I asked three questions. Are the source materials your own interviews? How much did you rewrite the AI output? Did you disclose AI assistance when you published?

He couldn’t answer any of them. That conversation is the reason I’m writing this.

I’m a China-licensed cross-border lawyer based in Guangzhou. I’ve practiced for seven years, with most of the last two years’ work touching AI in some form — copyright disputes, compliance consulting, cross-border platform takedowns, contract review for AI-augmented service providers. I also use AI daily in my own practice. So I’m writing this from both sides of the table: the lawyer who defends creators, and the creator who relies on these tools to ship faster.

This piece was prompted by Jasmine Sun’s recent Substack on the independent writer’s advantage in the AI age. Her core argument: stop racing machines on output. Ask instead which skills are being commoditized and which are getting scarcer. I agree with her completely, and I want to extend her argument into the legal layer — because the moat she describes is also the legal moat, and most creators don’t see it yet.

The AI Defense Doesn’t Exist

The single most expensive misconception I see among content creators is this: “If I disclose I used AI, or if the AI generated it, I’m not liable.”

Wrong in every jurisdiction I practice in.

You are the publisher. Under Chinese law, EU law, and US law, the entity that distributes content owns the legal exposure. AI is not a legal person. AI cannot be sued, cannot be served process, cannot be held liable. The plaintiff comes after you.

China’s Interim Measures for the Administration of Generative AI Services (effective August 15, 2023) places obligations on both providers and users. Article 12 requires conspicuous labeling of generated images, videos, and other content. The Cyberspace Administration’s Measures for Labeling AI-Generated Synthetic Content (effective September 1, 2025) further specifies explicit and implicit labeling requirements.

The EU AI Act (Regulation 2024/1689, effective August 1, 2024) imposes transparency obligations on deep synthesis content that become mandatory from August 2026. The US is fragmented — the Copyright Office’s March 2023 guidance states that purely AI-generated works are not copyrightable, but the publisher liability framework under DMCA and state defamation law applies to whoever distributes.

If you operate across all three jurisdictions — TikTok plus 小红书 plus YouTube, say — you face stacked compliance. Compliant in China doesn’t mean compliant in the EU.

The “AI wrote it” defense is a legal fiction. Treat it as one.

What Actually Gets Creators Sued

In my casework over the past eighteen months, AI-related disputes cluster into three categories. None of them is about whether AI output has copyright.

Training data infringement. A Chinese court in Guangzhou (2024 粤 0192 民初 113号) ruled in early 2024 against an AI platform that had used Ultraman images without authorization to train its model. The platform paid damages and was ordered to cease. As a creator, you may not know what data trained the model you use. But if your output is identified as closely mimicking a specific IP, you can be drawn in.

Output infringement. This is the most common one. The “AI laundering” case I handled last year: a Chinese content creator ran an English Substack piece through ChatGPT, published the rewrite, and got hit with a DMCA notice routed through to the Chinese platform. The client wanted to argue “the AI wrote it.” I told him the same thing I told you: legally, you’re the publisher, you eat the risk. We settled — apology plus modest payment. Cheaper than litigating.

Failure to disclose. The most overlooked. Both Chinese and EU rules now impose labeling obligations. Most creators I talk to don’t label. The cost of disclosure is near-zero. The cost of getting caught not disclosing — especially in a regulated content category like financial advice, legal commentary, or medical information — is significant.

The Three Things AI Cannot Do

Jasmine Sun’s framing is right, and it maps directly onto what I see in legal practice: AI commoditizes the middle, and elevates the edges.

What AI commoditizes: generic explainers, summary writing, polite emails, structured essays following common templates. The first ten Google results for any informational query are about to become indistinguishable.

What AI cannot do, and what therefore becomes scarcer and more valuable:

First-hand information. Cases I’ve actually worked. Conversations I’ve actually had with clients. Courts I’ve actually appeared in. Coffees I’ve actually had with Latin American counsel. This raw material — the unrecorded, unindexed lived experience of doing the work — is not in any training corpus and cannot be synthesized.

Judgment with a point of view. AI produces hedged, risk-averse, middle-of-the-distribution answers. Real professional opinion has a stance. “The Mexican anti-corruption statute translates accurately, but in practice the prosecutor’s evidentiary logic runs differently — here’s how the case I worked last year actually played out.” That’s the answer clients pay for. AI cannot generate it because it cannot have had the experience.

Human trust. Clients ultimately hire people they trust. AI can be helpful, articulate, even charming. It cannot build a real trust relationship over time. The lawyer who has been at the same email address for ten years, who returns calls, who remembers your last matter — that lawyer wins against the AI that has none of those properties.

The implication for creators is straightforward. Lean hard into the parts of your work that draw on first-hand experience, sharpen your stance, and build durable identity. Outsource the commoditized middle to AI if you want, but don’t compete with AI on the commoditized middle. You’ll lose.

Three Compliance Habits Every AI-Assisted Creator Should Build

If you’re using AI to assist your content workflow — and you should be — three habits keep you out of trouble.

Document the process. Save your prompts. Note the model and version. Timestamp the generation. Record what you edited. I keep a simple Notion table for this. If a dispute arises, this is your evidentiary foundation. Without it, you’re arguing your innocence with no record of what happened.

Disclose for commercial use. Paid work, sponsored content, professional advice — label AI assistance visibly. Both Chinese and EU rules now require it. Even where not strictly required, disclosure is a near-zero-cost trust signal. Audiences increasingly respect it.

