Introduction Everything is interconnected, and digital leads the way. The “Ten Questions and Answers” series is a fixed column under the digital economy topic, with each issue focusing on different topics, ultimately forming a comprehensive Q&A on the digital economy, aimed at showcasing the professional achievements of Taihe Tai Lawyers in this field. This issue’s topic is: The Top Ten Issues Companies Must Pay Attention to in Digital Transformation.Q1How to Understand Corporate Digital Transformation?
Corporate digital transformation is a transformative process that utilizes digital technologies such as big data, cloud computing, and artificial intelligence to promote changes in business models, organizational structures, and corporate culture. Specifically, it involves applying digital technologies to various aspects of an organization, including research and development, operations, etc., to optimize sales channels, marketing methods, human resource management, customer experience, and other processes and mechanisms. This is reflected in the continuous investment of resources by companies in areas such as channel digitization, marketing digitization, and human resource digitization, serving as a barometer for corporate digital transformation under the “Internet Plus” wave over the past decade.
Looking from the perspective of 2024, understanding corporate digital transformation requires not only focusing on the past digital transformation aspects of the “Internet Plus” era but also closely monitoring emerging strategic opportunities for digital transformation in the next decade under the concept of “data elements ×”. In the past decade or even longer, many companies have completed upgrades of their information infrastructure and computing capabilities, including customer relationship management (CRM) systems, enterprise resource planning (ERP) systems, financial management systems (FMS), and human resource management systems (HRMS), accumulating a large amount of data. This data can be further organized, mined, cleaned, and statistically analyzed to form the company’s data products, which can be evaluated and treated as an asset, subsequently capitalized through methods such as pledge financing and data trading. By leveraging the mechanism of data element circulation, different companies in the industry chain can also build a comprehensive and systematic data industry, maximizing the utility of data elements. Moreover, based on these data accumulations and flows, companies can also leverage emerging technologies such as artificial intelligence (e.g., AIGC) to enhance productivity. This may become a historical opportunity for companies to deepen their digital transformation in the next decade, further incentivizing or compelling more companies to complete their digital transformation.Q2What Aspects Does Channel Digitization Include? What Are the Typical Legal Risks?Channel digitization refers to the use of the Internet and digital technologies to reform and optimize traditional marketing channels. It primarily changes traditional marketing channels in two ways: first, by enhancing the push power of channels through digital means (push), second, by activating consumer-side resources to enhance the pull power of channels[1]. Before the digital era, marketing channels mainly relied on brand-driven and channel-driven methods. Brand-driven, or pull sales, typically established brand strength through mass media communication to create pull in the channel. Channel-driven, or push sales, involves a step-by-step persuasion process from manufacturer to distributor to retail terminal and finally to the consumer. Digital channels have changed this model, allowing companies to directly reach consumers (C-end) through channel digitization, activating the business side (B-end) by mobilizing consumer resources, thus forming a strong channel pull. The combination of this push and pull significantly impacts channels far beyond the effects of traditional brand-driven or channel-driven methods acting alone. For example, the traditional brand-driven model can be represented as follows: Brand owner (F) influences consumer brand perception (C) through mass media communication (F2C), leading consumers to purchase at terminals (C2b), which in turn drives terminals (b) to purchase from distributors (b2B). The digital channel model may instead appear as: Brand owner (F) directly reaches consumers (C) through the Internet, who then influence retail terminals (b) and distributors (B). Specifically, this can manifest as companies selling products directly to consumers through third-party e-commerce platforms, self-built e-commerce platforms, offline smart stores, content e-commerce (such as live streaming sales), etc.Regarding channel digitization, typical legal risks include: First, e-commerce platforms, as network operators, platform operators, and data processors, face risks of conducting business or processing data without obtaining relevant licenses and qualifications. Accordingly, e-commerce platforms, as providers of paid Internet information services, must legally obtain qualifications such as ICP licenses, EDI operation licenses, and even IDC licenses. If they are involved in food/drug operations, publication operations, payment