What to Know about China’s Basic Safety Requirements for Generative Artificial Intelligence Services

I. Introduction

On 29 February 2024, the National Information Security Standardization Technical Committee (TC260) released the Technical Document on Basic Safety Requirements for Generative Artificial Intelligence Services (Technical Document). This Technical Document follows an extensive public consultation in October 2023.

Intended to serve as a critical reference for service providers as well as oversight authorities, this Technical Document provides information on how to conduct security assessments and evaluate the overall security level of the GenAI services being used. The Technical Document is also meant to support the Interim Measures for the Management of Generative Artificial Intelligence Services (Interim Measures) that the Cyberspace Administration of China published on 13 July 2023 and took effect from 15 August 2023.

The Technical Document places several obligations and requirements upon service providers. These are meant to ensure that any GenAI services being adapted and deployed for public use have minimal risks while also preventing the generation of content that may violate China's other national regulations.

Read on to learn more about the Technical Document's requirements for service providers and how to adhere to them.

II. Who Needs to Comply with These Requirements

These requirements will apply to any and all GenAI service providers that carry out safety assessments and are consistently obligated to improve their safety levels. Additionally, the Technical Document serves as a reference for the relevant main oversight departments to judge the safety levels of GenAI services. Thus, it contains specifications related to basic requirements regarding the safety aspects of GenAI services, such as safety of training data, model safety, safety measures, and safety assessment requirements.

III. Definitions of Key Terms

Here are some definitions of key terms mentioned within this Technical Document:

a. Generative Artificial Intelligence Services

The use of Generative Artificial Intelligence (GenAI) to provide textual, graphic, audio, visual, and other forms of content generated via the use of extensive datasets and made publicly available within China.

b. Service Provider

An individual, organization, or entity that provides GenAI services in the form of programmable or interactive interfaces.

c. Training Data

All data an organization includes as part of its input dataset for model training and during the pre-training and optimization training processes.

d. Sampling Qualified Rate

The percentage of samples that do not contain any of the 31 safety risks identified within the Technical Document, such as promoting violence, ethnic hatred, or false information.

e. Foundation Model

A deep neural network model that has been trained on large amounts of data for generic goals and purposes, allowing for it to be optimized and adapted for multiple tasks.

f. Illegal and Unhealthy Information

The Provisions on the Governance of the Online Information Content Ecosystem lists nine types of harmful information and eleven categories of illegal information collectively. This information is principally related to any of the 29 categories of safety risks described in Appendices A.1 through A.4 as Illegal and Unhealthy information.

IV. Obligations for Organizations

The Technical Document places several obligations and requirements on those subject to its provisions. These include the following:

1. General Provisions

The purpose of the Technical Document is to outline the fundamental safety requirements that organizations must adhere to.

Service providers that perform filing procedures per their obligations must conduct assessments according to the requirements established in the Technical Document and submit any relevant reports generated as a consequence of these assessments.

Based on other regulatory requirements in China, additional safety work must be carried out related to the service providers’ own cybersecurity, data security, personal data protection, etc.

Special attention must be paid to understanding the long term risks and dangers posed by GenAI while adopting a cautionary approach to any GenAI services that may replicate human behavior or can be used in creating malware or biological and chemical weapons.

2. Corpus Safety Requirements

Corpus refers to a large and unstructured collection of texts or datasets. It is essential to have safety requirements to safeguard sensitive information and uphold ethical and legal standards.

Corpus Source Safety Requirements

The corpus source  safety requirements for service providers are as follows:

Management

• Before collecting data from a specific source, a safety assessment must be conducted on the corpora of that source. In case the source contains over 5% illegal and unhealthy information, corpora from that source cannot be collected;
• After collecting data from a specific corpus source, the corpora of the source must be verified. If more than 5% of the content is illegal or unhealthy, the dataset cannot be used for training.

Matching

Service providers must take appropriate measures to increase the overall diversity of the corpus sources, with multiple corpus sources for each language and different corpus types such as text, images, audio, and video. Usage of foreign corpora (including Hong Kong, Macao and Taiwan), if necessary, must be matched with domestic corpora sources.

Traceability

When utilizing an open-source corpus, ensure to obtain an open-source license agreement or an equivalent licensing document specific to that corpus source. Moreover, in such situations, the service provider must have collected records and must not have collected corpus that have been determined to be unfit for collection;

When collecting commercial corpora:

• A legally valid transaction contract or cooperation agreement must be in place;
• If a counterparty or partner cannot provide assurances related to the source, quality, or security of the corpus, the corpus in question cannot be used;
• Any supporting materials and documents submitted by a counterparty must be thoroughly reviewed.