Verify every legal citation manually. AI hallucinates statutes and case numbers routinely. Last month a major model handed me a Supreme People’s Court judicial interpretation as if it were current law. It had been repealed in 2021. Had I published it in a client memo, my professional reputation would have taken a hit. For every specific citation — statute number, case number, quote, regulatory reference — verify at the official source. Westlaw, 威科先行, 北大法宝, court websites. No exceptions.

What This Means for You

If you’re an independent writer or creator: AI is not a threat to your moat if you understand where the moat actually is. It’s in your first-hand experience, your stance, and the trust you’ve built. Use AI to handle the commodity layer faster, then invest the time saved into deepening the parts AI can’t touch.

If you’re running a content business across borders: stop assuming compliance in one jurisdiction equals compliance elsewhere. Map your distribution footprint to the disclosure regimes. Build the documentation habits before you need them.

If you’re a lawyer or professional advisor watching AI eat your industry: the same logic applies. The commodity layer of legal work — basic research, first-draft contracts, summary memos — is being commoditized. The high-margin work — judgment, strategy, courtroom presence, relationship — is becoming scarcer and more valuable.

I help cross-border content businesses and creators structure AI compliance frameworks, draft platform-specific disclosure policies, and handle copyright disputes that touch AI-assisted work. If that’s a fit for what you need, book a consultation at wzklaw.com?src=ss.

The independent creator’s advantage is real. Use it.

———
Mike Wu, China-licensed Attorney · Cross-border practice
4 languages (CN/EN/ES/JA)
Site: wzklaw.com/contact.php?source=substack&src=ss · Book consultation: wzklaw.com/contact.php?source=substack&src=ss

The same week, two regulators on opposite sides of the Pacific issued new rules. They look unrelated. They’re not.

I’m Mike Wu, a China-licensed cross-border attorney based in Guangzhou. I spend most of my week structuring outbound deals for Chinese manufacturers going to Latin America, Southeast Asia, and increasingly North America’s nearshoring corridor. What I’m about to describe has rearranged my desk over the past 30 days.

The Coincidence That Isn’t

In late May 2026, China’s State Council released its updated Outbound Investment rules. Within days, the US Bureau of Industry and Security (BIS) updated its chip licensing guidance.

Read individually, each is a routine regulatory update. Read together, they reveal that Beijing and Washington — for entirely different reasons — have converged on the same enforcement technique: piercing through corporate structures to identify the real actor on the other side.

China wants to know: where is your money actually going, and what sensitive industry will it serve?

The US wants to know: is this entity, regardless of where it’s registered, ultimately controlled by Chinese interests, and could the technology reach a controlled end-use?

For decades, Chinese outbound structures relied on intermediary jurisdictions — Hong Kong, Singapore, BVI, Cayman, increasingly UAE — to provide a layer of separation between the home company and the offshore operation. That separation worked because each regulator stayed in its own lane.

That lane is gone. The intermediary layer is now the most scrutinized layer.

A Case That Crystallized It For Me

In March 2026, an industrial equipment manufacturer engaged me after signing a letter of intent for an assembly plant in Baja California, Mexico. The plan was textbook nearshoring: produce in Mexico under USMCA, supply US clients, use the Mexican entity for tariff and tax efficiency.

The original structure: Shenzhen parent → Hong Kong holding → Mexican operating entity. Chips sourced from China. Assembled products exported to the US.

Under 2024 rules, clean. Under the rules in effect when they came to me, three landmines:

Landmine one — Capital outflow disclosure. The new outbound rules require disclosure of ultimate use of funds and sensitive-industry classification. “General investment” no longer works as a description. We had to file accurately: equipment assembly serving US end customers. That triggered a higher-tier review.

Landmine two — BIS coverage. The updated BIS guidance treats overseas subsidiaries of Chinese-controlled entities as “covered entities” for chip licensing purposes. Even though the Mexican factory was a Mexican legal entity with Mexican employees and Mexican operations, piercing through ownership made it Chinese-controlled. Their planned chip supplier became unusable for any product destined for US end-use.

Landmine three — Re-export as circumvention. Assembled products containing controlled chips, re-exported to the US, can be deemed a circumvention pattern. The penalty for being deemed a circumventor isn’t a fine — it’s entity list designation, which kills the entire group’s US market access.

The solution required two structural changes. We introduced a Mexican strategic investor with US ties to dilute Chinese control below 50%, removing the entity from “Chinese-controlled” treatment. We swapped the chip supplier to a BIS-whitelisted alternative. The project lost four months and added compliance cost equivalent to roughly 3% of total project investment.

What it gained: it didn’t get investigated from both sides simultaneously.

Why Intermediary Jurisdictions Stopped Working

I want to dwell on this because most outbound playbooks still assume the old logic.

The traditional intermediary structure works on a simple premise: the regulator at each end can only see what’s directly in front of it. China sees Shenzhen sending money to Hong Kong. The US sees a Mexican company doing business with US customers. Neither sees the full chain.

That premise just died. Both regulators now require, by rule, that ultimate beneficial ownership be disclosed and considered. Both have developed enforcement tools — financial intelligence sharing, supply chain mapping, AI-assisted entity resolution — that make piercing through five-layer structures routine rather than exceptional.

Worse: complex structures now create their own risk. The more layers a transaction passes through, the higher the probability of being characterized as “designed to obscure” or “circumvention by design.” That characterization carries punitive treatment in both jurisdictions.

My current advice to clients: simplify ruthlessly. If the deal is genuinely Chinese-controlled, structure it as Chinese-controlled and accept the regulatory burden. If you genuinely want non-Chinese control for operational reasons, make it real — give up actual decision rights, not just paper ones. The half-measure of “diluted on paper, controlled in practice” is the worst of all worlds in 2026.