services, etc., they must also legally obtain corresponding third-party platform filing for online food transactions, Internet drug information service qualifications, drug operation licenses, broadcasting and television program production operation licenses, publication operation licenses, payment business licenses, single-purpose prepaid card business filings, etc. Otherwise, they may violate relevant laws and regulations due to the lack of corresponding qualifications.Second, there are compliance risks in the entire lifecycle of data processing on e-commerce platforms. E-commerce platforms involve different roles, including platform operators, internal operators, third-party logistics, third-party payment, and third-party advertising service providers. In various stages such as user registration, login, browsing products, favoriting, adding to cart, ordering, payment, delivery, and after-sales service, personal information processing is involved, covering the entire lifecycle of data from collection, transmission, storage, computation analysis, processing use, external provision, deletion, and even cross-border transmission. At each stage, data collectors, senders, and receivers may process data as processors or entrusted processors, posing risks of violating laws and regulations regarding data processing.Third, during the data processing process, whether through third-party e-commerce platforms or self-built e-commerce platforms (such as proprietary apps, mini-programs, web pages, etc.), there is a risk of violating legal regulations regarding consumer device permissions and personal information. For instance, there may be violations such as illegally collecting personal information, coercively, frequently, or excessively requesting permissions, illegally using personal information, deceiving, misleading, or forcing users, and difficulties in account cancellation.Q3How to Understand Marketing Digitization? What Are the Typical Legal Risks?Marketing digitization is a strategy that utilizes digital technologies and online platforms to promote the sales of products or services. It involves using various digital channels such as social media, search engine optimization (SEO), content marketing, data analysis, and algorithmic recommendations to connect with target audiences and drive sales. Marketing digitization plays a crucial role as it enables companies to interact more directly with target audiences, accurately target and meet customer needs, thus increasing sales and building brand loyalty. A typical scenario of marketing digitization is precision marketing, which refers to the process of calculating and analyzing user characteristics and behavior to form specific labels and user profiles, allowing marketing content to accurately reach users, thereby spreading brand influence and attracting users to make purchasing decisions.Regarding marketing digitization, typical legal risks include: First, in algorithm recommendation scenarios, algorithms push information to users based on user labels and preferences, which can lead to users receiving information limited to their viewpoints, interests, and cognitions, potentially resulting in the negative effects of information cocoons, ultimately leading to serious ethical risks.Second, in algorithm recommendation scenarios, pushing information to users based on their characteristics can lead to algorithmic discrimination against individuals, including well-known issues such as big data killing familiarity. For example, merely judging a person’s professional capabilities based on algorithmic calculations may result in algorithmic discrimination in employment, affecting workers’ rights to fair employment due to biases in algorithm design.Third, in algorithm recommendation scenarios, personal information used for algorithm recommendations may be collected and used without user consent, constituting an infringement of personal information or privacy. For instance, collecting a user’s consumption transaction records without their consent and using it to recommend products of interest constitutes an infringement of personal rights.Q4How to Understand Human Resource Digitization? What Are the Typical Legal Risks?Human resource digitization refers to applying digital technologies to various aspects of human resource management to improve efficiency, optimize employee experience, enhance decision quality, and promote the achievement of organizational strategic goals. This includes digital transformation across all stages from recruitment to onboarding, from in-work management to job adjustments, and from departure to the destruction of records and employee data.Regarding human resource digitization, typical legal risks include: First, in the recruitment phase, conducting background checks may infringe on the personal information rights of workers. Specifically, companies may request personal information from a worker’s previous employer without the worker’s consent or may request information that exceeds what is necessary for signing an employment contract, both of which pose risks of infringing on workers’ legitimate rights.Second, in labor monitoring scenarios, companies conducting digital monitoring (including facial recognition clocking, fingerprint clocking, installing monitoring software on