Most importantly, any information blocked per the requirements of China’s cybersecurity-related laws, policies, and regulations must not be used as corpora. Additionally, when users provide information to be used in the corpus, keeping detailed records of user authorization is crucial.

Corpus Content Safety Requirements

The corpus content safety requirements are as follows:

Filtering

Service providers must adopt methods such as keywords, classification models, and manual spot checks to filter out any illegal and unhealthy information in the corpora.

Intellectual Property Rights

• All service providers must have dedicated personnel in charge of all intellectual property rights (IPR) of the corpora as well as any AI-generated content in line with the provider’s IPR management strategy;
• Before using a corpus for training, potential risks of intellectual property rights (IPR) infringement must be determined. If such risks are discovered, the provider should not use such a dataset for training;
• Service providers must establish clear channels for reporting complaints related to IPR issues;
• Users should be appropriately informed of the IPR-related issues in the user service agreement as well as the responsibilities and obligations of the service providers;
• The IPR strategy must be updated in a timely manner and compliant with the national policy requirements as well as third-party complaints;
• The following IPR measures must be in place:
  • Disclosure of summary information related to IPR-related parts of the corpora;
  • Support in complaint reporting channels for third-party inquiries about the corpus usage and any IPR related issues as well.

Personal Information

• Before using a corpus containing personal information can be used, it is important to have the consent of the individuals the information belongs to as well as compliance with any other relevant laws and regulations;
• Before using a corpus containing sensitive personal information, it is important to obtain the separate consent of each individual to whom the information belongs, as well as comply with any other relevant laws and regulations.

Corpus Annotation Safety Requirements

The corpus annotation safety requirements are as follows:

Annotators

• Service providers are tasked to provide in-house safety training for annotators. The training should include annotation task rules, annotation tool usage methods, annotation content quality verification methods, as well as annotation data security management requirements;
• Service providers must conduct in-house examinations of their annotators with mechanisms in place for regular retraining and reassessment, along with suspension and revocation of annotator eligibility when necessary;
• The annotators’ functions must be divided into at least two parts, i.e., data annotation and data review, with no annotator holding both roles simultaneously;
• Annotators must be provided with appropriate time and resources to perform each task.

Annotation Rules

• The annotation rules must, at minimum, contain annotation objectives, data formats, annotation methods, and quality indicators;
• Rules for functional annotation and safety annotation must developed separately, with each covering data annotation and data review at a minimum;
• Functional annotation rules must guide annotators on how to produce annotated corpora that are authentic, accurate, objective, and diverse per market and regulatory requirements;
• The safety annotation rules must guide annotators on how to annotate while avoiding the main safety risks around the corpus and generating content with corresponding annotation rules for the 31 types of risks identified in the Technical Document.

Annotated Data Accuracy

When annotating for functional purposes, each batch is to undergo a manual review. If it is inaccurate, illegal, or unhealthy, it is either re-annotated or invalidated. Moreover, to ensure safety, at least one auditor must review and approve each annotated corpus.

All safety-related annotation data must be stored in a segregated manner.

3. Model Safety Requirements

The model safety requirements for service providers are as follows:

Third-Party Foundation Model

If a service provider provides a service based on a third party’s foundation model, they must ensure the foundation model has been appropriately filed with the relevant oversight department.

Model-generated Content Safety

• The safety of the generated content must be made one of the main indicators for consideration in the generation results’ evaluation during the training process;
• Safety testing must be conducted on all information provided by the users to guide the model to generate positive content;
• Regularized measures must be put in place for monitoring and evaluation, and any issues identified must be dealt with promptly and appropriately through targeted instruction, fine-tuning, and reinforcement learning.

Accuracy of Generated Content

Appropriate technical measures must be taken to improve the ability of the generated content’s responsiveness to the intent of the users’ input. Simultaneously, steps should be taken to ensure that the expressions in the content align with scientific knowledge and mainstream perception, while minimizing errors in the content.

Reliability of Generated Content

Efforts should be focused on implementing appropriate technical measures that enhance the coherence and validity of generated content, thereby increasing its utility and value to users.

4. Safety Measure Requirements

The safety measure requirements are as follows:

Suitability

• The service providers must demonstrate the necessity, applicability, and safety of the GenAI services to be deployed;
• If the GenAI services are to be used for critical information infrastructure or any other important situations such as automatic control, medical information services, psychological counseling, and financial information services, appropriate protective measures must be in place to counter the risks;
• If the service is deemed appropriate for children:
  • Parents or guardians must be allowed to set up anti-addiction measures;
  • Minors must not be provided paid services that are inconsistent with their ability to act as adults;
  • Content deemed beneficial to minors' physical and mental health must be actively displayed.

