Cyberspace Administration of China (CAC), the main data regulator in China, formally regulated the business of artificial intelligence-generated content (AIGC) services on July 13, 2023. The regulation is titled Interim Administrative Measures on the AIGC Services (Measures). The Measures will come into force on August 15, 2023.
CAC released a draft version of the Measures for public comments in April. Compared to the April draft, the effective version of the Measures appeared to be more friendly to business.
For multinational companies, the following terms of the Measures are more important than others.
Definition of the AIGC and the regulated entities
The Measures defines AIGC as “models and related technologies that generate text, images, audio, video, or other content.”
The Measures apply to all entities and individuals who provide AIGC services to the public. It specified that a programmable interface constitutes the provision of AIGC service. As such, third-party API developers in the ecosystem of an existing large language model (e.g., GPT-4) will fall into the coverage of the Measures.
Interestingly, the Measures have excluded universities and scientific research institutions from its coverage, provided that they do not provide AIGC service to users located in the territory of China.
Basic principles in providing AIGC services:
The Measures uphold certain universal norms, such as:
– non-discrimination: AIGC programs shall not be biased on race, ethnicity, beliefs, nationality, region, gender, age, etc.
– protecting intellectual property and trade secrets, and
– respecting other lawful rights and interests – AIGC services shall not be used to harm users’ mental health and dignity.
Protection of personal data
The Measures have reiterated the requirement of protecting personal information under the PRC Personal Information Protection Law (PIPL). In particular, an AIGC service provider shall:
– obtain consent from data subjects before collecting their personal information, except as permitted by law;
– comply with the data minimization requirement, i.e., ensure the scope of data processing is limited to the minimum scope necessary for achieving the purpose of processing and shall not be excessive; and
– respond to data subjects’ requests timely for accessing, copying, correcting, modifying, or deleting personal data.
Protection of minors
According to the Measures, AIGC service providers must disclose the specific usage and services associated with their AIGC functions. They are required to educate minors to use the AIGC responsibly and legally.
Further, AIGC service providers shall implement preventive measures to mitigate the risk of minors being over-reliant or addicted to the AIGC services.
Where data labeling is performed during the research and development of AIGC technology, providers shall formulate clear, specific, and operable labeling rules. They must also establish a training program for the staff who perform the data labeling work.
Those found violating the Measures may face suspension/termination of business and other punishments by referring to applicable regulations.
* * * * *
Author: Donnie Hao DONG is a partner of Hylands Law Firm heading its practice of data and the internet industry. A Certified Information Privacy Manager (IAPP/CIPM), and an Adjunct Professor at the University of Hong Kong’s Academy of Senior Executives, he regularly advises MNCs, unicorns, and start-ups on cross-border intellectual property, data privacy, related investment, and contentious matters.