April 30, 2026

Compliance Tips for the Application of Artificial Intelligence Technology (III) - Data Processing Compliance

In the previous article, we analyzed the compliance obligations and legal risks that relevant entities may face when applying algorithm technologies. In this article, we turn to the legal risks that enterprises face in data processing.

According to Article 3 of the Data Security Law of the People's Republic of China, "data" as used in that Law refers to any record of information by electronic or other means, and "data processing" includes the collection, storage, use, processing, transmission, provision and disclosure of data. In practice, compliance problems most often arise at the collection and transmission stages, so this article focuses on those two.

I. Data Collection Compliance Risks

Regarding data collection, the main question for an enterprise is how to ensure that its data sources are compliant. We therefore focus on the following four issues:

A. What is Compliant Data Collection?

Pursuant to Article 32 of the Data Security Law and Articles 5, 6, 7 and 10 of the Personal Information Protection Law, data collection shall meet the following requirements:

1. Legitimate and proper methods shall be adopted;

2. Data shall be collected within the purposes and scope prescribed by laws and administrative regulations;

3. Methods with the least impact on personal rights and interests shall be adopted;

4. The purposes, methods and scope of processing shall be explicitly stated;

5. No illegal trading, provision or disclosure of others' personal information, among other requirements.

In short, data collection shall be legitimate, proper, necessary, honest and within the minimum scope, which constitutes the compliance standards for data collection.

B. What is "Consent"?

How does an enterprise show that its data collection complies with regulatory requirements? For personal information, Article 13 of the Personal Information Protection Law requires that at least one of seven preconditions be met [1].

For commercial activities, the first two scenarios are generally applicable, namely: (1) obtaining personal consent; (2) necessary for the conclusion and performance of a contract where the individual is a party, or necessary for the implementation of human resources management in accordance with legally formulated labor rules and regulations and legally concluded collective contracts.

Obtaining personal consent is not simply a matter of getting a click of agreement. According to Articles 14, 15 and 16 of the Personal Information Protection Law [2], valid consent must meet at least the following conditions:

1. Sufficient notification;

2. Voluntary and explicit expression;

3. Withdrawal of consent permitted;

4. Provision of services or products shall not be refused on the grounds of non-consent or withdrawal of consent, unless the processing of personal information is necessary for the provision of such services or products;

5. Re-obtaining of consent is required in case of any change;

6. Separate consent or written consent is obtained where laws or administrative regulations require it.

In addition, in judicial practice, where the consent flow offers no option such as skip or reject, consent that was obtained in form may still be held not to have been genuinely obtained.

For example, in Luo v. a Technology Co., Ltd., a case concerning the right to privacy and the protection of personal information [3], the court held that where the collection of user profile information is not necessary for providing the network service, and the website or software offers no alternative login method to users who refuse to submit that information on its login and registration interface, the user is deemed to have provided the personal information without voluntary consent, and the effect of having obtained consent is not established.

C. What is "Necessary for the Performance of a Contract"?

In determining whether the processing of personal information is "necessary for the conclusion and performance of a contract where the individual is a party", according to the interpretation of the Supreme People's Court [4], the determination may be made by combining the provisions of relevant laws, administrative regulations, rules and normative documents on the scope of necessary personal information with the type and content of the contract.

If the failure to process the relevant information would make it impossible to realize the basic functional services agreed upon in the contract or the additional functional services independently selected by the user, the act of processing personal information may be deemed necessary for the conclusion and performance of the contract; otherwise, it shall not be deemed as such.

In terms of legal provisions, the Cyberspace Administration of China has issued the Provisions on the Scope of Necessary Personal Information for Common Types of Mobile Internet Applications, which enterprises may refer to if they involve the collection of personal information.

D. Is Data Crawling Legal?

In addition to obtaining data directly in commercial activities, enterprises sometimes use technical means to crawl data from the internet. Is data obtained in this way lawful?

From the perspective of some local regulations [5] and judicial practice [6], legality turns on a range of factors, including:

1. Whether the data is collected from lawfully public channels;

2. Whether industry self-regulatory conventions are observed;

3. Whether the crawler protocols (robots.txt) and rules of the target websites are respected;

4. Whether a prior assessment is conducted of the possible impact on the performance and functions of the target's network services;

5. Whether the normal functioning of network services is interfered with, or the normal operation of computer information systems is hindered;

6. Whether others' intellectual property rights are infringed;

7. Whether the crawling amounts to unfair competition.

No general conclusion can be drawn; each case must be assessed against these factors.
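Two of the factors above are checkable in code before a single page is fetched: whether the target's crawler protocol (robots.txt) is respected, and whether the crawl is throttled so that it does not interfere with the site's normal operation. The following script is an added illustration and is not part of the original article or any firm's tooling. It uses only the Python standard library; the robots.txt text, the example.com URLs and the user-agent names are constructed for this example.

```python
"""Pre-crawl compliance check: honour a target site's robots.txt before fetching.

Added example, not from the original article. The robots.txt below is
constructed for a hypothetical site; the user-agent names are assumptions.
"""
import time
from urllib.parse import urlparse
from urllib.robotparser import RobotFileParser

# Constructed robots.txt for a hypothetical target site (example.com is not real here).
SAMPLE_ROBOTS_TXT = """\
User-agent: *
Disallow: /private/
Disallow: /api/
Crawl-delay: 2

User-agent: DataSetBot
Disallow: /
"""

DEFAULT_DELAY_SECONDS = 1.0  # assumed polite fallback when the site states no Crawl-delay


def load_robots(robots_text: str) -> RobotFileParser:
    """Parse robots.txt text that has already been fetched (or, here, constructed)."""
    parser = RobotFileParser()
    parser.parse(robots_text.splitlines())
    return parser


def crawl_delay_for(parser: RobotFileParser, user_agent: str) -> float:
    """Seconds to wait between requests for this agent, with a polite default."""
    delay = parser.crawl_delay(user_agent)
    return float(delay) if delay is not None else DEFAULT_DELAY_SECONDS


def plan_crawl(robots_text: str, user_agent: str, urls: list[str]) -> dict:
    """Split candidate URLs into those robots.txt permits and those it forbids.

    Also returns the per-request delay so the caller can throttle correctly.
    One robots.txt governs one host, so mixed-host input is rejected.
    """
    hosts = {urlparse(u).netloc for u in urls}
    if len(hosts) != 1:
        raise ValueError(f"robots.txt applies to a single host, got {sorted(hosts)}")
    parser = load_robots(robots_text)
    allowed, blocked = [], []
    for url in urls:
        (allowed if parser.can_fetch(user_agent, url) else blocked).append(url)
    return {"allowed": allowed, "blocked": blocked, "delay": crawl_delay_for(parser, user_agent)}


class PoliteThrottle:
    """Enforce the crawl delay between consecutive requests to one host."""

    def __init__(self, delay_seconds: float, clock=time.monotonic, sleeper=time.sleep):
        self.delay = delay_seconds
        self._clock = clock      # injectable for testing
        self._sleep = sleeper    # injectable for testing
        self._last_request = None

    def wait(self) -> float:
        """Block until the delay has elapsed since the previous request; return seconds slept."""
        now = self._clock()
        slept = 0.0
        if self._last_request is not None:
            remaining = self.delay - (now - self._last_request)
            if remaining > 0:
                self._sleep(remaining)
                slept = remaining
        # The request goes out once the sleep ends, not when wait() was entered.
        self._last_request = now + slept
        return slept


if __name__ == "__main__":
    candidates = [
        "https://example.com/",
        "https://example.com/private/users",
        "https://example.com/blog/1",
    ]
    plan = plan_crawl(SAMPLE_ROBOTS_TXT, "ComplianceCrawler/1.0", candidates)
    throttle = PoliteThrottle(plan["delay"])
    for url in plan["allowed"]:
        throttle.wait()          # a real crawler would fetch url here
        print("would fetch", url)
    for url in plan["blocked"]:
        print("skipped (disallowed by robots.txt)", url)
```

In a real crawl the robots.txt text would be fetched from the target host first and the fetch step itself would follow `throttle.wait()`; keeping the parsing and throttling separate from the network code is what makes the compliance decision testable and auditable. Note that robots.txt addresses only one of the factors listed above: respecting it says nothing about intellectual property, unfair competition or whether the data was lawfully public in the first place.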

II. Data Transmission Compliance Risks

Regarding data transmission, the main issue is cross-border transfer. Under existing law, data may be transmitted across borders, but only in compliance with statutory requirements. We therefore discuss the following issues:

A. What is Cross-border Data Transfer?

According to the Guidelines for the Declaration of Cross-border Data Transfer Security Assessment (3rd Edition), the following three situations all constitute acts of cross-border data transfer:

1. A data processor transmits data collected and generated in domestic operations overseas;

2. Data collected and generated by a data processor is stored domestically, and overseas institutions, organizations or individuals may inquire about, retrieve, download or export such data;

3. Other data processing activities such as the processing of personal information of natural persons in China overseas, in accordance with the provisions of Paragraph 2 of Article 3 of the Personal Information Protection Law.

B. Which Cross-Border Data Transfers Are Subject to Review?

Pursuant to Article 37 of the Cybersecurity Law, operators of critical information infrastructure (CIIOs) must store personal information and important data collected and generated in China within the territory of China; where such data genuinely needs to be transferred overseas, a security assessment shall be conducted in accordance with the measures formulated by the Cyberspace Administration of China.

According to Article 31 of the Data Security Law, the administration of the security of cross-border transfer of important data collected and generated in China by operators of critical information infrastructure shall apply the provisions of the Cybersecurity Law of the People's Republic of China; the measures for the administration of the security of cross-border transfer of important data collected and generated in China by other data processors shall be formulated by the national cyberspace administration department in conjunction with the relevant departments of the State Council.

In addition, Article 41 of the Personal Information Protection Law stipulates that the competent authorities of the People's Republic of China shall handle requests from foreign judicial or law enforcement agencies for the provision of personal information stored in China in accordance with relevant laws and the international treaties or agreements concluded or acceded to by the People's Republic of China, or in accordance with the principle of equality and reciprocity.  Without the approval of the competent authorities of the People's Republic of China, no personal information processor shall provide personal information stored in China to foreign judicial or law enforcement agencies.

In short, a review is generally required for the cross-border transfer of personal information and important data collected and generated by CIIOs, for important data collected and generated in China by other data processors, and for personal information stored in China that is requested by foreign judicial or law enforcement agencies.

C. What Conditions Must Be Met for Cross-Border Data Transfer?

According to Article 35 of the Regulations on the Administration of Network Data Security, the conditions for cross-border transfer differ by situation. A network data processor may provide personal information to overseas parties if one of the following conditions is met:

1. Passing the cross-border data transfer security assessment organized by the national cyberspace administration department;

2. Obtaining personal information protection certification from a professional institution in accordance with the provisions of the national cyberspace administration department;

3. Complying with the provisions of the standard contract for cross-border transfer of personal information formulated by the national cyberspace administration department;

4. Genuinely necessary to provide personal information to overseas parties for the conclusion and performance of a contract where the individual is a party;

5. Genuinely necessary to provide employees' personal information to overseas parties for the implementation of cross-border human resources management in accordance with legally formulated labor rules and regulations and legally concluded collective contracts;

6. Genuinely necessary to provide personal information to overseas parties for the performance of statutory duties or obligations;

7. Genuinely necessary to provide personal information to overseas parties in emergency situations to protect the life, health and property safety of natural persons;

8. Other conditions prescribed by laws, administrative regulations or the national cyberspace administration department.

Which situations require a security assessment, which require personal information protection certification, and which require a standard contract is determined under the relevant provisions of the Data Security Law, the Personal Information Protection Law, the Regulations on the Administration of Network Data Security, the Measures for the Security Assessment of Cross-border Data Transfer, the Provisions on Promoting and Regulating Cross-border Data Flow, the Measures for the Certification of Cross-border Transfer of Personal Information, the Measures for Standard Contracts for Cross-border Transfer of Personal Information, the Guidelines for the Filing of Standard Contracts for Cross-border Transfer of Personal Information, and related rules. Due to space limitations, this article does not elaborate on them.

D. In Which Situations Is Review Not Required?

Alongside the situations requiring review, the Provisions on Promoting and Regulating Cross-border Data Flow also set out exemptions. For example, a data processor providing personal information to overseas parties is exempt from declaring a cross-border data transfer security assessment, concluding a standard contract for the cross-border transfer of personal information, and obtaining personal information protection certification if one of the following conditions is met:

1. Genuinely necessary to provide personal information to overseas parties for the conclusion and performance of a contract, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel booking, visa application, examination services, etc.;

2. Genuinely necessary to provide employees' personal information to overseas parties for the implementation of cross-border human resources management in accordance with legally formulated labor rules and regulations and legally concluded collective contracts;

3. Genuinely necessary to provide personal information to overseas parties in emergency situations to protect the life, health and property safety of natural persons;

4. A data processor other than a CIIO has, since January 1 of the current year, cumulatively provided personal information (excluding sensitive personal information) of fewer than 100,000 individuals to overseas parties. The personal information referred to here does not include important data.

III. Compliance Recommendations

In general, the compliance boundaries of data processing have become relatively clear under current law. Now that lawful use of data is a settled consensus, enterprises applying artificial intelligence technology must attend to compliance in data processing.

In managing training data, the primary task is to strictly verify the legality of sources; in managing user data, the principle of minimum necessity must be adhered to; and in cross-border data transmission, China's regulatory requirements must be strictly followed, so as to avoid civil, criminal or administrative liability for non-compliance.

[1] Article 13 of the Personal Information Protection Law: A personal information processor may process personal information only if one of the following circumstances is met: (1) obtaining the individual's consent; (2) necessary for the conclusion and performance of a contract where the individual is a party, or necessary for the implementation of human resources management in accordance with legally formulated labor rules and regulations and legally concluded collective contracts; (3) necessary for the performance of statutory duties or obligations; (4) necessary for responding to sudden public health incidents, or for protecting the life, health and property safety of natural persons in emergency situations; (5) necessary for the implementation of public interests such as news reporting and public opinion supervision, processing personal information within a reasonable scope; (6) processing personal information that has been voluntarily disclosed by the individual or otherwise legally disclosed within a reasonable scope in accordance with the provisions of this Law; (7) other circumstances prescribed by laws and administrative regulations. Pursuant to the relevant provisions of this Law, the processing of personal information shall obtain the individual's consent, except in the circumstances specified in Items (2) to (7) of the preceding paragraph, for which the individual's consent is not required.
[2] Article 14: Where personal information is processed based on the individual's consent, such consent shall be voluntarily and explicitly given by the individual on the premise of being fully informed. Where laws or administrative regulations stipulate that the processing of personal information shall obtain the individual's separate consent or written consent, such provisions shall be followed. If the purposes, methods of processing or types of personal information to be processed are changed, the individual's consent shall be obtained again.
[3] Circular of the Supreme People's Court on Issuing the 47th Batch of Guiding Cases (Fa [2025] No. 150), Guiding Case No. 265.
[4] Ibid.
[5] See Article 35 of the Guidelines for Enterprise Data Compliance in Shenzhen and Article 14 of the Guidelines for Enterprise Data Compliance in Shanghai.
[6] See Circular of the Supreme People's Court on Issuing the 47th Batch of Guiding Cases (Fa [2025] No. 150): Guiding Case No. 262 - Where an operator of a network platform suffers an infringement of its operational interests formed in respect of a data set, it may request a people's court to protect such interests in accordance with the law. For acts of obtaining and providing relevant data to the public without permission, which essentially replace the products or services of the network platform, disrupt the market competition order and damage the legitimate rights and interests of the operator of the network platform or other right holders, the people's court may apply the relevant provisions of the Anti-Unfair Competition Law of the People's Republic of China to determine that such acts constitute unfair competition; Guiding Case No. 264 - Where a data processor collects enterprise data in accordance with the law, processes it to form data products in accordance with compilation methods meeting relevant standards and makes reasonable use of such products without causing damage to the enterprise's rights and interests, if the relevant enterprise requests the data processor to bear tort liability, the people's court shall not support such request in accordance with the law.

The contents of all newsletters of Shanghai Lee, Tsai & Partners (Content) available on the webpage belong to and remain with Shanghai Lee, Tsai & Partners. All rights are reserved by Shanghai Lee, Tsai & Partners, and the Content may not be reproduced, downloaded, disseminated, published, or transferred in any form or by any means, except with the prior permission of Shanghai Lee, Tsai & Partners.

The Content is for informational purposes only and is not offered as legal or professional advice on any particular issue or case. The Content may not reflect the most current legal and regulatory developments. Shanghai Lee, Tsai & Partners and the editors do not guarantee the accuracy of the Content and expressly disclaim any and all liability to any person in respect of the consequences of anything done or permitted to be done or omitted to be done wholly or partly in reliance upon the whole or any part of the Content. The contributing authors' opinions do not represent the position of Shanghai Lee, Tsai & Partners. If the reader has any suggestions or questions, please do not hesitate to contact Shanghai Lee, Tsai & Partners.