If the service is not deemed appropriate for children, technical and management measures must be in place to prevent them from using it.

Service Transparency

In situations where a service relies on an interactive interface, it is important to clearly disclose on the homepage information such as who can benefit from the service, when it is useful, and the foundational model it is based on. This helps the users understand how and when to use the service effectively.

Moreover, the aforementioned disclosure will also contain the following information:

• Limitations of the service;
• Summary information on the models and algorithms being used;
• The personal information being collected and their uses.

If the service being provided relies on a programmable interface, all the aforementioned information must be disclosed in a descriptive document.

User Information in Training

• Users must be provided with a way to opt out of their entered information being used for training purposes. This could be achieved through selectable options, voice commands, or other convenient methods. For instance, the opt-out option should be easily reachable from the main service interface.
• As described in the aforementioned point, users should be clearly informed about the status of user input collection and the available method(s) for opting out.

Annotation

All annotations of image, audio, and video content must meet the relevant requirements of national regulations and standards.

Computing Systems in Training

• A comprehensive assessment of the supply continuity and stability must be conducted to properly evaluate the supply chain security of the chips, software, tools, and computing power being used in the system;
• Any chips being used must support hardware-based secure boot, a trusted boot process, and security verification.

Complaints/Reports From Public

• Appropriate ways and mechanisms must be established to allow the public and the users to launch complaints and reports through mechanisms including but not limited to phone, email, interactive windows, and text messages;
• Rules must be established for handling public complaints and reports.

Provisions of Services to Users

• Appropriate methods must be adopted where information provided by users can be assessed, and if illegal or unhealthy information is provided more than five times per user in one day, or three consecutive times, their account may be suspended;
• Answers to questions that are obviously extreme, including those that induce the generation of illegal and unhealthy information, shall be refused. All other questions will be answered normally.
• Monitoring personnel must be put into place along with quality and safety improvement measures per the circumstances.

Model Updates

• A safety management strategy must be established for the timely upgrade and update  of models;
• A management mechanism must be formed to organize all in-house safety assessments after the upgrade of models.

Service Suitability & Continuity

• It is necessary to divide the training and inference environments to prevent data leaks and problems with access;
• Continuous monitoring of model input content to prevent input attacks;
• Regular security audits to identify and fix potential security vulnerabilities;
• Appropriate backup mechanisms must be established for data, models, frameworks, tools, and recovery strategies focused on business continuity.

5. Other Requirements

Keyword Library

Keyword library requirements are as follows:

• The keyword library must be comprehensive, not being less than 10,000;
• The keyword library must be appropriately representative and cover the 17 safety risks identified in the Technical Document with no less than 200 keywords for each safety risk in Appendix A.1 and no less than 100 for each risk in Appendix A.2;
• The keyword library must be updated at least once per week, according to the relevant cybersecurity requirements.

Generated Content Test Question Bank

A Test Question bank for generated content should be made as follows:

• The generated content test question bank must be comprehensive, with no less than 2,000 questions;
• The generated content test question bank must be appropriately representative and cover the 31 safety risks identified in the Technical Document with no less than 50 questions for each safety risk in Appendix A.1 and A.2 and not less than 20 for the remaining safety risks;
• The generated content test question bank must be updated at least once a month, in a timely manner according to the relevant cybersecurity requirements.

Refusal To Answer Test Question Bank

The relevant requirements are as follows:

• A test question bank must be built around questions that the model should refuse to answer:
• The bank of the test questions that the model refuses to answer must be comprehensive, with no less than 500 questions;
• The bank of test questions must be appropriately representative and cover the 17 safety risks identified in the Technical Document within Appendices A.1 and A.2, with at least 20 questions for each identified safety risk.

A test question bank should be built around questions that the model should not refuse to answer:

• The bank of test questions that the model should not refuse to answer should be comprehensive and not less than 500 questions;
• The bank of test questions that the model should not refuse to answer must be representative, covering aspects of China’s system, beliefs, image, culture, ethnicity, geography, history, and heroic martyrs, as well as relevant questions on gender, age, occupation, health, with no less than 20 instances of each type of test question;
• If some aspects mentioned above are not involved in a specialized model for a specific field, it is unnecessary to include test questions for those parts in the bank of questions that should not be refused. However, those parts should be reflected in the bank of test questions that should be refused.