What This Means For You

If you’re a Chinese company with outbound operations, or considering them, here’s what I’d do this quarter:

First, audit your existing structures. Any deal closed before 2025 that relies on intermediary jurisdictions for substantive separation needs a fresh look. Grandfathering is narrow.

Second, move compliance upstream. About 60% of the inquiries I get arrive after an MOU is signed and key structural decisions are locked. Reverse that order. Counsel goes in before site selection and equity design, not after.

Third, recognize that “cross-border” is no longer one skill. It’s two — fluency in Chinese national-security framing AND fluency in US end-use and circumvention framing. They use different vocabulary, different presumptions, and different evidentiary standards. Counsel who can only speak one of these languages can only get you halfway.

Fourth, if your business touches semiconductors, AI, biotech, new energy, or critical minerals, double your compliance budget for 2026. This isn’t conservatism. It’s the realistic cost of operating across the new fault line.

If you’re navigating any of this and want a working session, I take a limited number of cross-border structuring consultations per month. Reach me at wzklaw.com?src=ss.

———
Mike Wu, China-licensed Attorney · Cross-border practice
4 languages (CN/EN/ES/JA)
Site: wzklaw.com/contact.php?source=substack&src=ss · Book consultation: wzklaw.com/contact.php?source=substack&src=ss

For 20 years, China governed outbound investment through ministry-level rules. That era ended on June 1, 2026.

I’m Mike Wu, a cross-border lawyer based in Guangdong. On June 1, Xinhua officially released the full text of the **Regulations of the State Council on Outbound Investment** (State Council Order No. 837), together with a joint Q&A from the Ministry of Justice (MOJ), the National Development and Reform Commission (NDRC), and the Ministry of Commerce (MOFCOM). The regulation enters into force on **July 1, 2026**.

I read the 34 articles and the Q&A three times before writing this. Below is my working analysis for international clients, overseas Chinese, and fellow cross-border practitioners.

## The Four Dates You Cannot Confuse

Lawyers reading Chinese regulations often mix up the dates of passage, signing, publication, and effectiveness. For Order No. 837:

- **April 17, 2026** — passed at the 83rd State Council Executive Meeting

- **May 5, 2026** — signed by Premier Li Qiang as State Council Order No. 837

- **June 1, 2026** — full text + Q&A published by Xinhua

- **July 1, 2026** — effective date

When citing the regulation in due diligence memoranda or compliance opinions, the proper form is: *Regulations of the State Council on Outbound Investment (State Council Order No. 837, effective July 1, 2026).*

## Why Now?

The Q&A opens with one telling sentence: the model of governing outbound investment through “departmental rules and normative documents” no longer fits reality.

That’s bureaucratic language for a real structural shift. Over the past three years, three pressure points have built up in cross-border practice:

1. Individual Chinese residents using offshore SPVs, trusts, and real estate structures occupied a legal grey zone — neither clearly inside nor outside ODI compliance.

2. The line between “outbound investment” and “export of controlled technology, data, or services” became increasingly blurred as Chinese tech companies internationalized.

3. When Chinese investors faced discriminatory measures abroad, there was no direct domestic legal basis for countermeasures.

The new regulation addresses all three.

The drafting process itself signals seriousness: the MOJ ran **three rounds** of consultation with **more than 100 central and local entities**, plus expert panels and field research. This regulation will shape ODI compliance for years.

## Signal One: Individuals Are Now “Investors”

The Q&A is explicit: *”Investors include enterprises, organizations, and resident individuals.”*

This single sentence reshapes the planning landscape for high-net-worth Chinese residents. Cross-border structures that have lived in compliance grey zones — offshore SPVs, family trusts, foreign real estate held for investment purposes — now sit squarely inside the ODI regulatory perimeter.

For my international clients, this matters in two ways. First, Chinese partners structuring joint ventures abroad may face additional individual-level filing requirements. Second, M&A targets controlled by Chinese individuals through offshore vehicles need to be diligence with this regulation in mind, particularly for projects closing after July 1.

## Signal Two: A Hard Link to Export Controls

The regulation prohibits using outbound investment to:

- Export or use goods, technology, services, or data that China prohibits from export

- Use, without license, items subject to export licensing

- Transfer the above indirectly via cross-border personnel dispatch or technical guidance

That last clause is the one tech companies need to read twice. The historic workaround — “we’re not exporting the technology, we’re just sending engineers abroad to provide guidance” — is now explicitly closed.

Going forward, ODI projects involving technology transfer, cross-border SaaS, or sensitive data flows will likely need to clear **two parallel approvals**: the ODI filing/approval, and the export control license. Compliance teams should build this dual-track review into deal timelines.

## Signal Three: Penalties Scale With Investment Size

Article 27 is the teeth of this regulation. The penalty structure:

| Violation | Investor Fine | Personal Fine |

|---|---|---|

| Prohibited investment, refusal to comply | Confiscation + **5‰–10‰** of investment amount | **RMB 50,000–100,000** |

| Failure to file for approval/recordation | **1‰–5‰** of investment amount | **RMB 20,000–50,000** |

| Refusal to cure | Escalates to **5‰–10‰** | — |

Plus: **1–3 year ban on new outbound investment**; applications not accepted for up to 3 years.

The key word is *percentage*. ODI projects routinely involve hundreds of millions to billions of RMB. A 10‰ fine on a USD 200M project is USD 2M. This level of exposure forces GCs and CCOs to take the regulation seriously in a way fixed-amount fines never did.