office computers, etc.) may collect and process sensitive personal information such as workers’ biometric information, internet browsing records, and location tracking beyond what is legal, legitimate, and necessary, thereby infringing on workers’ legitimate rights.Third, in multinational companies transmitting workers’ personal information across borders, companies may fail to conduct personal information protection impact assessments, compliance audits, or fulfill the duty of sufficient notification, or the data security protection measures between the sender and receiver do not meet the legal requirements of the applicable jurisdiction, thereby infringing on workers’ personal information rights and violating mandatory obligations under relevant laws and regulations.Q5What Are the Ways Companies Use AIGC? What Are the Typical Risks?Currently, companies primarily use AIGC in two ways: one is the RAG model, and the other is the fine-tuning model. RAG (Retriever-Augmented Generation) is a natural language processing technique that combines information retrieval and text generation capabilities. In this technology, a retriever is used to extract information relevant to the current task from a large amount of text data, which is then used to guide the text generation model to produce more accurate and rich responses. Fine-tuning is a machine learning technique that involves using a pre-trained model as a starting point to improve its performance or adapt it to new tasks.This application model is an important technical means in the application of large models. In practical applications, the choice between RAG and fine-tuning mainly depends on specific needs. If the output needs to be generated based on a customized knowledge base while maintaining the vocabulary and writing style of the large language model, RAG is a better choice. Conversely, if it is necessary to change the model’s behavior or adapt it to specific tasks or scenarios, fine-tuning is more appropriate. In some cases, a mixed approach of RAG and fine-tuning may also be considered to fully leverage the advantages of both.Regarding the use of AIGC by companies, typical legal risks include: First, using AIGC with illegal data sources. When companies use AIGC, whether in fine-tuning mode or RAG mode, massive training data is usually required. This data may be collected by the company itself, purchased from third parties, or harvested through automation tools. Self-collection refers to companies directly collecting data from data subjects through websites, apps, mini-programs, SDKs, etc.; purchasing from third parties refers to directly procuring data from data suppliers; and harvesting through automation tools refers to using web crawlers and other technologies to scrape existing data online. The first two methods of data acquisition have relatively certain sources, but obtaining data through automation tools can easily infringe on the civil rights of other entities due to the vast amount of data and wide range of sources, potentially leading to copyright infringement and unfair competition risks.Second, AIGC content may infringe copyrights. When companies use AIGC, during the output phase of AIGC, the generated content may be restructured and integrated with the labor value of the algorithm designer, potentially obtaining copyright protection due to its originality. However, it may also fail to gain copyright protection if the generated work lacks originality. Conversely, AIGC-generated content may constitute copyright infringement if it is substantially similar to existing works.Third, AIGC content may involve illegal and harmful information. When companies use AIGC, the technology can also be used to generate illegal content and fraudulent content. A typical scenario is that others can use AIGC technology to synthesize specific individuals’ voices or facial data with others’ biological data, thereby disguising that person as a specific individual and committing fraud under the guise of that specific individual’s identity.Fourth, there are legal risks of disclosing trade secrets and personal privacy during the use of AIGC by company personnel. During the use of AIGC, whether in RAG mode, fine-tuning mode, or even directly using the large model mode, there may be instances where data is provided to the large model, which may contain sensitive information related to the company’s technical information and operational information, such as trade secrets and personal privacy data. Providing such data externally may lead to the leakage of the company’s trade secrets and the personal privacy data of relevant personnel. According to media reports, employees of a well-known company have previously used a large model for semiconductor testing, inputting existing code into the large model for generating chip yield optimization plans, and using the large model for meeting minutes, ultimately resulting in the leakage of confidential data related to semiconductor testing, chip yield codes, and meeting guest information.Q6How Do Companies Accumulate Data Assets? What Are the Typical Legal Risks?After a decade of preparation for digital transformation in the “Internet Plus” era, many companies have completed digital changes and accumulated a large amount of data. However, this