26 May 2026

A Preliminary Analysis Of Legal Risks For Enterprises In China Using Overseas AI Tools

Shaohe Law Firm

Contributor

Founded in 2007, Shaohe Law Firm has become one of the most trusted legal service providers for foreign entities in China, especially for European entities. We cover a wide range of practice areas with an emphasis on complex disputes, corporate/M&A, employment law, data compliance, intellectual property protection and tax law.
Yuhui Liaou’s articles from Shaohe Law Firm are most popular:
  • with Senior Company Executives, HR and Inhouse Counsel
  • in United States
  • with readers working within the Business & Consumer Services, Healthcare and Property industries

In recent years, overseas generative AI tools such as Copilot, ChatGPT, Claude, and Gemini have gradually entered the daily operations of enterprises. From drafting emails and organizing data to internal collaboration and client communication, these tools have significantly enhanced efficiency. Simultaneously, enterprises operating within China—including subsidiaries established by multinational corporations—inevitably face a series of legal and compliance challenges when utilizing these foreign AI tools.

Under China’s current legal framework, legislators encourage the development and application of AI tools while maintaining cautious oversight. Existing Chinese AI-related legislation primarily imposes obligations on “AI service providers”. Nevertheless, ordinary users of AI tools are also subject to various compliance requirements. In particular, because online activities naturally involve cross-border networks and overlapping jurisdictions, enterprises in China that use AI tools developed, owned, and operated overseas may encounter additional legal risks with substantial practical implications. These risks are especially concentrated in areas such as cross-border data transfers, cross-border network access, trade secret protection, cybersecurity, and AI regulation.

The foremost issue to address is cross-border data transfer. The operational logic of foreign AI tools dictates that the content input by enterprises during use is typically transmitted to overseas servers for processing; legally, this process constitutes a “cross-border data transfer”. Under China’s data regulatory framework, data export under specific circumstances may trigger stringent regulatory requirements. Examples include cross-border transfers by “Critical Information Infrastructure Operators” (such as those in energy or government services), the export of “Important Data” (such as financial or telecommunications data), and the transfer of personal information, particularly sensitive personal information. Relevant Chinese laws establish varying degrees of compliance obligations for the cross-border transfer of different categories and volumes of data.

Closely related is the issue of cross-border network access. Influenced by differences in national regulatory measures regarding website access and cross-border application services, as well as the service providers’ own configurations and technical platform issues, users may encounter restricted access to certain AI platforms. For enterprises in China seeking to resolve these issues, the primary consideration must be how to establish cross-border communication channels in a compliant manner.

Beyond regulatory risks, the commercial risks enterprises may face when using AI tools—specifically concerning their own trade secret protection and cybersecurity—warrant equal attention. When generative AI systems process input data, there is a possibility that this data may be utilized for model optimization or even indirectly reflected in future outputs, thereby creating a risk of disclosure to other users. Consequently, enterprises must carefully review the Terms of Service of AI application providers and implement corresponding confidentiality and cybersecurity measures, such as desensitizing input information in advance, or configuring the AI application to a mode that “disallows data usage for experience optimization”. Furthermore, confidentiality clauses are prevalent in many commercial cooperation contracts. As AI applications become more ubiquitous, users must come to recognize as a matter of course that confidentiality obligations extend to AI usage scenarios. Inputting one’s own or a third party’s confidential information into a third-party AI system may be deemed an unauthorized disclosure constituting a breach of contract or an illegal act. This necessitates careful judgment, before use, based on the type of information and the method of use and, critically, requires special advisories regarding AI-related confidentiality obligations during contract formation and compliance training.

Particular attention must be paid to the legal status of enterprise users within the AI regulatory framework. Should an enterprise embed AI capabilities into its own products or services, or provide AI-generated content to external users, it may be classified as an “AI service provider”. In such scenarios, the enterprise will face substantially stricter compliance requirements, such as content safety management, algorithm filing, and corresponding data compliance obligations, thereby significantly increasing its legal risks and compliance costs.

Given the complexity and relative uncertainty of the aforementioned issues, enterprises within China should promptly integrate the use of AI tools—especially overseas AI tools—into their internal compliance systems. This poses a greater challenge for multinational groups and their subsidiaries in China, as their compliance frameworks must often reconcile differing legal regulations from both China and their home countries on identical matters. Consequently, it is highly necessary for enterprises to conduct targeted case-by-case assessments and to formulate and implement personalized compliance programs tailored to their specific business models and data types.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
