The Cybersecurity Administration of China ("CAC") and six other agencies jointly promulgated Interim Measures for the Administration of Generative Artificial Intelligence Services ("Generative AI Measures" or "Rules"), which will regulate the development and provision of generative artificial intelligence ("Generative AI") services to the domestic public in China. The new Rules go into effect August 15, 2023.
The final version of the Generative AI Measures follows the draft rules released in April 2023. In comparing the two versions, the new Rules tone down a number of obligations for Generative AI Service Providers. For example, the new Rules attach "equal importance to development and security" and "encourage the innovation and development" of Generative AI. The Rules dropped proposed prohibitions on user profiling, user real-name verification, and a requirement to take measures within three months through model optimization training to prevent illegal content from being generated again. (Note that Generative AI Service Providers may still be subject to the requirements of verifying users' real identities under the Cybersecurity Law of the People's Republic of China (see English version here).) In addition, while the new Rules retained a directive that "providers who violate the provisions" of the new Rules "shall be punished by the relevant competent authorities" and possibly investigated for criminal responsibility, the new Rules deleted a provision allowing for fines for non-compliance with orders for correcting violations.
Short Time Horizon for Compliance
Companies providing Generative AI services in China will need to act quickly to get into compliance with the Generative AI Measures since they are scheduled to take effect on August 15, 2023. According to Article 19 of the Generative AI Measures, Generative AI Service Providers subject to the new Rules must cooperate with state regulators who are empowered to supervise and inspect, and Generative AI Service Providers must "explain the source, scale and type of training data, labeling rules and algorithmic mechanism[s]" to regulators in addition to providing "necessary support and assistance" during inspection. Regulators are also required to "keep state secrets, commercial secrets, personal privacy and personal information known in the performance of their duties confidential in accordance with law, and shall not disclose or illegally provide them to others."
Scope and Definitions of Key Terms Within the Generative AI Measures
Article 2 of the Generative AI Measures details the scope of the regulations while Article 22 sets forth key definitions. Article 2 states that the Rules apply to "the use of generative artificial intelligence technology to provide services for generating text, pictures, audio, video, and other content to the public within the territory of the People's Republic of China," and that "industrial associations, enterprises, educational and scientific research institutions, public cultural institutions and, relevant professional institutions that develop and apply generative artificial intelligence technology, but do not provide generative artificial intelligence services to the domestic public, shall not be subject to the provisions of these Measures" (emphasis added). Thus entities utilizing generative AI to develop enterprise-facing products, security tools, scientific research, etc., may be exempt from the Generative AI Measures.
In addition, Article 17 of the Generative AI Measures states that "providers of generative artificial intelligence services with public opinion attributes or social mobilization capabilities shall conduct security assessments" that comply with relevant national regulations, and "perform algorithm filing, modification, and cancellation filing procedures" that comply with the "Internet Information Service Algorithmic Recommendation Management Provisions" (see English version here).
The key definitions are found in Article 22 of the Generative AI Measures and include the following:
- Generative AI Service Provider: Organizations and individuals that use generative artificial intelligence technology to provide generative artificial intelligence services (including providing generative artificial intelligence services by providing programmable interfaces, etc.).
- Generative AI Service Users: Organizations and individuals who use generative artificial intelligence services to generate content.
- Generative AI Technology: Models and related technologies that have the ability to generate content such as text, picture, audio and video.
No specific provision in the Generative AI Measures expressly prohibits individuals or organizations in China from utilizing "offshore" Generative AI Service Providers. However, Article 20 of the Generative AI Measures states that "where the provision of generative artificial intelligence services originating from outside the territory of the People's Republic of China does not comply with laws, administrative regulations, and the provisions of these Measures, the national network information department shall notify relevant institutions to take technical measures and other necessary measures to deal with them" (emphasis added).
While this provision does not grant state authorities in China the oversight power to regulate offshore Generative AI Service Providers, it may nevertheless pressure such service providers to take steps to comply with the Generative AI Measures to maintain access to the Chinese market.
