Dear Professor Gu, Professor Hao, and各位 experts and colleagues:

Standing here today, it’s clear that we’re not just discussing technological innovation—this is, in fact, a profound transformation that touches the very essence of criminal defense. Digital and AI technologies are far more than mere tool upgrades; they act as powerful solvents, rapidly eroding the once-relatively distinct barriers between traditional legal domains. As a result, civil, administrative, and criminal legal relationships are becoming intertwined, increasingly overlapping—and even merging—in ways never seen before. Meanwhile, the introduction of the "Law on Promoting the Private Economy" reflects the complex, multifaceted risks and challenges faced by both users and businesses in today’s evolving landscape, calling for systematic, comprehensive, and integrated solutions.

The challenges we face aren’t just the sheer volume of case files and big data—or the increasing digitization and sophistication of criminal methods, which compel us to adopt a big-data-driven approach to defense. We also confront the intricate complexities of legal relationships, which manifest in three key areas: the multifaceted nature of the underlying facts in each case, the intertwined and nested layers of legal responsibility, and the groundbreaking transformation in the forms evidence takes.

First is the complexity of the case's underlying facts.

A case involving the suspected crime of illegally obtaining data from computer information systems may originate from an employee violating the confidentiality clauses in their employment contract (a civil breach of contract), compounded by the company’s failure to implement the classification and tiered protection measures mandated by the Data Security Law (an administrative offense), ultimately triggering criminal risks.

Second, there is an intricate interplay and overlapping of legal responsibilities.

A seemingly simple act of "data scraping"—such as illegally extracting backend data in violation of platform rules, storing it, and then selling it to third parties—constitutes a civil infringement. This behavior not only violates Article 2 of the Anti-Unfair Competition Law, exposing perpetrators to hefty compensation claims and costly legal defense expenses (e.g., undermining Weibo’s control over its data, thereby increasing the risk of the platform being replaced)—but also breaches mandatory provisions under the Data Security Law, the Personal Information Protection Law, and the Anti-Unfair Competition Law, leading to severe administrative penalties like substantial fines or even license revocation. In cases where the offense is particularly serious or pursued with illicit intent, it could escalate into criminal charges such as the crime of infringing on citizens’ personal information, the crime of illegally obtaining data from computer information systems, the crime of disrupting production and business operations, or the crime of infringing on trade secrets.

For instance, a company providing AI face-swapping technology recently faced a civil infringement lawsuit filed by users alleging violations of portrait rights and privacy rights. In response, the Cyberspace Administration imposed a hefty fine under the "Provisional Measures for the Administration of Generative AI Services"—a form of administrative penalty. If the circumstances are deemed particularly serious, the actions could even amount to criminal offenses. Take, for example, a case from Xiaoshan District in Hangzhou, Zhejiang Province: the defendant, Yu Molong, allegedly collected facial data from over 100 individuals and used this information to create and sell explicit face-swapped videos in social media groups. As a result, the local procuratorate not only brought criminal charges against him for profiting from the production and distribution of obscene materials but also initiated a public interest civil lawsuit. The court ordered Yu to immediately cease all infringing activities, delete all personal information related to the case stored in a particular social media group, and pay compensation of 60,000 yuan, along with issuing a public apology.

Third, a disruptive transformation in the form of evidence.

When it comes to expert opinions or investigative conclusions based on big data analysis, lacking a deep understanding of relevant technical standards—such as recommended national standards and industry guidelines—and the legality of data sources (which must be assessed in conjunction with administrative regulatory requirements) can lead to superficial challenges that fail to undermine the core evidentiary strength of such evidence. For instance, when evaluating the admissibility of an intelligent contract record in a criminal case, it’s not enough to simply examine the contract’s validity from a civil perspective; one must also grasp its underlying technical principles, verify whether its creation and storage comply with administrative compliance requirements like the "Electronic Signature Law" and the "Regulations on Blockchain Information Service Management (2019)." Only after these steps should the evidence undergo a thorough review for legality and authenticity within the context of criminal proceedings.

This means that relying solely on the Criminal Code and the Criminal Procedure Law to tackle the intricate web woven by technology proves insufficient, leaving us scrambling to keep up—and even risking falling into cognitive blind spots like "failing to see the forest for the trees," strategic weaknesses such as treating symptoms rather than addressing root causes, and evidentiary challenges that feel like scratching an itch through your boot. Ultimately, this approach undermines the solidity of our defense strategies and may cause us to miss opportunities for addressing the issue at its very core.

Therefore, criminal defense in the digital and intelligent era requires even more To build an integrated civil-criminal thinking approach, here are four recommendations:

First, Consider the case within the legal ecosystem where civil and criminal laws intersect. For instance, consider a case involving the scraping of publicly available data: First, from a civil perspective, examine the legality of the data source and its authorization status—specifically, whether violating the Robots Protocol constitutes an infringement. Next, assess whether the scraping activity itself, as well as its subsequent use, complies with administrative regulations such as the Data Security Law, the Cyber Data Security Management Regulations, and the Personal Information Protection Law. Only then should we determine whether the actions meet the legal criteria for offenses like illegally obtaining data from computer information systems or infringing upon citizens' personal information. This comprehensive, panoramic approach is essential for mounting a precise defense.

