On July 13, 2023, the Cyberspace Administration of China (CAC) and six other Chinese government agencies jointly released the final version of the Interim Administrative Measures for Generative Artificial Intelligence Services (see the Chinese version here). These measures will enter into force on August 15, 2023.
For background, the CAC released a draft version of the measures for public comments in April 2023. This final version introduces notable changes, including removing certain prescriptive obligations on service providers, defined below, (e.g., restriction on user profiling and a requirement for authenticating users’ real identity) and highlighting the importance of balancing industry innovation and development with the regulation of generative AI services. As China’s first regulation specifically addressing generative AI, the measures set out key principles on generative AI regulation, impose compliance obligations on relevant service providers and establish an enforcement framework in the generative AI space.
1. Scope of the measures
The measures apply to the provision of services of generating texts, pictures, audios, videos or other content to the public in China by using generative AI technologies (generative AI services). However, “to the public” is not defined under the measures (Article 2). Therefore, it is possible that this may cover services provided to both individuals and enterprise users, unless the CAC issues further guidance. Further, the measures clarify that, to the extent that no generative AI services are provided to the public, the research and use of generative AI technologies for internal purposes are not subject to the measures (Article 2).
Notably, the measures do not explicitly prohibit Chinese users from using generative AI services provided by overseas providers from outside China, but the CAC has the power to request competent regulators to take technical or other necessary measures on such services that violate Chinese laws and regulations (Article 20).
2. Key obligations of service providers
The measures create a regulatory framework that imposes a number of compliance obligations on providers of generative AI services (service providers). Among others, these service providers must comply with the following key requirements:
- Training data. Article 7 of the measures requires service providers to carry out training activities (such as pre-training and training optimization) in a lawful manner and ensure that:
- The data and foundational models are from lawful sources.
- The training activities do not infringe the intellectual property rights of others.
- To the extent that personal information is processed, the service provider has obtained consent from relevant individuals, or it may rely on another legal basis for the processing of personal information.
- Effective measures have been taken to improve the training data quality and increase the authenticity, accuracy, objectivity and diversity of the training data.
- The training activities are conducted in compliance with China’s Cybersecurity Law (CSL), Data Security Law (DSL), Personal Information Protection Law (PIPL), and other applicable laws and regulations.
Further, if service providers may conduct data labeling in the technology research and development phase, the measures also mandate them to:
- Formulate clear, specific and feasible labeling rules in compliance with the measures.
- Carry out assessment on labeling quality and spot-check the labeling accuracy.
- Provide trainings to personnel responsible for labeling work (Article 8).
- Personal information protection. In addition to the consent requirement mentioned above, the measures generally require service providers to comply with personal information protection obligations (Article 9). In particular, service providers must not collect unnecessary personal information when providing services. For information input by users and users’ service usage records, service providers are further prohibited from:
- Illegally retaining such information and records in a way that could identify users.
- Illegally sharing such information and records with third parties.
Service providers also must respond to requests when users exercise their rights to access, correct, supplement, delete and/or obtain a copy of their personal information (Article 11).
- Content moderation. Where illegal content is discovered by a service provider, the measures mandate it to:
- Take immediate actions to address it by suspending the generation and transmission and removing the illegal content from its services.
- Implement AI model optimization training.
- Report the issue to a competent regulator.
If a service provider is aware that its users are using the generative AI services to conduct illegal activities, it must:
- Issue warnings to such users and limit their use of relevant features.
- Suspend or terminate its services to such users.
In addition, the service provider must retain relevant records and report the above to a competent regulator (Article 14).
- Security assessment and algorithm filing. Specifically for generative AI services with “public opinion attributes or the capacity for social mobilization”, Article 17 of the measures mandates relevant service providers to go through a security assessment to be conducted by the CAC and other relevant regulators, along with conducting a filing of their algorithm in accordance with China’s Internet Information Service Algorithmic Recommendation Management Provisions, which require the filing to be conducted within 10 business days after the services are launched.
Violations under the measures will be subject to penalties imposed in accordance with the CSL, DSL, PIPL and the Law on Scientific and Technological Progress (Article 21). Competent regulators are empowered under the measures to require service providers to cooperate with their “supervision and inspection” by explaining the sources, scale, and types of training data, labeling rules, and algorithmic mechanisms, as well as providing necessary technical and data supports and assistance (Article 19).
Cooley LLP is not licensed to practice the law of the People’s Republic of China (PRC) and nothing herein constitutes an opinion or legal advice by Cooley with respect to PRC laws or otherwise. This blog may not be relied upon, construed as or used as an opinion, interpretation of or legal advice in any respect relating to or arising out of PRC laws or otherwise. This blog, and our review of the information referenced in this blog, is based solely upon our general familiarity with matters of the type referenced in this blog and the consultation with PRC counsel with respect to certain matters of PRC law or practice, as referenced in the blog, provided that notwithstanding such consultation, no opinions or legal advice with respect to PRC law are made herein. Any analysis, conclusion, advice or opinion with regard to PRC laws, or otherwise with regard to any of the matters referenced in this blog, must be obtained from PRC local counsel.