Cross-border Investment and Trade

Basic Overview

In the era of the digital economy, data serves as both a core strategic asset and a critical compliance baseline for enterprises. With the implementation of the Cybersecurity Law, Data Security Law, and Personal Information Protection Law alongside regulations such as the Measures for the Security Assessment of Outbound Data Transfer, the Measures for the Standard Contract for Outbound Transfer of Personal Information, and the General Plan for the Market-oriented Allocation of Data Elements, the regulatory landscape has shifted. The focus has moved from “risk prevention and mitigation” to a dual emphasis on “compliance” and “value creation”. Enterprises are required to secure the bottom line of data security and personal information protection while capturing new opportunities in data assetization, trading and circulation.

Zhonglun W&D Law Firm has been deeply engaged in the fields of cybersecurity and data compliance for over a decade, making it one of the earliest domestic law firms to systematically establish a practice in this area. We have been at the forefront of landmark projects, including the first wave of compliance rectifications and outbound data transfer filings following the enactment of the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. With a forward-looking perspective, we provide cutting-edge services for the market-oriented allocation of data elements across diverse sectors, including internet platforms, financial technology, healthcare, automotive, smart manufacturing, retail, and serving both state-owned enterprises and multinational corporations.

Our core expertise focuses on integrated services for risk mitigation and value creation, underpinned by standardized, actionable service workflows that range from routine operations, such as privacy policy optimization and data subject rights protection, to specialized scenarios like security assessment for outbound data transfer, standard contract filing for outbound transfer of personal information, and emergency response for data security incidents, as well as digital transformation initiatives including the construction of data compliance systems, data assetization, and compliance for data trading. Leveraging our cross-departmental synergy—integrating expertise from our Corporate, Finance, Insurance, Intellectual Property, and Dispute Resolution teams—we do more than solve isolated compliance issues. We build a “Business Security + Data Compliance + Strategic Development” triad to help clients achieve data-driven sustainable growth under a stringent regulatory environment.

Furthermore, as artificial intelligence becomes the core engine of the global technological revolution and industrial transformation, it is rapidly penetrating industries such as finance, healthcare, and manufacturing, which brings complex legal challenges regarding AI data governance, algorithmic compliance, AI agent supervision, cross-border compliance, and related dispute resolution. Leveraging our global service network and profound professional expertise, Zhonglun W&D Law Firm has built a multidisciplinary “Law + Technology + Industry” service synergy. Led by core practitioners in cybersecurity, data compliance, and intellectual property, and backed by specialist in dispute resolution, foreign-related business and government regulation, we focus on the compliance and litigation needs of the entire AI industry chain, and we are proud to be pioneers and practitioners at the frontier of AI-related legal services.

Services

(I) Legal Services for Data Compliance

1.Legal Services for Data Compliance Review and Remediation (Data Due Diligence)
▪Compliance review of personal information protection (including consent mechanisms, privacy policies, and user rights protection)
▪Compliance review for the identification and management of important data ▪Construction of category-and class-based data protection systems
▪Compliance review of third-party data cooperation (including entrusted processing, data sharing, and joint marketing)
2.Legal Services for Outbound Data Transfer Compliance
▪Applying for security assessment of outbound data transfers for Critical Information Infrastructure Operators and other qualified enterprises
▪Guidance on personal information protection certification
▪Filing guidance for standard contract for outbound transfer of personal information
▪Compliance review and legal opinion issuance for overseas data listings
3.Legal Services for Data Compliance Framework Development
▪Development of Data Asset Inventories and Data Flow Diagrams
▪Formulation of comprehensive internal policies, including Data Compliance Management Systems, Privacy Policies, and Data Processing Agreement templates
▪Design of data access control mechanisms and record retention protocols
▪Establishment of Data Subject Request (DSR) response workflows (including access, deletion, and withdrawal of consent)
4.Legal Services for Special Project Compliance
▪Compliance analysis for facial recognition and biometric data collection
▪Compliance guidelines for user profiling and automated decision-making ▪Compliance remediation for App and Mini-program (legal services for special campaigns launched by the Ministry of Industry and Information Technology)
▪Design of targeted advertising and Cookie compliance solutions
▪Preparation of Personal Information Protection Impact Assessment (PIA) reports
5.Legal Services for Data Security Incident
▪Assisting with emergency response and internal investigations
▪Guidance on notifying the affected data subjects and reporting to regulatory authorities
▪Assisting in communications with affected individuals to reduce reputational and legal risks
6.Legal Services for Data Compliance Training and Capacity Building
▪Customized training for management, legal, IT, product, and other relevant departments
▪Assisting enterprises in appointing Data Protection Officers (DPOs) and fulfilling their duties
▪Partnering with professional institutions to provide certification training services, such as certifications of Data Protection Officers (DPO) and International Association of Privacy Professionals (IAPP)
(II) Legal Services for Data-Related Projects