data is often stored in a scattered and independent manner across different servers or databases, and much of the storage is chaotic with unclear management responsibilities. Data that has not been audited and organized is difficult to realize its economic utility. This necessitates companies to establish dedicated data governance bodies to organize, mine, clean, statistically analyze, and process these data, designing different data products based on application scenarios and needs. Such data products, like other products, have the characteristic of being tradable. These data products can be applied to different scenarios and uses. For instance, identical data fields and content in the supply chain can be used for data sharing among supply chain enterprises to enhance overall collaboration efficiency or for evaluating the credit of partners in terms of production capacity and delivery capability. This is the process of transforming data resources into data products, which is also the process of data productization. Upon completing data productization, data can be listed as an asset in the company’s asset list through evaluation and pricing, and managed properly according to lifecycle management strategies including asset identification and inventory, asset confirmation, asset application, asset change, and asset disposal, establishing a corresponding data asset directory, forming a complete asset management organization and responsibilities, and clarifying the ownership status, changes in ownership, and asset sustainability. This process is the process of data assetization. After completing data assetization, companies can capitalize on data assets through pledge financing, data trading, data usage licenses, equity financing, and other means, promoting the safe circulation of data elements, realizing the economic utility of data elements, and advancing the development of new productive forces. The complete process from data resourceization, data productization, data assetization to data capitalization, as well as the full lifecycle management of data assets, constitutes the strategy for companies to accumulate data assets.Regarding the accumulation of data assets by companies, typical legal risks include: First, there may be risks of illegality in the process of forming data assets. This mainly includes illegal data sources, illegal data processing and use, and non-compliance with relevant laws and regulations regarding data transmission and storage security in the entire process of forming data assets, as well as the relevant entities lacking the necessary qualifications.Second, the process of accumulating data assets involves multiple parties, including data security management, data governance, data confirmation, data compliance, data quality assessment, data asset valuation, etc., and will also involve data processing entities for mining, labeling, cleaning, etc. In the accumulation of raw data, formation of data products, and generation of derived data, issues of unclear ownership agreements are likely to arise, making data ownership disputes relatively easy to occur.Third, the formation of data assets will also involve the circulation of data among various entities, which may lead to non-compliance with relevant laws and regulations regarding the fulfillment of obligations related to subjects, qualifications, authorizations, consent, personal information protection impact assessments, data security risk assessments, data quality assurance, and data security protection during the circulation process.Q7What Typical Risks Exist When Companies Fail to Safeguard Data Security During Digital Transformation?Poor data security protection by companies can lead to risks of administrative penalties, civil infringement, and even criminal offenses. Specifically:First, administrative penalty risks. If a company fails to protect data security and engages in illegal data processing, it may face risks of administrative penalties for failing to fulfill network security protection obligations as stipulated by the Cybersecurity Law, failing to fulfill network product and service security obligations, infringing on personal information, and other administrative penalties under the Personal Information Protection Law and the Data Security Law, as well as risks of administrative penalties for violating the Anti-Unfair Competition Law by infringing on trade secrets and obstructing or damaging the normal operation of network products or services legally provided by others.Second, civil infringement risks. Poor data processing by companies can lead to significant civil infringement liability risks. The Civil Code’s “Personality Rights” chapter stipulates that citizens’ personal information is legally protected, outlining the obligations of personal information processors, principles for processing personal information, and legal liabilities for leaking personal information. The Cybersecurity Law and the Personal Information Protection Law provide detailed regulations on fulfilling network security protection obligations and personal information protection, while the Data Security Law offers comprehensive regulations on data security, including personal information. Violating these laws and causing losses to others may expose companies to