China – Measures for the Management of Generative Artificial Intelligence Services
De ontwerpregels zijn van toepassing op het onderzoek, de ontwikkeling en het gebruik van producten met generatieve AI-functies en op de verlening van diensten aan Chinese burgers. De regels moeten inspelen op de snelle opkomst van bestaande generatieve AI-toepassingen zoals ChatGPT van OpenAI (verboden in China) en de verschillende aangekondigde modellen van Baidu, Tencent, Alibaba en anderen. Deze regels voegen een nieuw hoofdstuk toe aan de recente Chinese regelgeving inzake AI. In januari werden nieuwe regels voor deep synthesis-technologieën van kracht en vorig jaar nog werd wetgeving over recommender-algoritmen ingevoerd.
Volledige samenvatting - zie ENG-versie
What: Legislative proposal
Impact score: 2
For who: policymakers, regulators, businesses, researchers
Key Takeaways for Flanders
- The government imposes burdensome data governance requirements on providers of generative AI (pre-training and optimisation training). Most likely, the primary impact of these regulations will be that Chinese organizations will face difficulty compiling the massive datasets necessary to keep up with their global rivals.
- Relevant in the context of the Belgian news surrounding the Eliza chatbot is the fact that the government is also pushing strongly on end-user protection. For example, generative AI providers must provide measures that protect the user from over-reliance and addiction
Translations of the draft rules:
While previous regulations set by the Cyberspace Administration of China (CAC) were primarily concerned with harmful outcomes that posed a threat to national security, the latest draft regulation takes it a step further. It requires models to be both accurate and truthful, aligned with a specific perspective (reflect Socialist Core Values), and refrain from discriminatory practices based on factors such as race, religion, and gender. Moreover, the document introduces explicit limitations on how these models should be developed, which requires addressing challenges in AI such as hallucination, alignment, and bias that currently do not have reliable solutions.
Nevertheless, the Chinese government wants to promote the development of native innovation with generative AI and aims for widespread implementation. It is also open to global collaboration in foundational technologies, including AI algorithms and frameworks. Additionally, it advocates for the utilization of reliable and secure software, tools, computing resources, and data.
Article 4 of the document contains five core requirements to which the provision of generative AI products or services must conform:
- Comply with the Chinese government's vision
This clause stipulates that content created by generative AI must reflect the fundamental principles of socialism and not pose a risk to societal stability. The ‘Core Socialist Values’ is a propaganda effort that centres on promoting civic responsibilities and ethical behaviour, and this initiative has now become deeply ingrained in both Chinese society and its legal framework.
- Prevention of discrimination
- Protection of Intellectual Property (IP) Rights
The draft rules state that providers are responsible for ensuring that their AI training data does not include content that infringes on copyright. However, the phrasing of the rule is vague and leaves many questions unanswered. It does not specify what uses of training material by AI tools are considered an infringement. The draft rules further hold that IP rights must not be violated in the provision of generative AI services, meaning that the generated content must also not violate IP rights.
Any AI-generated content should be factual and precise in its depiction of events, individuals or situations. To achieve this,
providers have an obligation to implement safeguards against generating misleading information and verifying the authenticity of
- Privacy and data protection
The draft rules also determine that individuals or companies that use generative AI to provide services or provide access to generative AI via APIs have accountability for all issues, including those that stem from decisions made by the client company, such as app design or user behaviour limitations (Article 5). The responsibility for generating misinformation using the technology lies with the provider, not with the user who believes it.
Providers have to submit a security self-assessment
to the State Cyberspace and Information Department and get approval before the deployment of the technology. Further, procedures of algorithm filing, modification, and cancellation of filing must be carried out.
Research & Development
The document contains broad and demanding requirements for data governance (Article 7). Data used for training and optimization must be obtained by legal means and must:
- Comply with the Cybersecurity Law of China and other related regulations
- Avoid any intellectual property rights infringement
- Obtain the consent of individuals whose personal information is included in the data or follow relevant legal procedures
- Ensure the authenticity/veracity, accuracy, objectivity, and diversity of the data
- Adhere to other supervision requirements from the state cybersecurity and informatization department regarding generative AI functions and services.
The rules contain no further details, are demanding and can create a lot of uncertainty for Chinese organisations. For example, the fact that training data must be objective decimates a lot of pretraining data.
Protection of end users
Generative AI service providers are required to request accurate identification information from end users (Article 9) and adopt measures to prevent users from excessive reliance and addiction to the services (Article 10). They should also disclose information that could influence users' decisions, such as a "description of the source, scale, type, quality, and other details of pre-training and optimized-training data, rules for manual labelling, the scale and types of manually-labelled data, as well as fundamental algorithms and technical systems." (Article 17)
In terms of data security, providers must safeguard user activity logs and data that the user has submitted. User profiling and sharing of information of end users to third parties is prohibited (Article 11).
Finally, providers should foresee mechanisms for end users to report a provider and develop a system to deal with user complaints (Article 18-19).
In case providers don’t comply with the short, but comprehensive, list of requirements, they face not only the suspension of their services but also fines and potential criminal liability.