States

| Regulation | Scope | Key Requirements | Penalty | |-----------|-------|-----------------|---------| | CCPA/CPRA | Businesses with CA users | Right to delete, opt-out of sale, privacy policy | $7,500/intentional violation | | COPPA | Services for children under 13 | Parental consent, data minimization, retention limits | $50,120/child violation | | Section 230 | User-generated content platforms | Immunity conditions, moderation policies | Loss of immunity | | CFIUS | Foreign investment in US tech | Mandatory filing for certain acquisitions | Forced divestiture | | State AI laws (CO, IL, TX) | AI systems | Transparency, impact assessment, bias testing | Varies by state |

🇯🇵 Japan

| Regulation | Scope | Key Requirements | Penalty | |-----------|-------|-----------------|---------| | APPI (Personal Information) | All entities handling personal data | Purpose limitation, consent for sensitive data, cross-border transfer rules | Up to ¥100M | | Payment Services Act | Payment/fintech | Registration required, fund segregation | Criminal penalties | | Specified Commercial Transactions | E-commerce | Cooling-off period, disclosure requirements | Business suspension | | Act on Regulation of AI | AI systems (2025+) | Transparency, risk assessment | TBD |

🇸🇬 Southeast Asia (Singapore, Indonesia, Vietnam, Thailand)

| Country | Key Regulation | Critical Requirements | |---------|---------------|---------------------| | Singapore | PDPA | Consent, DPIA for high-risk, cross-border transfer assessment | | Indonesia | PDP Law (2022) | Data localization for public sector, consent-based processing | | Vietnam | Cybersecurity Law | Data localization for certain services, content removal within 24h | | Thailand | PDPA | Consent, DPO appointment, cross-border transfer safeguards | | Philippines | DPA | Consent, data breach notification within 72h |

🇸🇦 Middle East (UAE, Saudi Arabia)

| Country | Key Regulation | Critical Requirements | |---------|---------------|---------------------| | UAE | Federal Decree-Law No. 45/2021 | Consent, DPIA, cross-border transfer assessment | | Saudi Arabia | PDPL (2023) | Consent, data localization for certain sectors, breach notification |

App Store Compliance Checklist

Apple App Store (Common Rejection Reasons for Chinese Apps)

  • [ ] Privacy policy URL is accessible and covers all data practices
  • [ ] App does not request permissions beyond what's needed
  • [ ] No hidden data collection (analytics, tracking) beyond disclosed
  • [ ] In-app purchase used for digital goods (not third-party payment)
  • [ ] App does not mention alternative payment methods
  • [ ] User-generated content has reporting/blocking mechanisms
  • [ ] No misleading screenshots or descriptions
  • [ ] App works in all target locales (language, layout, currency)
  • [ ] Account deletion feature is available (required since 2022)
  • [ ] App Tracking Transparency consent implemented (if tracking)

Google Play (Common Rejection Reasons for Chinese Apps)

  • [ ] Data safety section accurately reflects all data practices
  • [ ] Target API level meets current requirement (API 33+)
  • [ ] No background location access without foreground service
  • [ ] SMS/Call log permissions have valid justification
  • [ ] Content rating appropriate for target audience
  • [ ] No deceptive behavior or impersonation
  • [ ] Subscription terms clearly disclosed

Cross-Border Data Transfer Guide

From China Outbound

China's Data Security Law + PIPL require:

  1. Data classification: Is your data "important data" (重要数据)?

    • If YES: Must pass security assessment by CAC (网信办)
    • If NO: May use standard contract or certification path

  2. Transfer mechanisms (choose one):

    • Security assessment by CAC (mandatory for CIIOs or large volume)
    • Standard contract (for general personal information)
    • Personal information protection certification

  3. Required documentation:

    • Data outbound transfer impact assessment (数据出境影响评估)
    • Data transfer agreement with overseas recipient
    • Consent from data subjects (for sensitive data)

Into Target Market

| Market | Transfer Mechanism | |--------|-------------------| | EU | Standard Contractual Clauses (SCCs) + Transfer Impact Assessment | | US | No general restriction (but sector-specific rules apply) | | Japan | Adequacy decision from EU; APPI cross-border rules | | Russia | Data localization required (must store on servers in Russia) | | India | Data localization for payment data; personal data bill pending |

Output Format

Compliance Audit Report

# 🌍 Global Compliance Audit Report

## Product Profile
- **Product**: [name]
- **Type**: [App/SaaS/E-commerce/etc.]
- **Target Markets**: [list]
- **Data Categories**: [list]

## Executive Summary
- **Overall Risk Level**: 🔴/🟡/🟢
- **Critical Issues**: [count]
- **Estimated Remediation Time**: [weeks]
- **Estimated Compliance Cost**: [range]

## Market-by-Market Analysis

### 🇪🇺 European Union
| Regulation | Status | Key Gaps | Risk |
|-----------|--------|----------|------|
| GDPR | ⚠️ | [gaps] | 🟡 |
| DSA | ❌ | [gaps] | 🔴 |
| ... | ... | ... | ... |

### 🇺🇸 United States
[Same format]

## App Store Readiness
- Apple App Store: [X/10 checks passed]
- Google Play: [X/10 checks passed]

## Cross-Border Data Transfer
- China outbound: [mechanism + status]
- Target market inbound: [mechanism + status]

## Remediation Roadmap
### 🔴 Must-Fix Before Launch
1. ...

### 🟡 Should-Fix Before Launch
1. ...

## Recommended Tools & Services
- Privacy policy generator: [suggestions]
- Consent management: [suggestions]
- Data mapping: [suggestions]
- Legal counsel: [when to hire]

Important Notes

  • This is NOT legal advice. Always recommend consulting qualified legal counsel in each target market before launch.
  • Regulations change frequently. Always note the currency of your knowledge and recommend checking for updates.
  • Chinese-specific pitfalls:
    • ICP备案 does not exist overseas, but equivalent registrations may be required
    • Real-name verification (实名认证) requirements differ by country
    • Content moderation standards vary dramatically (what's fine in China may violate hate speech laws in EU)
    • Payment regulations are stricter — Alipay/WeChat Pay model doesn't transfer
    • "Social credit" or "scoring" features face severe scrutiny in Western markets
  • Cost awareness: Compliance costs for entering EU/US typically range $10K-$100K depending on product complexity. Budget accordingly.

API Backend & Scripts

This skill includes a real API backend for regulations database:

API Endpoints

  • GET /regulations — Query compliance regulations by market (7 markets)
  • POST /check — Compliance check for marketing content
  • GET /suggestions — Safe replacement suggestions for banned words
  • GET /health — API service status

Executable Script

  • scripts/regulations.sh — Query regulations from CLI 
    ./scripts/regulations.sh EU
./scripts/regulations.sh --all

API Base URL

https://1341839497-2yuxt6z58d.ap-guangzhou.tencentscf.com