Notable Requirements in the CAC's Generative AI Measures for Service Providers
The Generative AI Measures impose an array of obligations on Generative AI Service Providers based in China. Some of the most notable regulatory obligations imposed by the Generative AI Measures include:
- Content Moderation: According to Article 9, Generative AI Service Providers assume the responsibility of "producers of network information content" and, "if personal information is involved [in the generation of network information content]", also assume "the responsibility of processors of personal information." Pursuant to Article 14, Generative AI Service Providers are tasked with identifying and managing producers engaged in "illegal content" as articulated in Article 4. If a Generative AI Service Provider discovers a content producer engaging in illegal content, they are obligated to take remedial measures, including:
  - Warning and limiting functions;
  - Suspending or terminating the content generation and transmission of the particular producer;
  - Taking down the illegal content; and
  - Rectifying through model optimization and reporting the issue to regulators.
- Intellectual Property Rights: According to Article 7(2) of the Generative AI Measures, where intellectual property rights are involved in generative AI services, the "intellectual property rights enjoyed by others shall not be infringed" (this provision is, most likely, intentionally vague with no additional context or clarity contained in the Generative AI Measures).
- Licensing Requirement: Article 23 of the Generative AI Measures indicates that Generative AI Service Providers shall obtain "relevant administrative licenses" where "laws and administrative regulations stipulate." In addition, if foreign entities invest in generative artificial intelligence services in China, they shall also "comply with the provisions of foreign investment-related laws and administrative regulations."
- Qualitative Aspects of AI Training Data: According to Article 7(4) of the Generative AI Measures, there is a requirement that Generative AI Service Providers take "effective measures to improve the quality of training data, and enhance the authenticity, accuracy, objectivity, and diversity of training data."
- Labeling Requirements for Training Data: Article 8 of the Generative AI Measures requires Generative AI Service Providers to (1) develop "clear, specific and operable" AI labeling rules, (2) provide supervision of and necessary training for the personnel engaged in labeling activities, (3) "improve awareness of respecting and abiding by the law," and (4) verify the accuracy of the labeling through sampling.
- Consent Required to Use Personal Information in AI Training Data: Article 7(3) of the Generative AI Measures states that Generative AI Service Providers must obtain "the consent of the individual" to use their personal information in "training data processing activities." This provision does allow Generative AI Service Providers to rely on "other legal bases" that comply with Chinese "laws and administrative regulations" to process personal information in their training data.
- Protections for Personal Information: Article 11 of the Generative AI Measures states that Generative AI Service Providers shall "protect the user's input information and use records" and "shall not collect non-essential personal information." In addition, Article 11 states that Generative AI Service Providers shall not "illegally retain input information and use records that can identify users, and shall not illegally provide the user's input information and use records to others."
- Required Redress Mechanism for User Complaints: According to Articles 11 and 15 of the Generative AI Measures, there are requirements for Generative AI Service Providers to establish a "mechanism for receiving and handling complaints from users" and to address and process user requests for access, copies, correction, supplementation, or deletion of personal information in a timely manner.
Takeaways from the New Rules
The contents of the CAC's Generative AI Measures indicate that information control and oversight by the Chinese government remain a top priority. The CAC even declares in Article 4 of the Generative AI Measures that the use of generative AI services shall adhere to the socialist core values and must not generate anti-government content. Another example is the fact that providers of Generative AI services with public opinion attributes or social mobilization capabilities are required to fulfill security assessment and filing obligations pursuant to China's "Internet Information Service Algorithmic Recommendation Management Provisions" (see English version here).
China's issuance of the Generative AI Measures, in combination with the regulatory efforts taken by the European Union to enact an Artificial Intelligence Act, reflects a growing interest by nation states to exert a level of control over the development and progress of AI technologies, services, and tools, and to establish a set of rules governing how companies utilize generative AI and distribute content.
DWT's Artificial Intelligence team will continue to monitor and report on the legal and policy developments impacting AI, machine learning, privacy and cybersecurity issues.
Article 4 of the Rules requires that providers "shall abide by laws and administrative regulations, respect social morality and ethics," including "adher[ence] to the socialist core values, and must not generate content that incites subversion of state power and overthrowing the socialist system, endangers national security and interests, damages national image, incites secession, undermines national unity and social stability, promotes terrorism, extremism, promotes ethnic hatred, ethnic discrimination, violence, obscenity, and false and harmful information prohibited by laws and administrative regulations."