## Signal Four: Sanctions Toolkit Formally Linked

The regulation addresses foreign discriminatory measures: China may conduct investigations, adjust country-specific investment policies, and exercise countermeasures under the **Anti-Foreign Sanctions Law**, including restrictions on foreign entities and individuals investing in or entering China.

For international clients, this means the political risk dimension of cross-border investment is now formally codified on the Chinese side. Cross-default scenarios — where measures by one government trigger countermeasures by another — have a clearer legal architecture.

## What This Means for You

If you have ODI projects in flight, offshore structures held by Chinese individuals, or technology/data flows between China and abroad, the next 30 days matter. My suggested checklist:

1. **Audit existing projects** against the new framework before July 1.

2. **Run an export control overlay** on any technology, data, or service flows.

3. **Restructure individual offshore holdings** where Chinese-resident individuals are ultimate beneficiaries.

4. **Anticipate security review** for sensitive sector or sensitive region projects.

5. **Front-load dispute resolution clauses** — the regulation explicitly endorses arbitration, mediation, and litigation. Pick your seat and rules deliberately (HKIAC, SIAC, ICC).

Cross-border legal work isn’t translation. It’s path-finding between two systems. State Council Order No. 837 just redrew the Chinese-side map. Make sure your structures still fit.

For specific questions on your outbound investment structure, joint venture, or cross-border tech transfer, you can reach me directly at mike@wzklaw.com or book a consultation at wzklaw.com/contact.php?source=substack&src=ss. I practice in Chinese, English, Spanish, and Japanese.

———

Mike Wu, Attorney-at-Law · Guangdong Jinglang Law Firm · License 144012510953782

Cross-border practice · 4 languages (CN/EN/ES/JA)

Site: wzklaw.com/contact.php?source=substack&src=ss · Book consultation: wzklaw.com/contact.php?source=substack&src=ss

Bar verification: credit.acla.org.cn

Asia’s first comprehensive AI law is live. Here’s what changes — and what I’m advising my clients to do in the next 90 days.

I’m Mike Wu, a cross-border attorney based in Guangdong, China. I advise Chinese enterprises expanding into Asia, Europe, and Latin America on AI compliance, data protection, and cross-border contracts. I work in Chinese, English, Spanish, and Japanese.

Yesterday, Korea’s AI Basic Act officially entered into force — Asia’s first comprehensive AI regulation. In the last three months alone, I’ve fielded preliminary inquiries from five Chinese e-commerce and AI companies with Korean exposure. The conversations all started the same way: “We thought we had time.”

They don’t.

This newsletter is my honest read on what just changed, the most common compliance blind spots I’m seeing, and a 90-day roadmap for Chinese enterprises that already have — or plan to build — Korean operations.

## What Korea’s AI Basic Act Actually Does

The Act follows the structural template of the EU AI Act but with three uniquely Asian wrinkles.

**First**, the high-impact AI category — covering hiring, healthcare, credit scoring, energy, and public services — comes with mandatory pre-deployment obligations. If you’re a Chinese company offering AI recruitment software, AI credit scoring, or AI medical decision support to Korean users, you’re captured the moment the system goes live.

**Second**, generative AI content carries a hard labeling requirement. Every AI-generated image, every virtual influencer video, every AI chatbot interaction must carry an explicit “AI-generated” marker. This hits Chinese cross-border e-commerce particularly hard because virtual influencer livestreaming has become a dominant sales channel in Korea over the past 18 months.

**Third**, and most critically: the law applies extraterritorially. Your company can be incorporated in Shenzhen, your servers can be in Hangzhou, your team can be entirely in mainland China — if your AI services touch Korean users, Korean regulators have jurisdiction. The era of “we’re a Chinese company, we follow Chinese law” is over.

## The Real Risk Stack I’m Seeing

When clients come to me, I make them draw their data flow on paper before we talk law. Here’s what shows up most often.

A typical Chinese cross-border AI company has data flowing in four directions: Korean user data flowing back to China for model training, Chinese training data flowing to Korean cloud deployments, third-party API calls (often to US-based LLM providers), and inter-affiliate data sharing with the Korean subsidiary if one exists.

Every single one of these arrows now needs a legal basis under three regimes simultaneously: China’s PIPL plus Cross-Border Data Transfer Security Assessment, Korea’s PIPA, and the new Korean AI Act. The same byte of data crosses three regulatory gates.

The most common defense I hear from clients is: “But we’re just using OpenAI/Anthropic’s API — we don’t actually build AI models.” The Korean AI Act closes this door. Any entity that builds a public-facing service on top of a general-purpose AI model is classified as an AI service provider with full transparency, risk assessment, and user notification obligations. SaaS shielding doesn’t work anymore.

## A Case I Worked Last Quarter

A Guangzhou-based cross-border e-commerce company doing roughly USD 24 million in GMV through Korean AI virtual livestreamers came to me in Q4 2025. Their model: train AI models in China, deploy via cloud to Korea, run Korean-language virtual influencers on Coupang and Naver Shopping, and feed user behavior data back to Guangzhou for model iteration.

Their CEO opened with: “Should we set up a Korean entity?”

My answer: “You’re at least a year late — but we can still salvage this.”

Three problems jumped out immediately. Data flowing back from Korea to China was running through zero formal channels — non-compliant under China’s outbound transfer regime and clearly violating PIPA on cross-border personal information transfers. Their virtual influencers carried no AI-generated labeling, which is now a punishable violation under the new Korean AI Act. And the company had zero Korean legal presence, meaning no compliance contact point during any regulatory inquiry.