1.Legal Services for Data Asset Compliance
▪Legal services for data rights affirmation: reviewing the legality of data asset sources (user authorization, compliance of public data collection) and ownership relationships (distinguishing rights between raw data and processed data) to issue formal compliance opinions
2.Legal Services for Data Trading and Circulation Compliance
▪End-to-End Compliance Services for Data Trading:
Reviewing qualifications of transaction participants (reviewing the legal standing of data suppliers and demanders)
Compliance verification of data products (assessing the legal effectiveness of anonymization and de-identification)
Drafting of transaction contracts (defining data usage scope, warranties against defects of title, and liability for breach)
▪Compliance for Authorized Operation of Public Data:
Designing compliance solutions for public data access applications and authorized use, and reviewing public data authorization agreements, so as to mitigate the legal risks of data misuse
▪Collaboration with Data Exchanges:
Serving as a certified compliance assessment service provider for data exchanges in Shenzhen, Guangzhou, Kunming, and other cities, assisting enterprises in compliance reviews and filing material preparation prior to listing data products
3.Cutting- Edge Legal Services for the Marketization of Data Elements
▪Data Asset Financing Compliance
Assisting enterprises in financing activities centered on data assets, including compliance reviews of financing agreements and legal risk assessments of financing schemes (e.g., the data asset financing project of Hunan Shandy Technology Development Co., Ltd.)
▪Data-related Policy Consulting
Tracking developments at the National Data Administration and local data exchanges, interpreting policies such as the Master Plan for the Market-oriented Allocation of Data Factors, and advising on the strategic positioning of data-element businesses from a legal perspective
▪Rule-Making for Data Trading Ecosystems
Advising on rule-making for data exchanges and service providers (e.g., participating in the design of compliance frameworks for provincial-level data exchanges) to foster a compliant data trading ecosystem
(III) Legal Services for AI-Related Legal Services

1.Legal Services for AI Data Compliance
▪Training Data Compliance
Reviewing the legality of AI model training data collection, processing, and utilization; providing personal information de-identification and anonymization solutions; preventing risks of data poisoning and copyright infringement; and issuing reports on compliance verification of data sources
▪Data Processing Compliance
Standardizing operations across the AI data lifecycle, covering storage, labeling, transmission, and destruction; designing verification mechanisms for data quality compliance; defining the boundaries for compliant AI data use; and ensuring data processing meets regulatory requirements
▪Generated Data Compliance
Providing legal services for rights attribution, compliance review, and preservation for compliance of AI-generated content; establishing compliance review workflows prior to generated data release
2.Legal Services for Algorithm and Model Compliance
▪Algorithm Compliance Assessment
Conducting compliance reviews for algorithmic fairness, transparency, and explainability; identifying risks of algorithmic discrimination, monopoly, and abuse; and providing rectification plans and compliance demonstrations
▪Algorithm Filing and Submission
Assisting with the filing of generative AI algorithms and algorithm security assessments; preparing filing materials and liaising with regulatory authorities to ensure efficient completion of the filing process
▪AI Model Compliance
Providing end-to-end compliance services for the training, optimization, deployment, and iteration of large language models; reviewing compliance risks during model training; and formulating management procedures for model compliance
3.Legal Services for AI Product and Agent Compliance
▪Generative AI Product Compliance
Providing compliance-by-design for products such as AI writing, AI painting, AI voice, and AI office tools; drafting user agreements and privacy policies; and adapting to app store listing and regulatory requirements
▪AI Agent Compliance
Standardizing compliance workflows for data interaction, behavioral decision-making, user authorization, and commercial monetization for digital humans, virtual assistants, and industry-specific agents to prevent and mitigate compliance risks
▪AI Product Compliance Review
Assisting with internal and third-party compliance review for AI products; providing remediation guidance for identified issues to ensure products meet regulatory standards
4.Legal Services for AI Scenario-based and Cross-border Compliance
▪Compliance Services for Industry-specific Scenarios
Providing customized compliance solutions for scenarios such as AI-based autonomous driving systems, AI medical diagnosis, industrial intelligent control, intelligent marketing, and AI procurement for government and enterprises to meet sector-specific regulatory requirements
▪Compliance Services for Cross-border AI-related Business
Designing compliance frameworks for cross-border AI data transmission; assisting with security assessments, Standard Contract filings, or personal information protection certifications; adapting to AI regulatory policies across multiple jurisdictions (covering China-Japan, China-US, China-EU); and resolving compliance conflicts in cross-border cooperation
5.Legal Services for AI Compliance Framework Setup and Risk Mitigation
▪Compliance System Establishment
Formulating compliance management systems for AI businesses, including AI data compliance review mechanisms, algorithm compliance assessment processes, compliance training programs, and emergency response plans for security incidents to establish long-term compliance mechanisms
▪ Administrative Penalty Response
Assisting with regulatory investigations related to AI; providing legal services such as statements and defenses, hearing representation, and formulation of remediation plans to reduce the risk of penalties
▪Emergency Response Support
Providing real-time legal guidance for emergencies such as AI data breaches, algorithm failures, and generated content infringement; assisting enterprises in containing risk escalation
6.Legal Services for AI-related Litigation and Arbitration
▪Representation in AI-related Intellectual Property Disputes
Assisting with litigation and arbitration for cases involving algorithm patent infringement, copyright disputes over AI-generated content, and trade secret infringement (e.g., model parameter leaks)
▪Representation in AI Data Rights Disputes
Assisting with mediation, arbitration, and litigation for civil cases involving personal information infringement, data ownership disputes, and data transaction contract disputes
▪Representation in AI-related Administrative Litigation
Providing administrative reconsideration and administrative litigation services against administrative penalty decisions in the AI field to protect the legitimate rights and interests of enterprises

