On July 10, 2023, the Cyberspace Administration of China (the “CAC”) and seven other departments jointly released the Provisional Measures for the Administration of Generative Artificial Intelligence Services (the “GAI Measures”), which will take effect on August 15, 2023. Previously, the CAC had published the draft version for public comment on April 11, 2023. The forthcoming GAI Measures delete several highly controversial provisions from the draft version, such as real-name registration of users and the prohibition of drawing user portraits. The GAI Measures are the first regulatory document on generative artificial intelligence (the “GAI”) in China, showing the authority’s prudent while open-minded attitude toward this cutting-edge technology.
The GAI Measures, together with the Administrative Provisions on Algorithm Recommendation for Internet Information Services (effective on March 1, 2022) and the Administrative Provisions on Deep Synthesis of Internet-based Information Services (effective on January 10, 2023), form the basic regulations in the field of AI and algorithm in China before the introduction of the forthcoming Law of Artificial Intelligence (the Law of Artificial Intelligence has been included in the State Council’s Legislative Work Plan for 2023).
1. Application scope of the GAI Measures
The GAI Measures target the GAI services provided to the domestic public. Furthermore, it expressly excludes its application to research and development and use of GAI technologies by entities such as scientific and educational institutions, and services provided to domestic non-public sectors and overseas.
This means that, for example, the GAI Measures will apply to an overseas artificial intelligence (AI) developer who licenses its Application Programming Interface (API) to a domestic company that further provides the relevant AI services to domestic customers (such as overseas ChatGPT embedded in a domestic Application). The GAI Measures will not apply to GAI services provided for enterprises’ internal management and operation.
2. Supervision rules of GAI: supervision according to different categories or risk levels
The GAI Measures set forth that in view of the characteristics of GAI technologies and their application of services in relevant industries and fields, corresponding supervision rules or guidelines as per different categories or risk levels should be formulated.
The GAI Measures do not contain specific provisions concerning such supervision rules. However, it is expected that the specific provisions will be further stipulated in the forthcoming Law of AI or other supporting regulations. It is very likely that the level ranking would be similar to that in the AI Act promulgated by the European Union, in which obligations for AI technologies’ providers and users were provided depending on the level of risk from AI (there are four levels, i.e., unacceptable risk, high risk, limited risk, and low and minimal risk).
3. Obligations of GAI service providers in the development stage
4. Obligations and responsibilities of GAI services provider in the service performance stage
1. Undertaking its responsibilities as a producer of network information content and performing the obligations of network information security.
2. Concluding a service agreement with its users, specifying both parties’ rights and obligations.
3. Specifying and disclosing the applicable users, scenarios and purposes of its services, guiding its users to rationally understand and lawfully use GAI services, and adopting effective measures to prevent underage users from over-relying on or addicting to GAI services.
4. Protecting the input information and usage records of its users, especially those relating to users’ personal information, and not providing such information and records to others.
5. When finding out illegal content or illegal activities, carrying out corresponding measures such as optimizing training models, limiting the use by the targeted user, and reporting such content or activities to the authority.
6. Establishing a sound complaint and whistleblowing mechanism.
5. Supervision by the authority
The GAI Measures require that security assessment and algorithm filing should be conducted when GAI services with opinion attributes or social mobilization capabilities are provided. With reference to the Provisions on the Security Assessment of Internet-based Information Services with Attribute of Public Opinions or Capable of Social Mobilization, GAI providing information services such as microblogs, chat rooms, communication groups, public accounts, short videos, online streaming, information sharing, and mini-programs, etc. is likely to fall within the scope of such requirements of assessment and filing. Although the GAI Measures do not require all the GAI service providers to conduct such assessment and filing, in practice, it has been observed that most Application stores require Application operators to submit algorithm security assessment reports and filing records for approval prior to launch on the Application stores.
Meanwhile, GAI service providers are required to cooperate with the competent authorities when they supervise and inspect the GAI services, including explaining the source, scale, type, annotation rules, and algorithm mechanism of training data, and providing necessary technical and digital support and assistance.
As for overseas GAI services, even though they are not directly under the supervision of the Chinese authorities, overseas service providers should still pay attention to their compliance obligations when cooperating with Chinese operators through embedded integration technologies or APIs, especially when data transfer or sharing is involved. Failure to do so may result in the termination of service performance as required by the authorities as well as joint and server liabilities with the Chinese operators.