The fix took shape in three phases: immediate AI-content labeling deployment, Korean subsidiary plus local representative within 60 days, and a fundamental data architecture rebuild — training data localized in Korea, with only model weights (not raw user data) flowing back to China.

## What This Means for You

If you’re a Chinese company with any Korean exposure — direct sales, AI deployment, data processing, or even just Korean users hitting your service — you need to act in 2026, not 2027.

My 90-day playbook for clients:

**Weeks 1-2**: Map every Korea-touching business line and draw the data flow on paper. You cannot fix what you cannot see.

**Month 1**: Korean-language privacy policy, user agreement, and AI disclosure. AI-generated content labeling system deployed across all consumer-facing surfaces.

**Month 2-3**: Bilateral cross-border data review — China outbound assessment plus Korean PIPA evaluation. Establish or confirm a Korean local representative.

**Beyond Day 90**: For high-impact AI systems, prepare an Algorithmic Impact Assessment ahead of launch. Korea requires this *before* deployment, not after — unlike the EU’s audit-based regime.

## My Forecast

Korea is the first domino. Japan’s AI Promotion Basic Act draft will likely move through the Diet by mid-2027. India’s Digital India Act is in late-stage consultation. Singapore’s Model AI Governance Framework will harden into binding rules within 24 months.

The “one global compliance framework” approach that Chinese companies relied on through 2024 is dead. Asian AI regulatory fragmentation is the new baseline, and the cost of cross-border AI compliance will become a material P&L line for any Chinese company with serious international ambitions.

For Chinese clients planning Asian expansion in 2026-2027, I’m currently advising on Korea-Japan-Southeast Asia AI compliance playbooks in four languages. If your company has Korean exposure and you’d like to think through your compliance posture, you can book a consultation directly at wzklaw.com?src=ss.

The 2026 window is closing fast. Build the architecture now, while it’s still cheap.

———

Mike Wu, Attorney-at-Law · Guangdong Jinglang Law Firm · License 144012510953782

Cross-border practice · 4 languages (CN/EN/ES/JA)

Site: wzklaw.com/contact.php?source=substack&src=ss · Book consultation: wzklaw.com/contact.php?source=substack&src=ss

Bar verification: credit.acla.org.cn

Most companies do not need a CAC Security Assessment. The real trap is the middle tier — and that’s exactly where in-house teams keep falling.

I am a cross-border lawyer based in Guangzhou. Roughly eight out of ten data compliance inquiries I receive begin with the same anxious question: “Do we need to file a Security Assessment with the Cyberspace Administration of China?”

The honest answer, for the majority, is no. But many of those same companies *do* fall under the Standard Contract Filing or PI Protection Certification track — and that obligation is routinely overlooked, sometimes for years, until a counterparty’s legal team or a regulator’s spot check forces a panicked retrofit.

This newsletter walks you through the framework as it stands today under China’s *Regulations on Promoting and Standardizing Cross-Border Data Flows* (effective March 22, 2024), the *Personal Information Protection Law* (PIPL) Article 38, and the *Measures for Security Assessment of Outbound Data Transfer* (effective September 2022). I’ll also flag three blind spots I see in nearly every audit I run.

## The Three-Tier Framework

Think of cross-border data transfer obligations in China as three concentric circles. The smallest, innermost circle is the most regulated; the outermost is exempt.

**Tier 1 — Mandatory CAC Security Assessment.** This is triggered if any one of the following applies:

- A Critical Information Infrastructure Operator (CIIO) transfers personal information or important data abroad;

- Any data handler transfers **important data** abroad;

- A non-CIIO transfers **personal information of one million or more individuals** (non-sensitive) cumulatively, counted from January 1 of the current year;

- A data handler transfers **sensitive personal information of ten thousand or more individuals** cumulatively, counted from January 1 of the current year.

A key piece of regulatory relief in the 2024 update: if your data has not been formally designated as “important data” by an authority or publicly announced as such, you are *not* required to file as such. That said, I advise clients to maintain internal classification records anyway — if an industry catalog is later released, or if you receive a notification, you need to pivot quickly.

**Tier 2 — Standard Contract Filing or PI Protection Certification.** For non-CIIOs, the thresholds are:

- Non-sensitive personal information of **one hundred thousand to under one million** individuals; or

- Sensitive personal information of **fewer than ten thousand** individuals.

The legal basis sits in PIPL Article 38, which provides three lawful pathways for transferring personal information abroad: Security Assessment, PI Protection Certification, and the CAC Standard Contract. Tier 2 covers the latter two.

**Tier 3 — Exempt.** Transfers falling into the following categories do not require any of the above formal procedures:

- Non-CIIO transfers of non-sensitive PI involving **fewer than one hundred thousand** individuals;

- Transfers necessary to perform a contract with the individual (cross-border purchase, remittance, ticketing, hotel booking, visa application);

- Cross-border HR management conducted under lawful internal rules or collective agreements;

- International trade, cross-border logistics, academic cooperation, and global manufacturing/marketing activities where no personal information or important data is involved;

- Emergency transfers to protect a natural person’s life, health, or property.

## What the 45 Working Days Really Mean

The statutory review timeline for a Security Assessment is 45 working days, extendable. Clients ask me, almost reflexively, “So we can have approval in 45 days?”

In practice, the bottleneck is rarely the formal review window. It’s the intake completeness check, the supplemental submission rounds, and the informal pre-filing alignment with provincial cyberspace authorities. I generally counsel clients to decouple their compliance timeline from product launch timelines — building a generous buffer is cheaper than the alternative.

