In recent years, with the rapid development of artificial intelligence technology, AIGC (Artificial Intelligence Generated Content) has become an important innovative force in the field of science and technology. However, with the widespread application of AIGC technology, the legal risks of cross-border data transmission have become increasingly prominent. This article will explore the legal risks that AIGC technology companies may face in cross-border data transmission and put forward the key points for improving compliance.
1. Legal risks of cross-border data transmission of AIGC
At its core, AIGC technology generates diverse content such as text, images, audio and video using models trained on large amounts of data. This data often contains users' personal privacy and sensitive information. During cross-border data transmission, inadequate data protection measures can very easily lead to privacy leakage and, in turn, legal risk. For example, when domestic users use overseas AIGC platforms, their data is transmitted to overseas servers, where differences in data protection laws between countries and regions can create compliance risks. Countries are therefore imposing increasingly stringent regulatory requirements on cross-border data flows. For example, the latest "Artificial Intelligence Act" promulgated by the European Union has made clear requirements for the use of AIGC data.
2. Typical Case
In July 2024, the Personal Information Protection Commission (PIPC) of South Korea imposed a heavy fine on Alibaba's companies for violating the cross-border data transmission regulations.
Violation: While AliExpress, a cross-border e-commerce platform under Alibaba, was operating in South Korea, the seller transferred consumers' personal information to the shipper in China without obtaining the users' explicit consent and without specifying the relevant security measures in the contract. In addition, Alibaba made it harder for users to exercise their personal information rights through complex membership withdrawal procedures and account deletion pages displayed in English.
Penalty measures: PIPC fined Alibaba 1.978 billion won and 7.8 million won in late payment fees, and required it to make rectifications and make improvement suggestions.
Although this case mainly occurred in South Korea, Alibaba is a multinational company with extensive business in Southeast Asia, so its compliance issues in cross-border data transmission are also worthy of attention from companies and regulators in Southeast Asia.
3. Prevention and improvement of AIGC cross-border data transmission
In response to these legal risks, how should AIGC technology companies improve their compliance systems?
Ensure the legality of data collection: During the model training phase, the AIGC platform should use data from legitimate sources and avoid obtaining data through illegal means such as web crawlers. Data providers must have a legal basis for providing the data and must sign a data processing agreement with the AIGC platform that clarifies the rights, obligations and responsibilities of all parties.
Strengthen data protection measures: The AIGC platform should establish a user personal information protection system that ensures the user's right to know and right to choose, and that clarifies the path for handling user complaints. The platform should avoid using the user's personal information for model optimization without the user's consent. At the same time, a data classification and grading management mechanism should be established, and a privacy policy and user service agreement should be formulated. In particular, when personal information is collected from children, an age verification mechanism should be added.
Establish a data security incident emergency response mechanism: The AIGC platform should formulate a data security emergency plan to prevent security incidents such as data leakage, equipment failure, and network attacks. At the same time, the platform should strengthen the management of employee usage rules so that employees avoid entering sensitive data.
Comply with relevant laws and regulations: The AIGC platform should comply with domestic and foreign laws and regulations on cross-border data transmission, such as the Personal Information Protection Law, the Cybersecurity Law, and international data protection agreements. When cooperating with technical support parties or data providers, data ownership, processing methods and responsibility allocation should be clarified.
In summary, AIGC technology companies face many legal risks in cross-border data transmission. In order to protect user privacy and data security and promote the legal and compliant development of AIGC technology, technology companies should strengthen the construction of compliance systems, ensure the legality of data collection, strengthen data protection measures, establish emergency response mechanisms for data security incidents, and strictly abide by relevant laws and regulations.