Second, effectively leverage proactive civil liability to defuse or dilute criminal responsibility. The biggest misconception in defending against data-related criminal charges lies in isolating the elements of the criminal offense while ignoring underlying civil ownership disputes and the absence of necessary administrative permits—preliminary issues that often lie at the heart of the case. When these fundamental legal relationships are flawed, the very basis of the criminal allegations can be significantly weakened or even completely undermined. For instance, we can argue that an act’s legality in a civil context may effectively negate its criminal illegality. Or consider a scenario where a senior corporate executive is implicated in a criminal case: If it can be demonstrated that the critical decision triggering criminal liability was rooted in the company’s failure to comply with mandatory administrative regulations—or, more specifically, in the lack of an effective compliance system—the defense might successfully separate individual accountability from organizational responsibility. By highlighting the multifaceted nature of the risk factors involved, this approach could create opportunities for the individual to avoid prosecution altogether or secure a lighter sentence.

For instance, the suspect allegedly collected over 10,000 pieces of citizens' personal information—gathered through exchanges at work—and sent them via a "customer service list" to an internal WeChat group shared among company employees, who then used this data to expand their business operations. However, upon further investigation, it was revealed that Zhang and his company had obtained participants' information as the event organizer and had clearly disclosed the purpose of data collection on their official public account. Moreover, participants voluntarily provided their information, which constitutes informed consent under civil law. The information-gathering process did not violate the "lawful, legitimate, and necessary" principles stipulated in Article 1035 of the Civil Code. Therefore, if the data is obtained from the fulfillment of contracts (such as user registration agreements) or through informed consent, and is used for legitimate business activities, Article 111, Article 1034, and Article 1035 of the Civil Code must be cited to demonstrate how the lawful handling of personal information can serve as a defense against criminal liability.

For instance, in a financial data-crawling scenario, if the target of the crawl is customer data from a licensed financial institution that hasn’t yet achieved Level 3 certification under the Network Security Protection Scheme, Article 27 of the Data Security Law stipulates that organizations handling important data must implement the "Security Protection System." In such cases, the legitimacy of their data control rights may come into question. However, one can invoke Article 21 of the Data Security Law, which addresses data classification and grading, to argue that administrative compliance deficiencies have weakened the organization’s data protection measures—potentially mitigating criminal charges and creating room for a more lenient sentencing during defense proceedings.

Third, leverage civil and administrative law standards along with similar civil and administrative cases to build a more robust defense system, ultimately enhancing the effectiveness of your legal strategy.

For instance, in cases involving the infringement of trade secrets, it’s essential not only to apply relevant criminal judicial interpretations but also to study the "Provisions on Several Issues Concerning the Application of Law in Civil Cases Involving Infringement of Commercial Secrets." Key principles derived from civil court rulings—such as those addressing the determination of non-public knowledge and the assessment of identity—can provide valuable insights that are equally applicable and enlightening when representing clients in criminal cases.

For instance, when authenticating the authenticity of electronic evidence, it is essential not only to refer to and apply relevant criminal regulations such as the "Provisions of the Supreme People's Court, Supreme People's Procuratorate, and Ministry of Public Security on Several Issues Concerning the Collection, Extraction, and Examination & Adjudication of Electronic Data in Criminal Cases," but also to draw upon Articles 93 and 94 of the "Several Provisions on Evidence in Civil Litigation (2020)," which provide detailed guidelines specifically tailored for assessing the credibility of electronic evidence, thereby aiding the authentication process.

Fourth, the role of defense lawyers needs to evolve from "putting out fires after they happen" to "providing early warnings." Leveraging integrated thinking to help corporate or individual clients establish comprehensive risk management solutions that cover the entire lifecycle—ranging from civil and commercial contract reviews (such as data licensing agreements) to building administrative compliance frameworks (including data security management systems and algorithmic ethics review mechanisms), as well as identifying and assessing criminal risks.

Facing the challenges of our time, criminal lawyers must step out of their comfort zones—so how can they truly embrace integrated thinking? Forging a "multi-faceted" knowledge system and an "Technology+" mindset, Break down professional barriers by forming integrated service teams tailored to each case, bringing together experts in civil and commercial law, administrative law, intellectual property, data compliance, and more—collaborating closely with technical specialists should become the new norm. For instance, in the high-profile case involving a corporate group suspected of organized crime—handled by Xinglai—our team assembled a comprehensive legal services group integrating criminal, civil, and compliance expertise during the investigation phase. After four years of intense legal maneuvering, we thoroughly assessed the group’s operational risks, provided tailored recommendations for improvement, and ultimately succeeded in removing the "black hat" label as well as addressing four enterprise-related criminal charges during the investigative stage, while safeguarding the company’s core assets.

In the age of digital technology and AI, criminal defense lawyers must embrace an integrated civil-criminal- administrative mindset—not to blur the boundaries of legal domains, but rather to transcend the barriers between specialized areas of law. This approach will enhance their ability to grasp the unity of the legal system, enabling them to break free from the constraints of traditional criminal legal services and advocate more effectively for their clients across a broader legal landscape. Only then can criminal defense truly thrive, unlocking new and even greater vitality in the face of unprecedented challenges posed by today’s evolving legal environment!

Thank you, everyone!