civil infringement liability risks.Third, criminal offense risks. If illegal data processing occurs during the digital transformation process, companies and responsible individuals may face criminal offense risks. These risks can be divided into two categories: one involves direct violations of data rights, while the other involves infringing upon the security of computer information systems and network security during the data acquisition process. For instance, direct violations of data rights may involve criminal offenses such as illegally obtaining data from computer information systems and infringing on citizens’ personal information. If the security of computer information systems and networks is violated during data acquisition, it may involve criminal offenses such as illegally intruding into computer information systems, illegally controlling computer information systems, providing programs/tools for illegal intrusion/control of computer information systems, illegally using information networks, assisting in information network criminal activities, failing to fulfill network security management obligations, and damaging computer information systems.Q8What Are the Implications of Companies Fulfilling Data Compliance Obligations for Their Digital Transformation? For companies, fulfilling data compliance obligations has at least the benefits of avoiding administrative penalties and not assuming infringement liability when proving reasonable obligations. This can reduce the costs of illegal activities during the digital transformation process. Specifically:First, avoiding administrative penalties. By fulfilling data compliance obligations during digital transformation, if companies face administrative penalties for violating relevant laws and regulations, they may be subject to leniency, reduction, or even exemption from penalties under certain conditions. Specifically, according to the Administrative Penalty Law, “If the party has one of the following circumstances, the administrative penalty should be reduced or exempted: (1) Actively eliminating or reducing the harmful consequences of the illegal act; (2) Being coerced or deceived by others into committing illegal acts; (3) Actively confessing to illegal acts that have not been grasped by the administrative authority; (4) Cooperating with the administrative authority in investigating illegal acts and demonstrating meritorious behavior; (5) Other circumstances that should be reduced or exempted by law, regulations, or rules.” Furthermore, the law states that “If the illegal act is minor and promptly corrected without causing harm, no administrative penalty shall be imposed. For first-time violations with minor harm that are promptly corrected, no penalty may be imposed.” In November 2023, the Ministry of Industry and Information Technology issued the “Draft for Comment on Administrative Penalty Discretion Guidelines in the Field of Industrial and Information Technology Data Security (Trial)”, which states that if there are circumstances where the illegal act is minor and promptly corrected without causing harm, no administrative penalty shall be imposed.Second, proving reasonable obligations to avoid infringement liability. The Cybersecurity Law, the Personal Information Protection Law, the Data Security Law, and other laws and regulations stipulate the legal obligations that companies must fulfill, covering network security level protection, personal information protection impact assessments, personal information protection compliance audits, data classification and grading, data security risk assessments, data encryption storage and transmission, access control, emergency plans and drills, data security education and training, and legal compliance with the retention of network/data security incident logs. In the event of civil disputes arising from infringements, courts will generally presume that companies have fault, requiring them to prove their lack of fault to be exempt from liability. If companies establish a data compliance risk management system, fulfill relevant safety and compliance obligations, and maintain detailed records of the compliance management process, they can prove that they have fulfilled reasonable obligations in civil disputes, thus exempting them from corresponding civil legal liabilities.Q9How Should Companies Fulfill Their Data Security Compliance Management Obligations to Ensure Smooth Digital Transformation? We recommend that companies fulfill their data security compliance management obligations in the following ways: First, clarify compliance obligations. Companies should clarify compliance obligations related to personal information protection and data security, forming a corresponding compliance obligations checklist.Second, improve the compliance management system. Companies should establish a sound data security compliance management system, building corresponding responsibility organizational structures, system documents, workflows, and communication mechanisms.Third, adhere to privacy by design. Adhere to the concept of privacy by design, integrating personal information protection into the product development process from the outset.Fourth, establish a full lifecycle security and compliance management mechanism and