## Three Blind Spots I See in Almost Every Audit

**Blind spot 1: confusing the 100k threshold with the Security Assessment trigger.**

The 100,000-individual threshold for non-sensitive PI sits inside Tier 2 (Standard Contract Filing). The Security Assessment trigger for non-sensitive PI is **one million**. Treating 100k as the assessment trigger over-reports your obligations and burns legal budget on the wrong pathway.

**Blind spot 2: mixing sensitive and non-sensitive PI in a single headcount.**

PIPL defines sensitive PI specifically: biometrics, religious beliefs, specific identity, medical health, financial accounts, location tracking, and information of minors under 14. The thresholds are counted *separately*:

- Non-sensitive: 100k / 1M

- Sensitive: 10k

A company with 8,000 sensitive records and 50,000 non-sensitive records lands in Tier 3 (exempt on both counts). A company with 12,000 sensitive records lands in Tier 2 regardless of non-sensitive volume. The two lines never merge.

**Blind spot 3: starting the cumulative count from the wrong date.**

The regulation says “cumulatively since January 1 of the current year.” Not since company incorporation. Not since contract execution. Not a rolling 12-month window. **Every January 1, the counter resets.**

For cross-border e-commerce and SaaS companies, this matters enormously. A single peak season — Black Friday, Singles’ Day, year-end sales — can push the cumulative volume past a tier boundary. Smart legal teams run a quarterly reconciliation in April, July, and October, with a final check before December 31.

## What This Means for You

If you run cross-border operations touching China — whether as a multinational with a Chinese subsidiary, an outbound Chinese company sharing data with overseas affiliates, or a foreign SaaS vendor serving Chinese enterprise customers — three actions belong on your roadmap this quarter:

1. **Run a baseline classification.** Inventory your data flows by sensitivity, headcount, and destination jurisdiction.

2. **Map your tier honestly.** Don’t over-file. Don’t under-file. Document the rationale.

3. **Maintain an internal “important data” identification log**, even if you currently fall outside the formal trigger.

If you’d like a tailored review for your specific data flows, I work with cross-border counsel and in-house teams in English, Chinese, Spanish, and Japanese. Reach out at wzklaw.com/contact.php?source=substack&src=ss — happy to compare notes on your specific scenario.

———

Mike Wu, Attorney-at-Law · Guangdong Jinglang Law Firm · License 144012510953782

Cross-border practice · 4 languages (CN/EN/ES/JA)

Site: wzklaw.com/contact.php?source=substack&src=ss · Book consultation: wzklaw.com/contact.php?source=substack&src=ss

Bar verification: credit.acla.org.cn

It’s not about security. Here’s the real reason.

I’m a cross-border lawyer based in Guangzhou. I spent 15 years in computer science before entering the legal profession, and the last 8 years in international practice across Latin America, Japan, and the English-speaking world. I work in four languages.

When clients first contact me, one question comes up a lot — especially from fellow lawyers: “Mike, why are you running your own email domain? Isn’t Gmail safer? Isn’t it easier?”

Today I want to answer that honestly, because most of the answers I see online are, frankly, dishonest.

## The Uncomfortable Admission Most Lawyers Won’t Make

Let me start with something most “self-hosted email evangelists” refuse to say out loud:

**A self-hosted email is NOT more secure than Gmail.**

Google’s security team has thousands of engineers. They have decades of adversarial experience, global anti-phishing infrastructure, and threat intelligence I will never match as a solo lawyer running my own mail server. Even with 2FA, DKIM, SPF, DMARC properly configured — and I do configure them, my CS background helps — I’m at best close to Gmail’s baseline. I’m not “beating” Google on raw attack resistance.

So if you ever see a lawyer-blogger telling you “self-hosted email is safer, hire me to set it up” — please close that tab. That pitch isn’t honest.

Then why bother? Because the real question is not “will it be hacked?” The real question is: **where does the data physically live, which jurisdiction governs it, and who ultimately controls access to it?**

That question has three answers, and all three matter for a cross-border lawyer.

## Reason One: The Lawyer’s Duty of Confidentiality

China’s Lawyers Law imposes a statutory duty of confidentiality on lawyers regarding client information acquired in practice.

This duty doesn’t say “use a specific email provider.” It says: protect client information. Period.

Now think about what happens when a client sends me sensitive material — banking records, share structures, family dispute details — over Gmail. The moment that email is transmitted, a copy lives on Google’s servers, physically located offshore. If Google ever accesses, scans, retains, or hands over that data — whether for compliance, internal audit, lawful request, or any other reason — I have **zero control** over the process. I won’t even know.

Strictly speaking, this isn’t a “violation” of that duty. Chinese law doesn’t dictate email providers. But it does sit at the edge of the duty. When I physically hand client data to a third party I cannot constrain — especially one outside Chinese jurisdiction — my ability to fulfill my confidentiality duty is structurally weakened.

A custom domain doesn’t make data invisible. It puts the question of “where does this live, who can access it” back into the lawyer’s hands. That’s the first reason.

## Reason Two: PIPL Cross-Border Data Transfer (The Decisive One)

This is the reason that actually made me commit.

China’s Personal Information Protection Law (PIPL), Articles 38–43, governs the cross-border transfer of personal information. Lawful pathways include: a government security assessment, certification by a designated body, signing the standard contractual clauses, or — critically — obtaining **separate, specific consent** from the individual.

So here’s the operative question: **when a Chinese lawyer uses Gmail to handle Chinese clients’ personal data, is that a cross-border transfer?**

My professional judgment: **yes.**

Gmail’s servers are physically offshore — primarily in the United States and other non-China nodes. When a Chinese lawyer sends or receives client personal data (names, ID numbers, addresses, contracts, dispute facts) through Gmail, the data crosses the border at the moment of storage. Legally, this is no different from exporting a database from a domestic server to an offshore one.

