China Compass, Summer 2024

Embracing the new era of AI regulation: Interim Measures for the Management of Generative AI Services

  • Newsletter
  • 10 minute read
  • 28 Jun 2024

With the rising significance of rapidly advancing AI technology, which heavily relies on data and algorithms, countries worldwide have been consistently improving their regulations on the application of AI technology.

China’s relevant regulators have also taken swift action. On July 13, 2023, the Cyberspace Administration of China (CAC) jointly with six departments issued the Interim Measures for the Management of Generative Artificial Intelligence Services (“Interim Measures”), which officially came into effect on August 15, 2023. As the first regulatory document on Generative AI (GenAI) in China, the Interim Measures provide a policy framework in China for the rapid development of GenAI technology.

In line with the provisions of higher-level laws, such as the Cybersecurity Law, the Data Security Law, the Personal Information Protection Law, and the Law of the People’s Republic of China on Science and Technology Progress, the Interim Measures are subject to multiple regulations by different regulators. The Interim Measures are consistent with the existing data and cybersecurity compliance system, both at the legislative and law enforcement levels, and their implementation marks the start of China’s systematic AI governance. As more specialized legislation and implementation rules on AI are introduced, the systematic governance framework for GenAI will gradually take shape in the future.

Interpretation of the highlights of the Interim Measures

1. Application scope

The Interim Measures specifically apply to “the provision of services that use generative AI technology to the domestic public in the People’s Republic of China with generated text, images, audio, video, and other content.”

Definition of “domestic public”
The Interim Measures apply to services for the domestic public in China, while the provision of services for the public outside the country does not fall within their scope of application. In addition, with respect to “public,” the Interim Measures clarify that GenAI services do not need to comply with the relevant provisions of the Interim Measures if they are limited to certain persons or for internal use, such as research, development, and application of GenAI services within a company.

Identification of “provision”
The provision of relevant services by GenAI service providers (“service providers”), either directly or through API interfaces, large language models outside China, or otherwise, must comply with the relevant provisions of the Interim Measures. In addition, if a company’s use of offshore technology to provide services involves outbound data transfer, it must comply with China’s outbound data transfer requirements.

2. Compliance obligations of relevant entities

The entire process of GenAI system development and application and model optimization involves many entities such as GenAI service developers (“developers”), service providers, and service users. 
The Interim Measures specify that service providers shall mainly perform the following obligations:

Content compliance
Service providers must take the necessary steps to ensure that the content they provide is legally compliant. They must regularly monitor and promptly deal with illegal and harmful information. They must also provide users with instructions on how to use their services and take additional and effective measures to protect minors from excessive reliance on or addiction to their services.

Data processing and labeling obligations
Service providers must use data and underlying models from legal sources, with a focus on improving the quality of training data and enhancing the authenticity, accuracy, objectivity, and diversity of such data. They must also implement data labeling rules and improve the accuracy of labeled data by conducting quality assessments and providing staff training.

Privacy data compliance obligations
Service providers must protect the relevant rights of the owners of the information they use. For example, if they need to use personal information for GenAI training, they must obtain permission from the owners of such information in advance. They must also take measures to safeguard information owners’ rights and assess the risks to which the information is exposed.

Security assessment and algorithm filing obligations
If the services they provide possess attributes related to public opinion or social mobilization capabilities, the service providers must assess the security of their services and comply with administrative procedures such as algorithm filing. In accordance with relevant laws and administrative regulations, service providers involved in news, social media, live streaming, educational, and chat services are more likely to be subject to security assessments and algorithm filing obligations.

The Interim Measures specify that developers and service users must meet the following obligations:
When developing and using GenAI products and services, developers and service users are not permitted to produce, copy, or disseminate information that may jeopardize national interests, public interests, and the legitimate rights and interests of others. They may not disseminate information on pornography, violence, sedition, incitement, vulgarity, and other harmful information.

3. Compliance requirements for intellectual property and unfair competition

GenAI technology is based on the mining and training of mass data, including images, audio, and documents. Most of such data is not original but collected from content providers or web crawlers. As a result, it is subject to laws and regulations related to intellectual property and unfair competition.

Compliance risk alerts for different market entities when using GenAI

As developers are heavily involved in the development and optimization of GenAI models, they are primarily exposed to the following compliance risks:

Data crawling risk
Developers typically use web crawlers to collect data for model training. Improper data crawling can cause damage to other IT systems and result in criminal penalties. It can also cause unfair competition by harming the interests of website providers, leading to civil damages, administrative fines, and other legal penalties.

Data security risks
Since data may be shared with third parties such as suppliers and service providers, data may be accessed and stolen by unauthorized attackers during the data sharing process. The lack of necessary data security measures can lead to data security risks such as data leakage and theft of user data.

Risk of division of rights and obligations between partners
Although service providers are regarded as the primary entity held accountable under the Interim Measures, they need support and assistance from developers to fulfill their obligations, such as managing and labeling data. If the rights and obligations of the partners are not clearly defined in the cooperation, they will not be able to react quickly, which will further increase their respective risks.

As the entities shouldering the primary responsibility under the Interim Measures, service providers have more compliance obligations than other entities. In particular:

Content control risks
Service providers shall manage content, deal with illegal information, manage user activities, and respond to intellectual property rights infringements and unfair competition. If a service provider fails to properly control its content, resulting in its products infringing public interests and the legitimate rights of others, the service provider will bear primary responsibility and assume the relevant civil, administrative, and criminal liabilities caused by the content infringement.

