China's proposed regulations cover and regulate all generative AI services open to users based in mainland China.

The proposed regulations focus on the cybersecurity and data privacy risks of generative AI services.

If enacted, new regulatory requirements will be imposed on generative AI providers and the underlying datasets.

With OpenAI's introduction of ChatGPT into the market, generative artificial intelligence (generative AI) has dominated the headlines across the globe. Many technology companies have followed suit and released their generative AI tools and services. Generative AI is widely expected to empower and change business models across industries and has immediately improved efficiency in many sectors. Pillsbury has been closely monitoring and advising our clients on these fast-changing AI technologies. (See our website at Artificial Intelligence (AI) Law | Pillsbury Law.)

The emergence of generative AI also brings new market opportunities to China. Leading China-based tech giants have released or plan to release their own self-developed generative AI services. Experts expect that many of them will be trained on China-specific datasets or Chinese-language datasets. Integrated chip manufacturing, cloud computing, data storage, dataset providers and other sectors along the supply chain for generative AI services may see a business boom in coming years.

The recent popularity of generative AI also alarms users and regulators who are concerned about the potential risks, including potential data breach risks, copyright infringement risks, disinformation risks, etc. These concerns were reflected in the Italian regulator's decision to temporarily block the popular AI tool ChatGPT due to alleged breaches of the EU's General Data Protection Regulation on March 30, 2023.

On April 11, 2023, China's main cybersecurity and data privacy regulator, the Cyberspace Administration of China (CAC), issued its draft Administrative Measures on Generative Artificial Intelligence Service (Draft Generative AI Regulations) for public comment. The public comment period will end on May 10, 2023.

The 21-article draft cites, in its first article, the key legal bases for the draft regulations, which include the PRC Cybersecurity Law, Data Protection Law and Personal Information Protection Law. The current text of the draft regulations also shows a strong inclination towards regulating generative AI from a cybersecurity perspective.

Scope of Application

The Draft Generative AI Regulations, if enacted, will regulate the activities of those providing services to public users within mainland China through research, development and use of generative AI products. This means that generative AI developed and/or based outside of mainland China and accessible to users in mainland China will also be subject to the Draft Generative AI Regulations.

Under the draft regulations, generative AI is broadly defined as technologies that generate text, pictures, audio, video, code and other content using algorithms, models and rules.

The draft regulations do not classify generative AI services into categories or impose differentiated regulatory requirements on services with different risk levels.

The Draft Generative AI Regulations apply to the organizations and individuals that use generative AI products to provide chat and text, image, sound generation and other services, including those who support others to generate text, image, sound, etc. (the Providers). The Providers shall bear the responsibilities of content producers for the content generated by the generative AI product; if personal information is involved in the services, the service Provider shall bear the statutory responsibility of the personal information processor and fulfill the obligation of personal information protection.

Basic Requirements for Generative AI

The Draft Generative AI Regulations reiterate the legal requirements under the existing laws and regulations, especially those relating to cybersecurity and personal information protection.

Among others, the Providers of the generative AI products and services must fulfill the following requirements:

  • Adopt measures to avoid discrimination based on races, ethnicities, religions, nationalities, geographic regions, sex, age, occupation, etc.;
  • Respect the intellectual property rights of others and avoid using algorithms, data and platforms to conduct unfair competition;
  • Adopt measures to ensure the authenticity of the generated information and avoid generating disinformation;
  • Protect input information and user history. Providers are prohibited from illegally retaining any input information that may reveal the user's identity, profiling users (making "portraits") based on their input information and usage, and providing any user input information to others;
  • Clearly state the scope of users, occasions and usage for its services, and adopt sufficient measures to avoid addiction;
  • If requested by the CAC, provide necessary information that impacts the trust and selection of the users, such as the dataset's sources, size, nature and quality, labeling rules, size and nature of the labeled dataset, basic algorithms and technical systems, etc.;
  • Suspend or stop providing services if the services are used in a way that violates commercial or social ethics, such as engaging in online hype, malicious posting and commenting, creating spam emails, writing malicious software, and implementing improper commercial marketing.

Requirements on Training Dataset

Providers of generative AI products must be responsible for the legitimacy of the datasets for pre-training and optimization training. The dataset must:

  • Comply with the requirements of the Cybersecurity Law and other laws and regulations of China;
  • Exclude any content that infringes on the intellectual property rights of others;
  • Have the data subjects' consent (if it includes any personal information); and
  • Ensure the authenticity, accuracy, objectivity and diversity of data.

When labeling data, generative AI Providers shall formulate clear, detailed and operable labeling rules, provide sufficient training to their staff, and verify the accuracy of labeling content through sampling.

Rights of Users

Generative AI Providers must establish reporting systems through which users' individual requests to modify, delete and block relevant personal information are processed. In case of any identified infringement of portrait rights, reputation rights, personal privacy and business secrets of others, the Providers must stop generating such information. If any generated content violates the Draft Generative AI Regulations, the Providers must, within three months, optimize the AI model to prevent such content from being regenerated.

Legal Liability

Any violation of the Draft Generative AI Regulations will be penalized in accordance with the Cybersecurity Law, Data Protection Law and Personal Information Protection Law and other existing laws and regulations. In case there is no clear provision on the penalty, CAC and other applicable regulators may issue a warning, order corrections within a certain period of time, order suspension or termination of the services, and impose a fine of RMB 10,000 to 100,000 (approximately USD 1,470 to 14,700).
