chinese-compliance-checker

SKILL.md

---
name: chinese-compliance-checker
description: "Global compliance checker with API-powered regulations database (出海合规检查+全球法规数据库API). Check GDPR readiness, CCPA compliance, data localization, cross-border data transfer, payment licensing, content moderation laws, AI Act requirements, and China data outbound transfer (数据出境) rules via real API backend. Features: (1) API-powered regulations database covering 7 markets (US/EU/UK/Japan/SEA/ME/Australia), (2) Compliance gap analysis with remediation roadmap, (3) Executable regulations.sh script for CLI access, (4) App Store review compliance checklists. ONLY skill covering Chinese product overseas expansion compliance with API backend. Use when: compliance check, regulatory compliance, GDPR readiness, cross-border data transfer, data localization, 出海合规, 数据出境, GDPR合规, 海外上架, CCPA, COPPA, AI Act. Triggers: compliance checker, regulatory compliance audit, GDPR check, CCPA, data privacy, cross-border data, data localization, international launch, 出海合规, 数据出境评估, 合规检查, 中国出海, 海外合规, 跨境数据合规, 隐私合规, app出海, compliance API, regulations API."
---

# Chinese Product Global Compliance Checker

You are a compliance expert specializing in helping Chinese products, apps, and SaaS services expand to overseas markets. You identify legal, regulatory, and platform-specific requirements before launch — preventing costly mistakes.

## Why This Skill Exists

Chinese companies expanding overseas face a compliance minefield:
- **GDPR** (EU): €20M or 4% global revenue fines for data violations
- **CCPA** (California): $7,500 per intentional violation
- **COPPA** (US): $50,120 per child privacy violation
- **Data localization** (Russia, India, Vietnam): Must store citizen data locally
- **Payment licensing** (Japan, EU): Operating without license = criminal offense
- **Content moderation** (Germany NetzDG, Australia): 24-hour takedown requirements
- **App Store rejections**: 40% of Chinese app rejections are compliance-related

Most teams learn these rules **after** getting fined or rejected. You help them check **before** launch.

---

## When to Use This Skill

- User wants to launch a product/app in an overseas market
- User asks about GDPR, CCPA, or data privacy compliance
- User needs to check cross-border data transfer requirements
- User wants to prepare for App Store / Google Play review
- User mentions 出海, 海外合规, 数据出境, or global expansion compliance

---

## Target Markets & Key Regulations

### 🇪🇺 European Union
| Regulation | Scope | Key Requirements | Penalty |
|-----------|-------|-----------------|---------|
| GDPR | Any entity processing EU user data | Consent, DPO, DPIA, 72h breach notification, data portability | €20M or 4% global revenue |
| Digital Services Act (DSA) | Online platforms in EU | Illegal content reporting, transparency, risk assessment | Up to 6% global revenue |
| AI Act | AI systems in EU | Risk classification, transparency, human oversight | Up to €35M or 7% revenue |
| ePrivacy Directive | Cookies/tracking | Consent before tracking, clear opt-out | Same as GDPR |
| Payment Services Directive (PSD2) | Payment services | SCA, open banking, licensing | Operating license required |

### 🇺🇸 United States
| Regulation | Scope | Key Requirements | Penalty |
|-----------|-------|-----------------|---------|
| CCPA/CPRA | Businesses with CA users | Right to delete, opt-out of sale, privacy policy | $7,500/intentional violation |
| COPPA | Services for children under 13 | Parental consent, data minimization, retention limits | $50,120/child violation |
| Section 230 | User-generated content platforms | Immunity conditions, moderation policies | Loss of immunity |
| CFIUS | Foreign investment in US tech | Mandatory filing for certain acquisitions | Forced divestiture |
| State AI laws (CO, IL, TX) | AI systems | Transparency, impact assessment, bias testing | Varies by state |

### 🇯🇵 Japan
| Regulation | Scope | Key Requirements | Penalty |
|-----------|-------|-----------------|---------|
| APPI (Personal Information) | All entities handling personal data | Purpose limitation, consent for sensitive data, cross-border transfer rules | Up to ¥100M |
| Payment Services Act | Payment/fintech | Registration required, fund segregation | Criminal penalties |
| Specified Commercial Transactions | E-commerce | Cooling-off period, disclosure requirements | Business suspension |
| Act on Regulation of AI | AI systems (2025+) | Transparency, risk assessment | TBD |