Data security risk
Service providers should ensure legitimate sources of data and models, improve the authenticity, accuracy, objectivity, and diversity of training data, and fulfill compliance obligations such as data labeling. Improper handling of training data not only affects product function and service quality but also poses the risk of data leakage in the event of a malicious attack.

Compliance risk in the processing of personal information
Service providers may use the GenAI model to directly or indirectly process personal information. Such personal information processing activities are subject to compliance requirements related to personal information protection. Failure to meet the related obligations will result in warnings, confiscation of illegal gains, orders to suspend or terminate the provision of services, and other administrative penalties.

Users are mainly involved in the utilization and optimization of the GenAI model. As the technology matures, an increasing number of companies will access the GenAI technology as users and may share trade secrets or other sensitive data (e.g., sensitive personal information of employees). If such information is used for model training without proper protection measures, sensitive data may be compromised, resulting in a direct loss of property and damage to the reputation of users and companies.

GenAI application and service compliance recommendations and responses 

GenAI models involve various entities such as data providers, developers, service providers, and users in their development, use, and optimization. Each entity is exposed to different compliance risks. Therefore, we suggest that enterprises take the following actions to effectively manage these risks:

Efforts should be made to ensure that data sources are legitimate as the development and use of the GenAI model may involve the collection and processing of personal information or other important data. Even if the training data acquired by the service providers come from open channels such as the Internet, the inappropriate use of technical methods such as crawlers to collect training data should be avoided. In addition, given the unpredictability of the GenAI technology and the risk of data leakage due to improper use, data leakage prevention should be strengthened.

Service providers whose services possess attributes related to public opinion or social mobilization capabilities should comply with the administrative procedures of security assessment and filing in accordance with the law. Due to the absence of unified and clear standards for “generative AI services which possess attributes related to public opinion or social mobilization capabilities” in legislation or law enforcement practices, enterprises should stay updated and informed about legal developments and determine whether they need to carry out the assessment and filing procedures based on their specific business operations.

Services to domestic users by domestic service providers via offshore API interfaces and the direct provision of services to the domestic public by overseas developers may entail outbound data transfer that could potentially trigger relevant regulations. Service providers should understand the data flows, identify the cross-border data scenarios, fulfill the assessment and declaration and contract filing obligations under relevant regulations, and conduct outbound data transfers in accordance with the relevant law.

Enterprises should conduct security assessments of AI models, including network security assessments and content security assessments. Network security assessments are conducted to detect security vulnerabilities in AI applications and plug-ins by means of penetration testing and other security testing methods, and to promptly address these vulnerabilities and prevent cyber-attacks and data leakage. Content security assessment focuses on detecting whether the model generates harmful, biased, infringing, or false content, and further identifies security issues in the training dataset, model, security module, or secondary development call interface.

In view of the complexity of AI application scenarios, it is essential to provide training for teams and personnel involved with AI technology. AI workers should improve their knowledge and risk awareness, use AI technology properly and legally, and avoid triggering regulatory risks, as human bias and discrimination can affect the reliability, transparency, interpretability, fairness, and privacy of AI models.

Conclusion

As the new wave of AI creation driven by GenAI technology has arrived, there are increasingly stringent regulatory requirements for AI. To meet the compliance needs of various market participants, PwC teams have been actively engaged in areas such as global data security and privacy compliance, cross-border data compliance, content and algorithm governance, intellectual property rights protection, unfair competition and trade secret protection, and protection of users’ rights and interests. We are committed to working with enterprises to address GenAI compliance risks.

Further, as China is in the process of drafting a separate law for AI (“AI Law”) and the EU approved its AI Act in May 2024, China may speed up the legislation process. Chinese legislators are also likely to consider and benchmark against their EU counterpart when they finalize the AI Law. At PwC China, we will be monitoring the legislation process closely and keeping readers up to date on the progress of the legislation.

Further information

According to the Regulation on Security Assessment of Internet Information Services Having Public-Opinion Attributes or Social Mobilization Effects, internet information services having public-opinion attributes or social mobilization effects include: (1) BBS, blogs, micro-blogs, chat rooms, chat groups, public accounts, short videos, live video streaming, information sharing, applets and other information services or corresponding functions; and (2) other internet information services allowing the public to voice their opinions or capable of mobilizing the public to engage in certain activities.

The above article has been published in a longer version in Chinese and can be accessed here.


Chun Yin Cheung

Chun Yin Cheung is a partner in PwC Risk Assurance practice based in Shanghai with over 23 years of experience, including five years in Hong Kong. He is the lead partner of PwC China’s Responsible AI (“RAI”) services. He is also the lead partner of PwC’s Central China Cybersecurity and Privacy services and specializes in IT regulatory compliance, cross-border data transfer (“CBDT”) issues and technology risk consulting. He has led a series of PIPL assessment and SCC filing advisory engagements, which include clients from the retail, pharmaceutical and manufacturing sectors.

Tel: +86 21 2323 3927


Contact us

Marc Tedder

Partner, PwC China Business Group Leader & Chairman PwC European China Business Group, PwC China

Tel: +86 10 6533-8882

Katja Banik

Editorial management, PwC Germany

Tel: +49 151 1426-2429
