AI Watch: Global regulatory tracker – China | White & Case LLP
The Interim AI Measures is China’s first specific, administrative regulation on the management of generative AI services.
Laws/Regulations directly regulating AI (the “AI Regulations”)
The Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Education, the Ministry of Science and Technology, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the National Radio and Television Administration jointly released the Interim Measures for the Management of Generative Artificial Intelligence Services (the “AI Measures”), which is the first administrative regulation on the management of Generative AI services, which came into effect on August 15, 2023.2
Status of the AI Regulations
The AI Measures came into effect on August 15, 2023.
Other laws affecting AI
There are various other laws and regulations in China that do not directly seek to regulate AI, but that may affect the development or use of AI:
- The Administrative Provisions on Deep Synthesis in Internet-based Information Services (the “Deep Synthesis Provisions”) which came into effect on January 10, 20233
- The Administrative Provisions on Recommendation Algorithms in Internet-based Information Services (the “Recommendation Algorithms Provisions”) which came into effect on March 1, 20224
- Data-related laws, such as the Cybersecurity Law, the Personal Information Protection Law (the PIPL), and the Data Security Law may affect several aspects of AI development and use in connection with data privacy and security
- Intellectual property laws, including the Copyright Law of China, that may affect several aspects of AI development and use
- Both the Civil Code of China and the Criminal Law of China may affect several aspects of AI development and use in connection with the protection of privacy rights, portrait rights and other related rights from being violated by the improper use of AI
- The Measures for Review of Scientific and Technological Ethics (for Trial Implementation), which came into effect on December 1, 2023, provide that enterprises engaged in AI and certain other technology activities should undergo scientific and technological ethics reviews5
- The relevant national standards and recommended guidelines set out relevant rules and guidance regarding the use of AI technology, such as the Practical Guidelines for Cybersecurity Standards – Method for Tagging Content in Generative Artificial Intelligence Services6
Definition of “AI”
The current Chinese laws and regulations do not provide a clear definition of “AI.” Under the AI Measures, “generative AI technology” refers to models and related technology that have the ability to generate text, images, audios, videos, or other content.7
Territorial scope
The AI Measures apply to companies when they provide Generative AI services to the public within China regardless of where they are incorporated.8 For the purpose of this document, “China” refers to the People’s Republic of China excluding the Hong Kong Special Administrative Region of the People’s Republic of China, the Macau Special Administrative Region of the People’s Republic of China and Taiwan. Specifically, the Cybersecurity Administration of China has the authority to take technical and other necessary measures against foreign companies if the provision of Generative AI services (originating from outside of China) to China violates relevant laws and regulations.9
Sectoral scope
In general, the AI Measures do not adopt a sector-specific approach, while the Deep Synthesis Provisions and Recommendation Algorithms Provisions focus on internet-based information service providers. In addition, some industry sectors, such as the financial, healthcare and automobile sectors, have their own sector-specific regulations relating to the use of AI technology.
- Financial sector:
- Guiding Opinions on Regulating the Asset Management Business of Financial Institutions10
- Evaluation Specification of Artificial Intelligence Algorithm in Financial Applications11
- Guidance on Information Disclosure for Financial Applications Based on Artificial Intelligence Algorithms12
- Healthcare sector: Guidance for the Classification and Definition of AI-Based Medical Software Products13
- Automobile sector: Opinions on Strengthening the Management of Manufacturing Enterprises and Product Access of Smart Internet-Connected-Vehicles14
Compliance roles
The key roles under the AI Measures are Generative AI service providers and users.
