Due to the complexity of China’s regulatory environment, the business community is showing strong interest not only in the fast development of the Artificial Intelligence (AI) industry in China, but also in the potential legal implications of the application of AI in the course of its business involving China.

Recent discussions have focused on the Interim Measures for the Administration of Generative Artificial Intelligence Services on July 10, 2023 (Measures), which were jointly promulgated by seven powerful national-level ministries led by the Cyberspace Administration of China (CAC), and that take effect as of August 15, 2023. The Measures have been described by the media as a landmark step by China to regulate AI. However, it is worth taking a deep dive into what exactly the legal implications and relevance of these Measures are for international companies. 

China’s approach

To better interpret what the Measures will mean for business, it is helpful to first understand the Chinese government’s stance on AI. There is no doubt that China is a major player in this field. China already has a leading position in certain fields, which in turn results in many AI-based technologies such as speech synthesis, interaction interface, speech evaluation, exam paper marking and customized information push service being classified as export restricted. Behind this is a very ambitious plan of the country to become a major AI power in the world, as reflected in the earlier Next Generation Artificial Intelligence Development Plan published by the State Council on July 20, 2017, which provides a three-step roadmap. The very first step by 2020 is to catch up with global development while making AI a driver of economic growth. The second step (by 2025) is to achieve a major breakthrough while making AI a major driver of industrial and economic upgrading. The third step (by 2030) is to play a leading role in the world and become a major AI innovation center of the world. Compared with the ambition on the business side, the policy tone on the regulatory side appears comparatively more moderate. The goals for the same three steps were set out as “building up good ethical norms and regulatory frameworks in certain areas by 2020, establishing a preliminary legal, ethical and policy framework for AI regulation by 2025, and further improving the legal, ethical and policy framework for AI regulation by 2030”.

The same tone can be read in the Measures. Article 3 of the Measures stresses that equal attention shall be paid to development and security, while innovation promotion and lawful regulation shall be combined to encourage the innovative development of generative AI through effective measures. The initial part of any Chinese laws and regulations will usually refer to higher-level laws and regulations, including the policy basis or tone, which may reveal more meaning behind the scenes and should not be overlooked. The same “encouragement and promotion” tone is repeated under Articles 5 and 6 of the same Measures, where certain specific business goals are also mentioned. The limited content of the Measures, i.e. only 24 articles, which regulate only generative AI, and the existence of the previous Provisions on the Administration of Deep Synthesis Internet Information Services (effective on January 10, 2023), which have some overlap with the Measures, seem to indicate that instead of taking a comprehensive approach, China is taking a more fragmented and vertical approach to the issue of AI governance and regulation. 

Scope of application

A first reading of the Measures gives the impression that they may not be that relevant to traditional business, particularly those serving corporate customers like manufacturing. Instead, the Measures seem to be aimed more at technology companies that provide solutions to the public, i.e. serving individual customers.

Article 2 of the Measures stipulates that only those who provide generative AI services to the public in the PRC shall be subject to the Measures. The same article explicitly excludes industrial organizations, enterprises, educational and scientific research institutions, public cultural institutions, relevant professional institutions, etc. that conduct research and development work by applying generative AI technology, but do not provide generative AI services to the public in the PRC. 

However, confusion arises when Article 4 of the same Measures outlines the general principles for not only the offering of, but also the use of generative AI technologies. These general principles bear the same meaning as addressed under the EU AI Act, as well as other general AI governance principles applicable throughout the world. In addition to general requirements to follow laws and regulations and to respect public morals and ethics, generative AI service providers and users are subject to (among others) the following obligations:

• Non-discrimination: Taking effective measures to prevent discrimination on the basis of ethnicity, faith, country, region, gender, age, occupation, health and other aspects in the design of algorithms, selection of training data, creation and optimization of models, and provision of services. 
• Fair competition: Respecting intellectual property rights and business ethics, keeping trade secrets confidential, and not taking advantage of algorithms, data, platforms, etc., to create monopolies and/or conduct unfair competition.
• Rights of others: Respecting the legitimate rights and interests of others, and not endangering the physical and mental health of others, nor infringing upon others’ right of portrait, reputation, honor, privacy and personal information.
• Transparency and trust: Based on the features of the service concerned, taking effective measures to enhance the transparency of the generated AI services and improve the accuracy and reliability of the generated content.