Service Performance

(1) Legal Services for Data Compliance
Providing legal services to top two Chinese insurance institutions (including several subsidiaries) for its data compliance projects
Providing legal services to a renowned public institution directly under a national ministry for its data compliance project, with a focus on web crawler-related business
Providing legal services to Pudao Credit Company Limited (China’s top 2 licensed consumer credit-reporting agency) for its data compliance project
Providing legal services to Baidu Online Network Technology (Beijing) Co., Ltd. for its data compliance project, with a focus on web crawler and important data
Providing legal services to Meituan for its telecommunications regulation compliance project
Providing legal services to a global top 2 theme park for its telecommunications regulatory and data compliance project
Providing legal services to a domestic top 3 theme park for its cybersecurity and data compliance project
Providing legal services to a Fortune Global 500 Japanese electronics company for its telecommunications regulatory and data compliance project
Providing legal services to a top 3 Japanese telecommunications company for the establishment of a joint venture in China with a top 3 domestic internet company and a renowned Taiwan-based electronics enterprise
Providing legal services to a renowned Japanese trading company in the telecommunications regulatory and data compliance project for its collaboration with a Chinese cross-border e-commerce platform
Providing legal services to a prominent Japanese listed company
Providing legal services to a renowned Japanese-invested automobile company for its data-related project
Providing legal services to a leading recruitment industry company on data security for its collaborative project with LinkedIn
Providing legal services to the Chinese subsidiary of a prominent Japanese listed company for its data compliance (facial recognition) project
Providing legal services to a renowned Japanese listed company for the telecommunications regulatory compliance in connection with its investment in China
Providing legal services to a renowned domestic investment company for legal consulting on telecommunications licensing
Providing legal services to a Fortune Global 500 information technology company for its projects of standard contract filings for outbound transfer of personal information
Providing legal services to a foreign-invested financial company for the security assessment of outbound data transfer
Providing legal services to a foreign-invested tourism company for the security assessment of outbound data transfer
Providing legal services to a Japanese automaker for the data processing architecture, telecommunications, important data, personal information, and surveying and mapping compliance of its autonomous driving module R&D and internet projects in China
Providing legal services to China Mobile (Shanghai) Industrial Research Institute for its training project on cybersecurity and data compliance
Providing legal services to a listed company, Dian Diagnostics Group Co., Ltd., for its compliance assessment project for data product listing
Providing comprehensive data compliance legal services to multiple pre-IPO companies, covering administrative penalty response and data compliance system development
Providing legal services to internationally renowned enterprises such as Sumitomo Chemical Co., Ltd. for compliance confirmation regarding important data and personal information processing
(2) Legal Services for Data Element Related Performance
Providing legal services for the first data asset credit-enhancement financing compliance assessment in Hunan province
Providing legal services for the compliance assessment of the first state-owned data asset listing and data asset inclusion in financial statements in Heilongjiang province
Providing legal services to Dian Diagnostics Group Co., Ltd. for the compliance assessment of the listing of several data products at Hangzhou Data Exchange
Providing legal services to Shenzhen Yunti Technology Co., Ltd. for the compliance assessment of the listing of data products at a data exchange
Providing legal services to PipeChina Storage and Transportation Technology Development Co., Ltd. for the data product registration at the Northern Big Data Exchange Center
(3) Legal Services for AI-related Projects
Providing end-to-end compliance services to an international automotive group for its R&D project on AI-based autonomous driving system
Providing scenario-based compliance services to an AI-based medical technology company
Providing agent compliance services to an AI-based medical service company
Providing compliance rectification services to a foreign AI-based marketing company
Providing legal services to a fund for its AI-related M&A project
Providing legal services to an AI-based education technology company for its data compliance system establishment project