“Generative AI service provider” refers to any organization or individual that utilizes generative AI technology to provide generative AI services (including providing such services through the provision of a programmable interface or other means).15
“User of Generative AI services” refers to any organization or individual that uses Generative AI services to generate content.16 The AI Measures do not apply if an organization or institution engages in research, development, or application of generative AI technology but does not offer Generative AI services to the domestic public in China.17
Core issues that the AI Regulations seek to address
The AI Measures are formulated to “promote a healthy development and regulated application of generative artificial intelligence, safeguard national security and social public interests, and protect the lawful rights and interests of citizens, legal persons and other organizations.”18
Risk categorization
The AI Measures provide that the government will implement “categorical and hierarchal regulation of Generative AI services.”19 Further, the AI Measures provide that the relevant competent departments shall enhance scientific supervision methods compatible with innovative development for Generative AI technology. They shall also create classification and grading-based supervision rules, or guidelines based on the technology’s characteristics and its application in relevant industries and fields.20
However, the AI Measures do not provide for the risk categorizations of AI services, although some provisions suggest that some categories of AI services are subject to stricter scrutiny by the regulators. For example, Generative AI service providers with “public opinion attributes or the capacity for social mobilization” are required to carry out a security assessment and undergo a regulatory filing before launching such services, in addition to complying with generally applicable requirements like content moderation and tagging.21
Key compliance requirements
Under the AI Measures, the key compliance requirements for a Generative AI service provider include:
Lawful use: Processing data lawfully, respecting intellectual property rights and obtaining consent for personal information use22
- Clarify and disclose the applicable groups, occasions and uses of their services, guide users to scientifically and rationally understand and use Generative AI technology in accordance with the law and take effective measures to prevent children from overly relying on or being addicted to generative artificial intelligence services23
- Assume responsibility for online information content and personal information protection24
- Guide users in the lawful and responsible use of Generative AI technology, protect user information and handle user requests for (among other rights) accessing, copying, correcting, supplementing and deleting their personal information25
- Take measures to ensure secure and stable services, promptly address illegal content, and establish a complaints and reporting mechanism for user feedback26
- Cooperate with relevant authorities during supervisory inspections, providing necessary technical, data, and other support and assistance27
Data labeling rules: Establish clear labeling rules, ensure accurate labeling and provide training for labeling staff.28 In addition, the AI Measures specifically require that a Generative AI service provider comply with the following:
- “Upholding socialist core values” – including not generating any prohibited content, such as content that incites “subversion of the state power or the overthrow of the socialist system, endangers national security and interests, damages the national image, incites splitting the country, undermines national unity and social stability, advocates terrorism, extremism, ethnic hatred and discrimination, violence, pornography, and false and harmful information”29
- Taking effective measures to “prevent discrimination based on nationality, religion, country, region, gender, occupation and health in the design of the algorithm, training data set, model generation, optimization and service provision”30
- Respecting intellectual property rights and business ethics – including keeping confidential trade secrets and refraining from “carrying out acts of monopoly and unfair competition by taking advantage of proprietary algorithms, data and platforms”31
- Respecting others’ legitimate rights and interests – refraining from endangering others’ physical and mental health and respecting their “rights of portrait, reputation, honor, privacy and personal information”32
Taking effective measures to “enhance the transparency, accuracy and reliability of the contents generated by Generative AI services”
Data training: The AI Measures also introduce requirements related to training data. Generative AI service providers must use data and models from legitimate sources, respect intellectual property rights and personal information, and strive to improve the quality, authenticity, accuracy, objectivity and diversity of the training data they utilize.34
Content moderation: Generative AI service providers are required to promptly remove any illegal content, employ measures for model optimization training, and report cases to the relevant authorities.35
Reporting mechanism: Generative AI service providers must establish a complaints and reporting mechanism, where they accept and handle complaints and reports from the public and provide feedback on the outcome of these cases.36
Regulators
The Cyberspace Administration of China is the lead regulator for Generative AI technology. The cyberspace, development and reform, education, science and technology, industry and information technology, public security, radio and television, press and publication, and other relevant authorities shall strengthen the management of Generative AI services in accordance with the law based on their respective functions and responsibilities.37
Enforcement powers and penalties
To effectively manage Generative AI services, Chinese regulators have been granted regulatory powers. These regulators are responsible for strengthening the management of these services based on their respective functions and responsibilities.38 They have the authority to conduct security assessments, supervisory inspections, and impose penalties for any violations in accordance with relevant laws and regulations.39
Article 21 of the AI Measures outlines the liability provisions for violations and non-compliance.
- If Generative AI service providers violate the AI Measures or any other relevant laws, the relevant authorities will impose penalties in accordance with the Cybersecurity Law, the Data Security Law, the PIPL, the Law on the Progress of Science and Technology, or other applicable laws and regulations. In cases where the laws or administrative regulations are silent, the relevant authorities, based on their functions and responsibilities, may issue a warning or reprimand, order corrections within a specified time limit, or suspend the provision of related services if corrections are refused or the violation is severe.