The above might result in a potential conflict with the exclusion under Article 2 of the Measures, which could, for example, expose research and development activities using AI solutions to potential regulatory risks under PRC laws, even if such activities are not meant to become services offered to the public in China. It also remains unclear whether the application can be further extended to an overseas AI solution that is not directly targeting the Chinese market, but is used to create another product serving the Chinese market. Irrespective of any inconsistencies or open questions on the scope of the Measures, it is reasonable to expect that the application of the Measures will likely be interpreted in a broad rather than a narrow sense. 

Content and data

Generative AI is data-rich and will generate substantial content. In China’s regulatory environment, this will create two aspects of risk, in particular, for companies deploying AI technologies.

The first one comes from the strict content control requirement, as can be seen in many other Chinese laws and regulations. Article 4 of the Measures repeats the same principle that generative AI service providers – as well as users – shall not jeopardize national security and state interests (among many other requirements). Particularly, they shall not generate content that incites political tension, e.g., subversion of state power, overthrow of the socialist system, tarnishing the country’s image, inciting division of the country, undermining national unity and social stability, or promoting terrorism, extremism, ethnic hatred, ethnic discrimination, violence, obscenity and pornography. In case of any illegal content, a service provider shall take timely measures to stop the generation and transmission of the content, delete the respective content, correct it by optimizing the training of models, and report it to the competent authorities. It shall have a good service agreement with the users, which includes the right to stop the services and report the case to the regulators if it discovers any illegal activities of the users.

The second regulatory risk is closely related to the recently fast-growing data protection regime of the PRC, which has already brought quite a regulatory burden for international companies, particularly those that need to manage global data flows and aggregation. In this aspect, the Measures tend to point to an AI service provider whose AI training activities shall be conducted in accordance with laws and follow the requirements below:

• Use data and base models where the sources are legitimate.
• Not infringe upon the IP rights of others relating to the concerned data.
• Obtain the consent of the data subjects when personal information is involved, unless there is a sound legal reason not to do so.
• Take effective measures to improve the quality of training data and to enhance the authenticity, accuracy, objectivity and diversity of training data.
• Comply with other statutory requirements, e.g., the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law (PIPL), as well as other regulatory requirements.

Article 9 of the Measures stipulates that a service provider will be deemed as a personal information handler (akin to a controller under EU law) under the PIPL. A service provider is further required to protect the information uploaded by a data subject, including her/his use record, to minimize the data collection, to retain the data in a legally allowed way, and not to illegally share personal data with others. Any request by a data subject for review, copying, correction, supplement, or deletion shall also be respected and satisfied.

In short, generative AI is subject to existing privacy and data protection legal frameworks such as the PIPL, which means that a good and transparent data governance structure is highly recommended to ensure compliance in this aspect. 

Key considerations

Different from the EU AI Act, where the concept is solution/product-based, i.e. “what”, and a risk classification system is introduced, the Measures focus more on the question of “who” (service providers and users), while the same risk classification approach is only mentioned in a very general way without details and practical guidance. A strong “do and learn” feature can be seen under the Measures. For those conducting traditional businesses, e.g., German manufacturing industry, we see the Measures as a positive indication rather than a real hurdle. The Measures – if read together with other policy papers – do not appear to be more restrictive towards the use of AI technologies, as many regulatory requirements are already present under the existing legal framework (data protection and IP protection regime). Irrespective of certain confusion, the explicit limitation of the scope of application to service providers, as well as many clauses stressing the encouragement of “innovation” and “development”, rather indicate the beginning of a race by China to create an environment that is ultimately favorable to more AI services and products. Instead of worrying about the existing regulatory hurdles, which are already known anyway, companies and institutions should focus their energy on how to further explore and benefit from this sizeable market with great potential. 

This article was originally published in the German Chamber’s business magazine – the Ticker Fall 2023 edition.