The regulation of AI in China and the risk for foreign business

In China, there are two regulations that already regulate AI.  These are the Provisions on Administration of Algorithmic Recommendation in Internet Information Services  《互联网信息服务算法推荐管理规定》(AI Regulation 1) and the Provisions on Administration of Deep Synthesis in Internet Information Services《互联网信息服务深度合成管理规定》 (AI Regulation 2).  

AI Regulation 1 deals with algorithms for information generation and synthesis.  It requires that information generated by algorithms must be prominently marked and no online news provider may generate fake news (which is very broadly defined).

AI Regulation 2 deals with requirements on those who engage in “deep synthesis” (commonly referred to in UK media as ‘deep fake’) for generating content such as copy-writing and facial image generation/manipulation.  Those engaging in such activities need to specifically state in a prominent position where content has been artificially synthesized and whether or not they think it matters.  There are also requirements to establish management rules regarding user registration and even scientific and technological ethics.  They need to review information released, data security, protection of personal information and policies on response to fraud and emergencies.  Lastly, there is a requirement to manage data training technology.

This year, like legislators in many other countries, China’s law-makers were encouraged by the emergence of Chat GTP, to speed up legislation intended to meet the challenge posed by AI.  On 11 April, the Cyberspace Administration of China中华人民共和国互联网信息办公室 (CAC) issued draft measures on this subject, entitled Measures for Administration of Generative Artificial Intelligence Services (Draft for Comment) 《生成式人工智能服务管理办法（征求意见稿）》.  The new measures require any AI services used in China to meet the requirements of various existing laws and regulations.  They also need to meet “social mores, public order and good customs.”

The draft measures also provide that the government will supervise AI by applying pursuant to three basic People’s Republic of China (PRC) laws that were all promulgated in the last six years.  These are the Cyber Security Law《网络安全法》, the Data Security Law 《数据安全法》and the Personal Information Protection Law《个人信息保护法》.  These laws should not be viewed simply as China’s version of GDPR because they restrict general information circulation, not just personal privacy. Ultimately, they place more emphasis on nationally-protected information such as state secrets, important economic information, and many other categories that are restricted for circulation by the Chinese government – especially the transmission of such information overseas.

We discussed these laws in detail last year, HERE. In summary: any company with a subsidiary or a counterparty in China needs to have a basic understanding of China’s rules on information control.   The PRC Cybersecurity Law lays the general tone for Chinese cyberspace, while building a compliance framework for cyberspace.  The PRC Data Security Law deals particularly with the protection of “important data” and “national core data”, which is much broader than a typical British or American idea of what is important or of national significance.  And the PRC Personal Information Protection Law focuses on the refinement of personal information processing criteria and protection.

In conclusion, foreign enterprises that engage in AI should guard against the risks presented by China’s AI, cybersecurity and data protection legal systems. The risk of non-compliance in China involves potential criminal as well as civil sanction.