processes. Establish a security compliance management mechanism and management processes covering the entire lifecycle of data processing, from generation, collection, transmission, storage, use, processing, provision, deletion, and destruction, paying special attention to high-risk areas such as data collection, processing and use, external provision, cross-border circulation, personalized recommendations, and algorithmic decision-making, strictly adhering to legal, legitimate, necessary, and good faith principles, fulfilling legal obligations to inform and obtain consent from data subjects, and implementing legal requirements for personal information protection impact assessments, personal information protection audits, data export security assessments, and data security protection.Fifth, continuously monitor and fulfill data security compliance obligations. With the improvement of legislation and the continuous evolution of data utilization models, corresponding legal norms are also being issued. This requires companies to continuously monitor changes in data processing purposes, methods, scope, and scale, as well as dynamic changes in legislation and regulation, and to promptly follow up on the fulfillment of data security compliance obligations.Q10How Can Companies Ensure Data Security During Digital Transformation? We recommend that companies ensure the security of the data they process through the following methods: First, establish a security management system for the entire lifecycle of data processing, including establishing corresponding network data security management systems and organizational structures, designating security positions and data security officers, setting data classification and grading protection mechanisms, fulfilling management obligations such as hiring security personnel, confidentiality, exit audits, and security training, and establishing comprehensive management mechanisms and systems for managing network data security partners, along with security threat prevention, monitoring, early warning, and emergency response plans.Second, implement effective security technical measures to ensure the security of data throughout its lifecycle, from collection, transmission, storage, use, processing, entrusted processing, external provision, deletion, and destruction. For instance, during data transmission, employ encryption methods, encrypted content, encryption algorithms, transmission channels, and transmission media that comply with legal requirements; during data storage, ensure encrypted storage, classified and graded storage, timely disaster recovery backups, and database intrusion prevention measures; during data use and processing, ensure access permission management, access log recording, database auditing, and API interface anomaly detection.Third, companies should conduct relevant security certifications and assessments, introducing third-party security technical service providers and legal service providers to test, assess, and audit the effectiveness of their security management capabilities and technical measures. For instance, in China, companies should complete relevant obligations regarding network security level protection according to the Cybersecurity Law, the Data Security Law, and other national standards such as GA/T1389-2017 and GB/T22239-2019. For situations involving data transmission abroad, companies are advised to conduct comprehensive assessments, monitoring, and audits of the data security capabilities of overseas recipients, and if possible, suggest that overseas recipients complete ISO27001 certification or other relevant security certifications.[1] Reference article “Digitalization Changes Marketing: Digitalization Completely Changes Channel Power”, Author: Liu Chunxiong, Article link: https://new.qq.com/rain/a/20210327A02S1H00, Access time: 2024-08-12 12:30.
Author Information

Yi HuaiJiong Partner

Business Areas: Corporate Compliance, Data Compliance, Criminal Defense

Liu Daliang Lawyer

Business Areas: Data Compliance, Equity, Intellectual Property

Hong Ruicheng Lawyer

Business Areas: Data Compliance, Corporate Compliance, Dispute Resolution

Zhao Liangyu Lawyer

Business Areas: Data Compliance, Corporate Business
Recent Article Recommendations
ARTICLE
Digital Economy Season | Six Questions and Answers (Nine) Key Points of Data Compliance in the Health Care Field
2024-08-20
Digital Economy Season | Ten Questions and Answers (Eight) Data Element Circulation Compliance in the Field of Artificial Intelligence
2024-08-16
Digital Economy Season | Ten Questions and Answers (Seven) Data Entry
2024-08-15
Digital Economy Season | Ten Questions and Answers (Six) Game Compliance
2024-07-26
Digital Economy Season | Ten Questions and Answers (Five) Data Assets from a Corporate Perspective
2024-07-23
Digital Economy Season | Ten Questions and Answers (Four) Interim Measures for the Management of Generative Artificial Intelligence Services
2024-06-18
Digital Economy Season | Ten Questions and Answers (Three) Automotive Data Compliance
2024-06-03
Digital Economy Season | Ten Questions and Answers (Two) Regulations on Promoting and Standardizing Data Cross-Border Flow
2024-05-24
Digital Economy Season | Ten Questions and Answers (One) Personal Information Protection
2024-04-11



