China’s Interim Measures on Generative AI: The Basics to Know

By Anas Baig | Reviewed By Adeel Hasan
Published August 1, 2023

On July 13, 2023, the Cyberspace Administration of China (CAC) and six other central government regulators issued the Interim Measures for the Management of Generative Artificial Intelligence Services (AI Measures). The final AI Measures follow the CAC’s publication of the draft measures for public consultation on April 11, 2023.

Set to take effect on August 15, 2023, the AI Measures have been formulated in accordance with existing laws and regulations such as the Cyber Security Law (CSL), the Data Security Law (DSL), the Personal Information Protection Law (PIPL), and the Science and Technology Progress Law (STPL).

The AI Measures aim to ensure that a healthy environment can be fostered within China that allows for the responsible use of generative artificial intelligence (GenAI) without causing undue harm to the national security, social and public interest, and the legitimate rights and interests of the citizens, including legal persons and organizations.

Definitions of Key Terms

a) GenAI Technology

GenAI technology refers to models and related technologies that have the ability to generate content such as text, pictures, audio, and video.

b) GenAI Service Providers

GenAI service providers (Providers) refer to organizations and individuals that use GenAI technology to provide GenAI services (including providing GenAI services by providing programmable interfaces, etc.).

c) GenAI Service Users

GenAI service users (Users) refer to organizations and individuals who use generative artificial intelligence services to generate content.

Scope

The AI Measures apply to the use of GenAI technology to provide GenAI services to the public within the territory of the People’s Republic of China (PRC). However, in case specific regulations are in force concerning the use of GenAI services to engage in activities such as news publishing, film and television production, and literary and artistic creation, the relevant specific regulations will prevail over the AI Measures.

Furthermore, industry associations, enterprises, educational and research institutions, cultural institutions, and certain professional institutions that develop and apply the GenAI technology but do not provide GenAI services to the public are exempt from the application of the AI Measures. Notably, the first draft of the AI Measures did not provide for such a carve-out and applied to all sorts of uses of GenAI technology.

Principles of Usage

As per the AI Measures, the provision and use of the GenAI services must comply with the existing laws and regulations as well as uphold social morality and ethics. Organizations using generative AI to deliver products or services to the public within China must adhere to the following principles:

  1. Uphold the Core Socialist Values - Organizations are required to undertake strict measures to eliminate chances of the creation of any content that might:
    1. Incite subversion of national sovereignty;
    2. Endanger national security;
    3. Harm the nation's image;
    4. Advocate separatism;
    5. Undermine social stability;
    6. Advocate terrorism;
    7. Promote ethnic hatred and discrimination;
    8. Proliferate fake and harmful misinformation;
    9. Suggest overturning the socialist system.
  2. Minimize Discrimination - Organizations must carefully curate processes such as algorithm design, the selection of training data, model generation, and optimization to proactively prevent the creation and proliferation of any unintended discrimination.
  3. Respect IP Rights - Organizations must implement rigorous internal measures to respect and protect all commercial secrets and intellectual property rights while also minimizing the possibility of monopolies or unfair competition.
  4. Respect Rights & Interests - Organizations must ensure the lawful rights and interests of individuals and organizations, such as their image, reputation, honor, privacy, and personal information, are not endangered in any way.
  5. Ensure Transparency - Organizations must undertake strict and effective measures to increase the transparency of their generative AI services and the overall accuracy and reliability of any content generated via generative AI services.

Obligations for GenAI Service Providers

Following are some obligations under the AI Measures that the Providers must comply with:

Training Data Processing Activities

The Providers must carry out training data processing activities, including pre-training and optimization training, in accordance with the law and must ensure to:

  • Use data and basic models with legitimate sources;
  • Avoid infringing on pre-existing IP rights of other individuals and organizations;
  • Obtain willful consent of individuals when using their personal information;
  • Take effective measures to improve the quality of training data, and enhance the authenticity, accuracy, objectivity, and diversity of training data;
  • Comply with the requirements of the CSL, DSL, PIPL, and other relevant laws and regulations.

Data Labeling

The Providers must ensure the following while carrying out data labeling during the research and development of the GenAI technology:

  • Formulate clear, specific, and operable labeling rules;
  • Carry out data labeling quality assessment and conduct sampling verification of the accuracy of the labeling content;
  • Conduct necessary training for labeling personnel as well as improve awareness of respecting and abiding by the law; and
  • Supervise and guide labeling personnel to standardize labeling work.