The bank of test questions that should be refused must be updated at least once a month, in a timely manner according to the relevant cybersecurity requirements.

Classification Models

Classification models used for content filtering of the training corpus and for assessing the safety of generated content must cover all 31 safety risks identified in the Technical Document.

6. Safety Assessment Requirements

Assessment Methods

Assessment method requirements are as follows:

• The safety assessment arranged in-house per the requirements of the Technical Document can be carried out by the service provider themselves or via a third party;
• The safety assessment must cover the necessary provisions that have been specified in the document. Moreover, a separate assessment should be conducted for each provision, the results of which must be classified as “conforms”, “does not conform”, or “not applicable”:

If the result conforms, there should be sufficient supporting material for it. If the result does not conform, the reasons will be explained along with supplementary explanations in the following circumstances:

• Technical or management measures that are inconsistent with the requirements of the Technical Document but are able to achieve the same safety effect, along with a detailed explanation of their effectiveness.
• Technical or management measures taken that fail to satisfy the requirements and subsequent measures to be taken.

The reasons for non-applicability should be explained if the result is not applicable.

• The assessment results for each provision, as well as other necessary supporting documents, must be included in the assessment report:
  • The assessment report must comply with the requirements of the filing procedures;
  • During the writing of the assessment report, if the conclusions of the assessment report cannot be written down due to the report format, they can be added as attachments.
• An overall assessment conclusion must be included in the assessment report:
  • If the assessment results for all provisions are either conform or not applicable, the overall conclusion of the assessment will be that the requirements have been met;
  • If the assessment results for some of the provisions are “does not conform”, the overall assessment requirements will be partially met;
  • If non-conformity is found for all provisions, the overall assessment conclusion will be that none of the requirements were met;
  • The assessment results of the provisions in Chapters 5 to 8 of the Technical Document will not affect the overall assessment conclusion.
• If the safety assessment is carried out in-house, the assessment reports must have the signature of at least personnel in positions of responsibility:
  • The legal representative of the work unit;
  • The person in charge of conducting the safety assessment work;
  • The person in charge of ensuring the legality assessment of the safety assessment or the person in charge of legal affairs.

Corpus Safety Assessment

The following guidelines must be followed by service providers while performing a corpus safety assessment:

• The qualifying rate must be at least 96% through manual spot checks and random selection of at least 4,000 datasets from the whole training database.
• The sampling qualification rate must be at least 98% through the use of keywords, classification models, and other technical spot checks, as well as random sampling of at least 10% of the entire training dataset.
• The keyword library and classification model used for evaluation must meet the requirements laid down in Chapter 8 of the Technical Document.

Generated Content Safety Assessment

The requirements for service providers when assessing the safety of generated content are as follows:

• A generated content test question bank that meets the requirements in section 8.2 of the Technical Document will be construed;
• Using manual spot checks and random sampling with no less than 1000 test questions from the generated content test question bank, the sampling qualified rate of model-generated content must not be less than 90%;
• Using classification model-based spot checks and random sampling of at least 1000 test questions from the generated content test question bank, the sampling qualified rate of model-generated content must be at least 90%.

Assessment of Refusal to Answer Questions

The requirements for service providers when assessing question refusals are as follows:

• Refusal policy: Service providers must create a question refusal policy that complies with the requirements outlined in section 8.3 of the Technical Document.
• Refusal rate: Random sampling of no less than 300 test questions from the bank of test questions that the model should refuse to answer. The refusal rate of the model must not be less than 95%;
• Non-refusal rate: A random sampling of no less than 300 test questions from the bank of test questions that the model should not refuse to answer; the refusal rate of the model must not be more than 5%.

V. How Securiti Can Help

China has cemented its reputation as one of the global leaders in GenAI innovation.

At the same time, it has taken a highly proactive approach to regulating the use of GenAI services to ensure organizations can continue leveraging such tools to their maximum potential without posing significant privacy or other risks to their users.

Securiti is the pioneer of the Data Command Center, a centralized platform that enables the safe use of data and GenAI. It provides unified data intelligence, controls, and orchestration across hybrid multi-cloud environments. Large global enterprises rely on Securiti's Data Command Center for data security, privacy, governance, and compliance.

The Data Command Center is an enterprise solution based on a Data Command Center framework that allows organizations to optimize their oversight and compliance with China's extensive AI and data regulatory obligations seamlessly via a centralized dashboard through numerous integrated modules and solutions.

Request a demo today to learn more about how Securiti can help your organization comply with China's various AI and data-related regulations.