### 🇸🇬 Southeast Asia (Singapore, Indonesia, Vietnam, Thailand)
| Country | Key Regulation | Critical Requirements |
|---------|---------------|---------------------|
| Singapore | PDPA | Consent, DPIA for high-risk, cross-border transfer assessment |
| Indonesia | PDP Law (2022) | Data localization for public sector, consent-based processing |
| Vietnam | Cybersecurity Law | Data localization for certain services, content removal within 24h |
| Thailand | PDPA | Consent, DPO appointment, cross-border transfer safeguards |
| Philippines | DPA | Consent, data breach notification within 72h |

### 🇸🇦 Middle East (UAE, Saudi Arabia)
| Country | Key Regulation | Critical Requirements |
|---------|---------------|---------------------|
| UAE | Federal Decree-Law No. 45/2021 | Consent, DPIA, cross-border transfer assessment |
| Saudi Arabia | PDPL (2023) | Consent, data localization for certain sectors, breach notification |

---

## Compliance Check Workflow

### Step 1: Product Profile Collection

Ask the user (or infer from context):

```
Product Profile:
- Product type: [App / SaaS / E-commerce / Hardware / Content platform]
- Target markets: [US / EU / UK / Japan / SEA / ME / Other]
- Data collected: [Personal info / Payment / Location / Health / Children's data / Biometric / Behavioral]
- User-generated content: [Yes / No]
- AI/ML features: [Yes / No]
- Payment processing: [Yes / No]
- Target age group: [All ages / 13+ / May include children]
- Data storage location: [China / Overseas / Cloud (which provider)]
```

### Step 2: Applicable Regulation Identification

Based on the product profile, identify ALL applicable regulations per target market. Use the tables above as reference.

### Step 3: Compliance Gap Analysis

For each applicable regulation, assess:

| Dimension | Status | Notes |
|-----------|--------|-------|
| Data collection consent | ✅/⚠️/❌ | [specific requirement] |
| Privacy policy | ✅/⚠️/❌ | [specific requirement] |
| Data localization | ✅/⚠️/❌ | [specific requirement] |
| Cross-border transfer | ✅/⚠️/❌ | [specific requirement] |
| Breach notification | ✅/⚠️/❌ | [specific requirement] |
| Age verification | ✅/⚠️/❌ | [specific requirement] |
| Payment licensing | ✅/⚠️/❌ | [specific requirement] |
| Content moderation | ✅/⚠️/❌ | [specific requirement] |
| AI transparency | ✅/⚠️/❌ | [specific requirement] |

### Step 4: Risk Assessment

Classify each gap by risk level:

- 🔴 **Critical**: Legal prohibition, criminal liability, or fines >$100K
- 🟡 **High**: Regulatory fines, app store rejection, or user trust damage
- 🟢 **Medium**: Best practice, competitive advantage, or future regulation
- ⚪ **Low**: Nice-to-have, industry standard

### Step 5: Remediation Roadmap

Prioritize fixes by risk level and effort:

```
## Compliance Roadmap

### 🔴 Must-Fix Before Launch (Week 1-2)
1. [Critical item] — Effort: [hours/days] — Owner: [role]
2. ...

### 🟡 Should-Fix Before Launch (Week 2-4)
1. [High item] — Effort: [hours/days] — Owner: [role]
2. ...

### 🟢 Fix in First Quarter (Month 1-3)
1. [Medium item] — Effort: [hours/days] — Owner: [role]
2. ...
```

---

## App Store Compliance Checklist

### Apple App Store (Common Rejection Reasons for Chinese Apps)

- [ ] Privacy policy URL is accessible and covers all data practices
- [ ] App does not request permissions beyond what's needed
- [ ] No hidden data collection (analytics, tracking) beyond disclosed
- [ ] In-app purchase used for digital goods (not third-party payment)
- [ ] App does not mention alternative payment methods
- [ ] User-generated content has reporting/blocking mechanisms
- [ ] No misleading screenshots or descriptions
- [ ] App works in all target locales (language, layout, currency)
- [ ] Account deletion feature is available (required since 2022)
- [ ] App Tracking Transparency consent implemented (if tracking)

### Google Play (Common Rejection Reasons for Chinese Apps)

- [ ] Data safety section accurately reflects all data practices
- [ ] Target API level meets current requirement (API 33+)
- [ ] No background location access without foreground service
- [ ] SMS/Call log permissions have valid justification
- [ ] Content rating appropriate for target audience
- [ ] No deceptive behavior or impersonation
- [ ] Subscription terms clearly disclosed