Vendor Agreements

Under the AI Measures, the Providers are responsible for the conduct of the network information content producers as well as the network information security obligations under applicable laws. To protect personal information and ensure compliance with the applicable laws, the Providers should enter into binding agreements with their vendors laying out their obligations and regularly monitor compliance on the part of the vendors.

User Agreements

The AI Measures require the Providers to enter into service agreements with the Users. Such agreements must clarify the rights and obligations of both the Providers as well as the Users.

Disclosure Requirements

The Providers must clarify and disclose the applicable groups, occasions, and uses of their services to the Users. The Providers must guide the Users to scientifically and rationally use the GenAI technology in accordance with the law and take effective measures to prevent minors from excessive reliance or indulgence in the GenAI services.

In addition, the Providers must also mark pictures, videos, and other generated content in accordance with the Regulations on the Administration of Deep Synthesis of Internet Information Services.

Handling Users’ Input Information

The Providers must protect the Users’ input information and maintain records as per the applicable laws and regulations. The Providers must refrain from:

  • Collecting unnecessary personal information;
  • Illegally retaining input information and using records to identify the User; and
  • Illegally disclosing the Users’ input information and usage records to third parties.

Rights of the Users

The AI Measures provide several rights to the Users. The Providers must accept and process in a timely manner the requests from the Users, who are individuals, to exercise the following rights:

  • Right to review personal information;
  • Right to obtain a copy of personal information;
  • Right to correct the personal information;
  • Right to supplement personal information; and
  • Right to delete personal information.

Furthermore, the Users have the right to file complaints and report any GenAI services which do not comply with the applicable laws, regulations and AI Measures.

Monitoring

The Providers must ensure regular monitoring of their GenAI services and must comply with the following requirements:

  • Where a Provider discovers illegal content, it must promptly take appropriate measures such as stopping generation, stopping transmission, and elimination, take measures such as model optimization training for rectification, and report to the relevant competent authority; and
  • Where the Provider discovers that the User is using the GenAI service to engage in illegal activity, it must take measures such as warning, restricting functions, suspending or terminating the provision of services to it in accordance with the law, keep relevant records, and report to the relevant competent authority.

Complaint and Report Mechanism

The AI Measures require the Providers to establish and maintain a complaint and report mechanism. The Providers must also publish the complaint handling process and feedback time limit, accept and handle the public complaints and reports in a timely manner and provide feedback on the handling results.

Security Assessments

The Providers with public opinion attributes or social mobilization capabilities must conduct security assessments in accordance with the relevant state regulations. In addition, such Providers must also perform algorithm filing, modification, and cancellation filing procedures in accordance with the Internet Information Service Algorithm Recommendation Management Regulations.

Supervisory Authorities

Different central government departments are responsible under the AI Measures to supervise and inspect the GenAI services in accordance with their respective duties and responsibilities. These departments include the following:

  • Departments of Cybersecurity and Informatization
  • Department of Development and Reform
  • Department of Education, Science and Technology
  • Department of Industry and Informatization
  • Department of Public Security
  • Department of Radio and Television
  • Department of Press and Publication

Further, the National Network Information Department is responsible for notifying the relevant institutions to take technical and other necessary measures where the provision of GenAI services originating from outside of the PRC does not comply with the AI Measures.

Penalties for Non-Compliance

The Providers who violate the provisions of the AI Measures shall be liable for penalties as per the applicable laws, including CSL, DSL, PIPL, STPL, etc. Further, depending on the nature of the violation, the contraveners may also be subject to criminal prosecution.

How Can Securiti Help

China is quickly gaining a reputation for being extensively proactive in formulating and adapting AI-related regulations.

These measures, alongside its already established data privacy regulations, make China a complex jurisdiction for organizations aiming to comply with their regulatory obligations completely.

This is where Securiti can be of great help.

Securiti is a global leader in providing enterprise data privacy, security, compliance, and governance solutions. Its Data Command Center™ is an enterprise solution based on a Data Command Center framework that allows organizations to optimize their oversight and compliance with China's extensive AI and data regulations.

Request a demo today and learn more about how Securiti can help your organization comply with China's data privacy and AI-related regulations.
