DCC
Data Compliance China
Search · ⌘K
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
Back
§ 017 · AI-GOVERNANCE

AI Agents and the Limits of Consent — When 'Authorisation' Stops Being One Click

Li Wenlong (科技利维坦) takes the Doubao phone assistant — an AI that 'reads your screen' and acts across apps — and asks whether the consent/authorisation mechanism that traditional data law leans on can survive the agent era. His four challenges: the app-bounded 'private' environment dissolves as data and permissions move across apps (with Nissenbaum's Contextual Integrity as the only real conceptual anchor, and far from operational); agents that *act* (not just retrieve) push informed consent past the point of failure already reached by personalised ads; purpose limitation collapses because an agent chooses its own path, means and decisions from a low-information instruction, edging into automated decision-making; and ultra vires agency shifts liability from user to platform, with China's 'hallucination case' and the Air Canada case as the only thin precedents. For overseas counsel building or advising on agentic AI in China: a map of why 'authorisation' is becoming a problem of agency, system control, liability allocation and autonomy — not a checkbox — and why transparency is now a prerequisite, not a feature.

DCC Editorial SOURCE · ZH .MD ↓

Editor’s Note — DCC.

This brief summarises 《当AI能”阅读”你的屏幕:用户授权能否化解跨端 智能体的隐私风险》by Li Wenlong (李汶龙) on the 科技利维坦 channel — the privacy/authorisation companion to his reverse-interoperability piece on the same Doubao phone assistant. Where that piece asked a competition-law question (should the law restrict an agent that over-interoperates), this one asks a personal-information question: can the consent/authorisation mechanism that PIPL and every other digital-privacy regime depend on survive an AI that reads your screen and acts across your apps? Li leaves the question deliberately open — he flags it as the place real theory-building is needed — so this brief maps his four challenges to the existing framework rather than a settled answer. DCC runs it because it states, more clearly than most, why “agentic AI” is not just a new feature on top of the old consent model but a stress test the old model may fail.

The setup

The Doubao assistant can “read the screen” and carry out tasks across applications on the user’s behalf. That capability, Li argues, breaks a series of assumptions baked into pre-agent data law. He identifies four.

1. The app boundary — the unit of “privacy” — dissolves

Existing data compliance is built inside a stable, clearly bounded app: the application is the unit within which a relatively settled “private” environment is maintained. Agents reshape that. Data, permissions and behaviour now move between apps, and there is — on Li’s reading — no mature cross-app privacy or liability system to govern the movement. Helen Nissenbaum’s Contextual Integrity offers a sense of direction and a conceptual basis, but turning it into workable institutional design is still far off, and requires rethinking the public/private dichotomy that most privacy law silently assumes.

Traditional personalised advertising and recommendation already pushed informed consent close to ineffective — users click through notices they do not read or understand. An agent that does not merely collect and present information but performs acts with legal effect is a different order of magnitude. The user neither knows in advance how the agent will act, nor can predict what cross-app calls and stacked capabilities will produce. Li’s blunt question: has the authorisation mechanism that traditional digital governance relied on already failed completely?

3. Purpose limitation collapses into automated decision-making

Traditional data law manages expectation through purpose limitation — specify the purpose, restrict re-use for a changed purpose — and the path there has been relatively uncontroversial. Agents break this in two ways. First, much of what an agent does is infer human intent from language, an information-poor carrier. Second, in executing a command the agent’s decision space is enormous — which path, which carrier, which service, which decision — and absent a clear upfront specification (which ordinary users cannot give), the agent is effectively performing automated decision-making. Purpose limitation becomes near- ineffective, because we cannot get the user to state each purpose and its scope in advance. Expectation-violating events become inevitable — and because neither the user nor the platform may know how a given decision was reached, transparency becomes a prerequisite compliance question, not a downstream nicety.

4. Ultra vires agency shifts liability to the platform

The hardest problem is the agent that exceeds its authority (越权代理). To contain it, platforms want authorisation that is far more precise than the coarse traditional privacy policy — and the incentive is structural. Previously, a content problem could be attributed to the user, with the platform merely mediating. Once an agent takes on decisions, liability shifts to the platform — something that did not exist before. Platforms will therefore try to draw the boundaries ever more sharply at the authorisation stage. But how to draw them well, and where liability actually lands when something goes wrong, is entirely exploratory: China’s so-called “hallucination case” is, in Li’s view, too unrepresentative to anchor anything, and the Air Canada chatbot case abroad is an isolated example.

The upshot

Stacked together, these shifts mean “authorisation” is no longer a one-click confirmation. It becomes a complex problem spanning the agency relationship, system control, liability allocation and individual autonomy — one that, Li suggests, needs inputs from legal agency theory, AI-ethics/alignment work, and the philosophy of autonomy. Whether the traditional starting point of consent can still be used at all is the open question he sets himself to answer.

Why overseas counsel should care

  • Consent records won’t carry the weight. If purpose limitation cannot be specified ex ante for an agent, the PIPL-style consent artefact you collect at install will not, by itself, authorise what the agent later does. Expect pressure toward narrower, task-scoped, re-confirmable authorisation.
  • Automated-decision-making rules are in play. Once an agent chooses its own execution path from a vague instruction, PIPL’s automated-decision-making provisions become live — including the transparency and explanation expectations that come with them.
  • Liability is migrating to the platform/deployer. The party running the agent inherits exposure that the old “user did it, we just mediated” posture deflected. Logging and explainability are the controls that make that exposure manageable.

This brief pairs with Li’s reverse-interoperability analysis of the same product, and connects to DCC’s coverage of China’s AI-agent governance framework and AI-agent risk taxonomy, as well as Li’s piece on system prompts as a regulatory instrument.

DCC sources

  • Original: 李汶龙 (Li Wenlong), 《当AI能”阅读”你的屏幕:用户授权能否 化解跨端智能体的隐私风险》, 科技利维坦 WeChat Official Account (source).
  • Conceptual anchor named by the author: Helen Nissenbaum, Privacy in Context (Contextual Integrity).
  • Precedents referenced: the Chinese “hallucination case” (treated as unrepresentative) and the Air Canada chatbot case (Canada).
  • Chinese framework in the background: the Personal Information Protection Law (consent, purpose limitation, automated decision-making) and the Generative AI Services Interim Measures.

This is an editorial summary, not a translation. The framing and the open questions are Li Wenlong’s; any simplification or error of emphasis is DCC’s. Not legal advice.

FILED UNDER

— Not legal advice.

§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.