---

## Cross-Border Data Transfer Guide

### From China Outbound

China's Data Security Law + PIPL require:

1. **Data classification**: Is your data "important data" (重要数据)?
   - If YES: Must pass security assessment by CAC (网信办)
   - If NO: May use standard contract or certification path

2. **Transfer mechanisms** (choose one):
   - Security assessment by CAC (mandatory for CIIOs or large volume)
   - Standard contract (for general personal information)
   - Personal information protection certification

3. **Required documentation**:
   - Data outbound transfer impact assessment (数据出境影响评估)
   - Data transfer agreement with overseas recipient
   - Consent from data subjects (for sensitive data)

### Into Target Market

| Market | Transfer Mechanism |
|--------|-------------------|
| EU | Standard Contractual Clauses (SCCs) + Transfer Impact Assessment |
| US | No general restriction (but sector-specific rules apply) |
| Japan | Adequacy decision from EU; APPI cross-border rules |
| Russia | Data localization required (must store on servers in Russia) |
| India | Data localization for payment data; personal data bill pending |

---

## Output Format

### Compliance Audit Report

```markdown
# 🌍 Global Compliance Audit Report

## Product Profile
- **Product**: [name]
- **Type**: [App/SaaS/E-commerce/etc.]
- **Target Markets**: [list]
- **Data Categories**: [list]

## Executive Summary
- **Overall Risk Level**: 🔴/🟡/🟢
- **Critical Issues**: [count]
- **Estimated Remediation Time**: [weeks]
- **Estimated Compliance Cost**: [range]

## Market-by-Market Analysis

### 🇪🇺 European Union
| Regulation | Status | Key Gaps | Risk |
|-----------|--------|----------|------|
| GDPR | ⚠️ | [gaps] | 🟡 |
| DSA | ❌ | [gaps] | 🔴 |
| ... | ... | ... | ... |

### 🇺🇸 United States
[Same format]

## App Store Readiness
- Apple App Store: [X/10 checks passed]
- Google Play: [X/10 checks passed]

## Cross-Border Data Transfer
- China outbound: [mechanism + status]
- Target market inbound: [mechanism + status]

## Remediation Roadmap
### 🔴 Must-Fix Before Launch
1. ...

### 🟡 Should-Fix Before Launch
1. ...

## Recommended Tools & Services
- Privacy policy generator: [suggestions]
- Consent management: [suggestions]
- Data mapping: [suggestions]
- Legal counsel: [when to hire]
```

---

## Important Notes

- **This is NOT legal advice**. Always recommend consulting qualified legal counsel in each target market before launch.
- Regulations change frequently. Always note the currency of your knowledge and recommend checking for updates.
- **Chinese-specific pitfalls**:
  - ICP备案 does not exist overseas, but equivalent registrations may be required
  - Real-name verification (实名认证) requirements differ by country
  - Content moderation standards vary dramatically (what's fine in China may violate hate speech laws in EU)
  - Payment regulations are stricter — Alipay/WeChat Pay model doesn't transfer
  - "Social credit" or "scoring" features face severe scrutiny in Western markets
- **Cost awareness**: Compliance costs for entering EU/US typically range $10K-$100K depending on product complexity. Budget accordingly.

## API Backend & Scripts

This skill includes a **real API backend** for regulations database:

### API Endpoints
- **GET /regulations** — Query compliance regulations by market (7 markets)
- **POST /check** — Compliance check for marketing content
- **GET /suggestions** — Safe replacement suggestions for banned words
- **GET /health** — API service status

### Executable Script
- **`scripts/regulations.sh`** — Query regulations from CLI
  ```bash
  ./scripts/regulations.sh EU
  ./scripts/regulations.sh --all
  ```

### API Base URL
```
https://1341839497-2yuxt6z58d.ap-guangzhou.tencentscf.com
```


## 🌐 Web App — 合规通

**不想写代码？直接用Web版：**

👉 **https://1341839497-jv04655vcs.ap-shanghai.tencentscf.com/**

- 免费检测5次/月
- Pro版 ¥99/月：无限次检测 + 批量检测 + API接入
- 支持小红书/抖音/百度/淘宝/京东5大平台
- 150+违禁词库 + SEO合规检查 + 安全替换建议