To do this compliantly under PIPL, the lawyer would need to:

1. Inform the client of the overseas recipient’s identity, contact, purpose, and methods

2. Obtain the client’s **separate consent** (not a checkbox in a privacy policy — separate, specific consent)

3. Depending on volume and classification, potentially undergo a Cyberspace Administration of China security assessment

Realistically — does any solo practitioner run that workflow for every client? **Almost no one.**

What about Tencent’s QQ Mail or NetEase 163? Data stays domestic, so PIPL’s cross-border issue is sidestepped. But a different problem appears: the lawyer still cannot constrain Tencent’s or NetEase’s access. Highly sensitive client data sits in a provider’s domestic data center, and the law firm’s emails are not on any “confidentiality exemption list” when the provider runs internal audits or responds to regulatory inquiries.

The real value of a custom domain on compliant in-country infrastructure is that I can choose:

- **Data residency** — I host on a compliant in-country provider; PIPL cross-border issue does not arise

- **Access rules** — beyond me and authorized ops, no third party scans or retains email content

- **Auditability** — I can show clients a complete, explainable data-handling chain

This isn’t “more secure.” It’s **more compliant.** Those are different words and they matter.

## Reason Three: The Lowest-Cost Step in Building Cross-Border Trust

The third reason is the most practical.

My clients write in English, Spanish, and Japanese. When an overseas client first contacts me, seeing `someone1987@gmail.com` versus `mike@wzklaw.com` produces meaningfully different professional impressions. The latter:

- Matches the firm’s domain (wzklaw.com/contact.php?source=substack&src=ss)

- Can be cross-verified against the Chinese bar registry (credit.acla.org.cn, license 144012510953782)

- Reliably reaches enterprise inboxes (Outlook, Gmail) with proper SPF/DKIM/DMARC, avoiding spam folders

I’ve had Mexican, Chilean, and Japanese clients tell me — explicitly — that their first due-diligence step was matching my email domain against the firm’s website. For cross-border work, this is table stakes.

## What This Means For You

If you’re a lawyer — especially a cross-border lawyer — here are three concrete steps:

1. **Get a custom domain.** A few hundred RMB or USD a year. No technical barrier.

2. **Enforce SSL/TLS and 2FA.** Never use POP 110 or IMAP 143 in plaintext. 2FA is a floor, not a choice.

3. **Know where your provider physically stores the data.** Many “business email” services use a custom domain but store data in Google Workspace or Microsoft 365 offshore servers. **Domain ownership and data residency are two different things.** PIPL looks at the second.

And if you’re a client — overseas, in China, or doing cross-border work — it’s a fair question to ask any lawyer you hire: “Where does my data live? Can you explain the path?” A lawyer who can answer that clearly is a lawyer who’s thought about it.

## One Last Honest Line

There is no absolutely secure system. Not Gmail. Not Tencent. Not self-hosted. Anyone telling you otherwise is selling something.

I made this choice not because I’m “better.” I made it because, as a cross-border lawyer, I want my data-handling path to be fully explainable to every client, and defensible under PIPL, the Lawyers Law, and a foreign client’s scrutiny.

That’s the whole reason.

If this resonates, I write here every week or two — on cross-border legal practice, PIPL, Latin American compliance, AI and the law, and what an actual practicing China lawyer thinks about all of it. No courses, no funnels, just honest field notes.

If you have a cross-border matter, you can reach me through wzklaw.com/contact.php?source=substack&src=ss or book a consultation at wzklaw.com/contact.php?source=substack&src=ss.

———

Mike Wu, Attorney-at-Law · Guangdong Jinglang Law Firm · License 144012510953782

Cross-border practice · 4 languages (CN/EN/ES/JA)

Site: wzklaw.com/contact.php?source=substack&src=ss · Book consultation: wzklaw.com/contact.php?source=substack&src=ss

Bar verification: credit.acla.org.cn

A Teochew-language film opened at 9.0 on Douban this month. Here’s why a cross-border lawyer cried in the theater — and what it means for any Chinese family with assets abroad.

I’m Mike Wu. I practice cross-border law out of Guangdong, China, in four languages (Chinese, English, Spanish, Japanese). I’m also Teochew (Chaoshan) by origin — a small region in southern China with an outsized diaspora across Southeast Asia, and lately, across Latin America.

This week I watched *Letters to Grandma* (《给阿嬷的情书》), the third Teochew-language film by director Lan Hongchun, released nationally on May 3, 2026. The film opened at 9.0 on Douban. Ninety-five percent of the dialogue is in Teochew. It was shot on location in Shantou’s old quarter and at the Thai-style temple in Chaozhou.

The plot, in one sentence: a grandmother in Shantou has lived her whole life believing her husband — who fled south during the civil war to escape conscription — would one day return. Her grandson secretly travels to Thailand to look for him. He discovers the grandfather died in 1960. The stranger registered as the gravetender is a woman the family has never heard of.

The director has said over 90% of the plot comes from real overseas Chinese stories he gathered while filming the documentary *Flavors of the Four Seas*.

It is, on the surface, a film about memory, separation, and the silent griefs of a generation that left home and never returned.

It is also, for someone in my profession, the most concise lecture on cross-border legal risk I have ever sat through.