- If a violation constitutes a breach of public security management, public security administrative sanctions will be imposed in accordance with the law. If a violation constitutes a crime, criminal liability will be pursued in accordance with the law.
According to Articles 253 and 291 of the Criminal Law of China, when individuals or organizations illegally obtain personal information or disseminate false information through information networks or media platforms with the intention of disturbing public order or causing severe consequences, they can face penalties of up to seven years in prison or fines.
According to the PIPL, failure to comply with the PIPL can result in penalties such as fines up to 50 million RMB, revenue confiscation (up to 5 percent of annual revenue), and even business cessation.40
1 For the purpose of this document, “China” refers to the People’s Republic of China excluding the Hong Kong Special Administrative Region of the People’s Republic of China, the Macau Special Administrative Region of the People’s Republic of China and Taiwan.
2 See the Interim Measures for the Management of Generative Artificial Intelligence Services, promulgated on July 10, 2023 by the Cyberspace Administration of China, National Development and Reform Commission; Ministry of Education, Ministry of Science and Technology, Ministry of Industry and Information Technology, Ministry of Public Security, National Radio and Television Administration.
3 See the Administrative Provisions on Deep Synthesis in Internet-based Information Services, promulgated on November 25, 2022, by Cyberspace Administration of China, Ministry of Industry and Information Technology, and Ministry of Public Security.
4 See the Administrative Provisions on Recommendation Algorithms in Internet-based Information Services, promulgated on December 31, 2021 by Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration for Market Regulation.
5 See the Measures for Review of Scientific and Technological Ethics (for Trial Implementation), promulgated on December 1, 2023 by the Ministry of Science and Technology, the Ministry of Education, the Ministry of Industry and Information Technology, the Ministry of Agriculture and Rural Affairs, the National Health Commission, the Chinese Academy of Sciences, the Chinese Academy of Social Sciences, the Chinese Academy of Engineering, the China Association for Science and Technology, and the Science and Technology Commission of the Central Military Commission
6 See e.g., the Practical Guidelines for Cybersecurity Standards – Method for Tagging Content in Generative Artificial Intelligence Services, released by the China’s National Information Security Standardization Technical Committee on August 25, 2023.
7 The AI Measures, Article 22(1).
8 Id. Articles 2 and 20.
9 Id. Articles 20.
10 See the Guiding Opinions on Regulating the Asset Management Business of Financial Institutions, promulgated by the People’s Bank of China, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission, and the State Administration of Foreign Exchange on April 27, 2018.
11 See the Evaluation Specification of Artificial Intelligence Algorithm in Financial Application, promulgated by the People’s Bank of China on March 26, 2021.
12 See the Guidance on Information Disclosure for Financial Applications Based on Artificial Intelligence Algorithms, promulgated by the People’s Bank of China on November 8, 2023.
13 See the Guidance for the Classification Defining of AI-Based Medical Software Products, promulgated by the National Medical Products Administration on July 1, 2021.
14 See the Opinions on Strengthening the Management of Intelligent and Connected Vehicles Manufacturing Enterprises and Product Access, promulgated by the Ministry of Industry and Information Technology on July 30,2021.
15 The AI Measures, Article 22(2).
16 Id, Article 22(3).
17 Id. Article 2.
18 Id. Article 1.
19 Id. Article 3.
20 Id. Article 16.
21 Id. Article 17.
22 Id. Articles 4 and 7.
23 Id. Article 10.
24 Id. Article 9.
25 Id. Article 11.
26 Id. Articles 13-15.
27 Id. Article 19.
28 Id. Article 8.
29 Id. Article 4(1).
30 Id. Article 4(2).
31 Id. Article 4(3).
32 Id. Article 4(4).
33 Id. Article 4(5).
34 Id. Article 7.
35 Id. Article14.
36 Id. Article 15.
37 Id. Article 16.
38 Id.
39 Id. Articles 19-21.
40 See the PIPL, Article 66.
Jeffrey Shin (Trainee Solicitor, White & Case, London) contributed to this publication.
[View source.]