## I. The Qiaopi System Was Brilliant — and Insufficient

Between 1864 and 1911, roughly 2.94 million Teochew people emigrated to Southeast Asia. Their lifeline to home was the **qiaopi** (侨批) — a “letter-and-remittance-in-one” delivered by a private network of water-couriers, remittance houses, and door-to-door messengers. There was no SWIFT, no central bank clearing, no foreign exchange license. The whole system ran on Teochew clan reputation. In 2013, UNESCO inscribed the qiaopi archives on the Memory of the World Register.

I have enormous respect for what qiaopi accomplished. As a piece of pre-modern financial infrastructure built by an ethnic minority across multiple jurisdictions, it was extraordinary.

But it could not solve three things:

1. When a family member died abroad, the family back home often didn’t know.

2. The family rarely knew what assets, business interests, or new relationships existed overseas.

3. Even when they eventually found out, no one knew which country’s law applied, who to call, or how many years it would take.

The grandmother in the film lives her entire life never learning her husband died in 1960. This is not dramatic license. This is what was statistically normal for diaspora families of that era.

## II. The Modern Form of the Same Problem

Fast-forward to today. The Chinese — and particularly the Teochew — diaspora is no longer just in Southeast Asia. It is in Mexico, Brazil, Peru, Spain, Japan, the United States. The capital flows are larger. The legal complexity is greater. The family structures are more cross-jurisdictional than ever.

And yet, three patterns keep landing on my desk:

### Pattern One: Scattered overseas assets, no inventory

A founder dies. The family knows there’s “something” in Malaysia, “some shares” in Mexico, “an account” in Bangkok, and “maybe some crypto.” No spreadsheet. No list. No designated successor.

In my experience, **cross-border probate starts at one year per jurisdiction**. Three-country estates routinely take three years. Add a contested overseas marriage or an unacknowledged child, and five to eight years is realistic. Legal fees compound the pain.

### Pattern Two: Handshake deals still run the diaspora economy

Teochew business networks operate on extraordinary levels of in-group trust. A few sentences in Teochew dialect and both sides know whether the other is “one of us.” This trust has built fortunes.

But the same trust, applied to cross-border deals without paperwork, has destroyed them.

I have seen cases where a Chinese investor put up the entire capital for a Southeast Asian factory, registered the shares in a “trusted villager’s” name, and ten years later discovered:

- No nominee shareholding agreement was ever signed

- No capital contribution records exist in writing

- The nominee got married locally, and under local law the spouse now claims community property in the company

What started as a simple favor between fellow villagers becomes a multi-year cross-border family-and-commercial litigation across two or three jurisdictions.

### Pattern Three: Zero planning for residency, marriage, and succession

The typical mature-stage configuration of a Chinese entrepreneur who has been overseas for fifteen years: physically resident in Kuala Lumpur or Bangkok, a local family, assets in four or five countries, unclear tax residency, no will, no trust, no insurance-based succession structure.

When something happens, **every jurisdiction takes its own cut according to its own rules**. China applies its conflict-of-laws rules. Malaysia may apply both civil and religious inheritance law if a Muslim spouse is involved. Thailand applies its own civil and commercial code. Add U.S. green card status or a European residency, and estate tax exposure stacks up fast.

## III. What I Tell My Clients

When a Chinese entrepreneur — Teochew or otherwise — sits across from me planning an outbound investment, I push the same checklist:

**Before going out:**

- Holding structure and tax residency designed with both lawyer and accountant before the first dollar moves

- Cross-border capital flow compliance (to avoid later characterization as illicit outflow)

**While operating overseas:**

- All material contracts bilingual; governing law, jurisdiction, and arbitration seat explicit

- Key transactions documented in writing, email, and bank records

- Every share transfer, capital increase, and dividend formalized through corporate resolutions

**Family layer:**

- Pre-marital property agreements for cross-border marriages (and ideally signed *before* the wedding — many jurisdictions don’t enforce post-marital agreements the same way)

- Trusts or life insurance structures for risk isolation on significant assets

**Succession layer:**

- Overseas asset inventory updated annually

- Separate wills drafted under each asset jurisdiction’s law (a single will often fails in multi-jurisdictional probate)

- Access arrangements for keys, wallets, and accounts pre-positioned with trusted parties (this matters especially for crypto)

## IV. What This Means for You

If you are a Chinese entrepreneur with assets, businesses, or family members across borders — or a Latin American, Japanese, or Western counterpart working with Chinese partners — the lesson from a small Teochew-language film with a 9.0 Douban rating is this:

A century ago, our families relied on a single qiaopi letter to hold two homes together across an ocean. The system was beautiful, and it broke families.

Today, that role belongs to a properly drafted bilingual shareholders’ agreement, a clean corporate structure, and a multi-jurisdictional estate plan. None of these are exotic. All of them are within reach of a one- to two-day engagement with the right lawyer.

**Sentiment belongs to people. Wealth and succession belong to institutions.**

The most expensive cross-border legal problems I have ever handled are problems that could have been prevented in their entirety with two or three documents drafted before the founder’s first overseas trip.

If you are sitting on a structure that “we’ll formalize later,” or if you have overseas assets without an inventory — please don’t wait. The cost of structuring before is rounding error. The cost of litigating after is generational.

I take direct consultations in Chinese, English, Spanish, and Japanese. You can book through wzklaw.com/booking.php?src=ss or reach me at mike@wzklaw.com.

———

Mike Wu, Attorney-at-Law · Guangdong Jinglang Law Firm · License 144012510953782

Cross-border practice · 4 languages (CN/EN/ES/JA)

Site: wzklaw.com Book consultation: wzklaw.com/booking.php

Bar verification: credit.acla.org.cn