China: Data and evolving digital regulation: algorithm regulation

Latest Developments

On 1 November 2021, the Personal Information Protection Law (PIPL) came into effect. The PIPL has a specific provision for “automated decision-making”.

On 31 December 2021, the Cyberspace Administration of China (CAC) released the Administrative Provisions on Algorithm Recommendation of Internet Information Services (Algorithm Provisions). The Algorithm Provisions came into force on 1 March 2022 and apply to the provision of Internet information services by applying recommendation algorithm technology (Recommendation Algorithm-Based Services) within the territory of China. Recommendation algorithm technology refers to generation and synthesis technology, personalised pushing technology, ranking and selection technology, retrieval and filtering technology, and dispatching and decision-making technology.

The Algorithm Provisions mainly set out technical and policy requirements, assessment and content moderation obligations, ecosystem management, user right enhancement and transparency principles, ethical requirements, and filing regime applicable to large platforms. Non-compliance with the Algorithm Provisions may lead to warning, order for rectification, suspension of business in serious cases, and a fine of up to CNY 100,000.

On August 12, 2022, the CAC issued the Filing List of Domestic Internet Information Service Algorithms (August 2022) (Algorithm Filing List), publicising the names, uses, application products, record numbers and other information of 30 algorithms from 24 companies that have registered for algorithms. This important law enforcement action also plays an important role in the understanding and application of the Algorithm Provisions.

Notably, the CAC also formulated a dedicated regulation on deep synthesis technology, i.e., the Provisions on the Administration of Deep Synthesis of Internet Information Services (Deep Synthesis Provisions). The Deep Synthesis Provisions focus on the management of deep synthesis technology, which refers to any technology that uses deep learning, virtual reality, or any other generative and synthetic algorithm to produce text, images, audio, video, virtual scenes, or other network information.

On July 10, 2023, seven departments including the CAC jointly issued the Interim Measures for the Management of Generative Artificial Intelligence Services (Generative AI Measures), which aim to promote the development and ensure the security of this fast-growing area of technology. The Generative AI Measures come into force on August 15, 2023.

Summary

When developing algorithm products or services in China, enterprises should pay attention to the following:

Management measures

• Institutional and technical measures: According to Article 7 of the Algorithm Provisions, an algorithm-recommended service provider shall establish and improve management systems and technical measures for examination of algorithm mechanisms and mechanics, scientific and technological ethics review, user registration, examination of information releases, data security and personal information protection, combat against telecommunication network frauds, security assessment and monitoring, emergency response to security incidents, and the like, formulate and publicly disclose rules related to algorithm-recommended services, and assign professionals and technical support commensurate with the scale of algorithm-recommended services.
• Algorithm evaluation: According to Article 8 of the Algorithm Provisions, an algorithm-recommended service provider shall regularly review, assess, and verify algorithm mechanisms and mechanics, models, data, and application results, among others.
• User model and tag management: According to Article 10 of the Algorithm Provisions, an algorithm-recommended service provider shall improve the rules of points of interest recorded in user models and rules for the management of user tags, and shall not include illegal and negative information as keywords in a user’s points of interest or take it as user tags, on the basis of which information is pushed.
• Prevention of algorithm abuse: According to Article 6, 8, 14 and 15 of the Algorithm Provisions, analgorithm-recommended service provider shall not use algorithm-recommended services to engage in activities prohibited by laws and administrative regulations; shall not set up algorithm models which induce users to indulge or engage in overconsumption, or otherwise violate laws, regulations, or ethics; shall not use algorithms to falsely register accounts, illegally trade accounts, manipulate user accounts, or falsely send likes, comments, or reposts, or to block information, excessively make recommendations, manipulate lists or the ranking of search results, control trends or selections, or otherwise intervene in the presentation of information and perform acts that influence online public opinion or evade supervision and administration; shall not use algorithms to unreasonably restrict other Internet information service providers, or to obstruct or destroy the normal operation of Internet information services legally provided by them, and to exercise monopoly and unfair competition.

Content review

• Establish and improve algorithm review to identify illegal and bad information: According to Article 9 of the Algorithm Provisions, an algorithm-recommended service provider shall establish and improve feature library for identifying illegal and negative information, take measures (stop transmission, prevent proliferation, etc.) when identifying illegal and bad information, keep records and report to competent authorities.

User rights protection

• Improve the transparency of algorithms, formulate and publish rules related to algorithm recommendation services: According to Article 16 of the Algorithm Provisions, an algorithm-recommended service provider shall notify users in a conspicuous manner of its provision of algorithm-recommended services, and publish the basic principles, purposes, and main mechanics of algorithm.
• Ensuring fair trade: According to Article 7 of the Algorithm Provisions, an algorithm-recommended service provider shall not use algorithms to commit unreasonable differential treatment based on their preferences, transaction practices, and other characteristics.
• Protection of users’ personal information: According to Article 55 of the PIPL, those who use personal information to make automated decisions should: (a) conduct a Personal Information Protection Impact Assessment (PIPIA), take effective protection measures based on the assessment results, and record the processing activities; (b) conduct PIPIAs on a regular basis (at least once a year) during use of an algorithm, and improve protection measures based on the assessment results; (c) provide a complaint channel for the results of automatic decision-making, and support manual review of results. Individuals have the right to request an explanation of decisions made by automated decision-making methods that have a significant impact on personal rights, and have the right to refuse decisions made only by automated decision-making.
• Guaranteeing complaint channels: According to Article 22 of the Algorithm Provisions, an algorithm-recommended service provider shall set up convenient and effective portals for user complaints and public complaints and reports, specify handling processes and time limit for feedback, and give feedback on the results of handling such complaints and reports in a timely manner.

Special protection for particular groups

• Protection of minors: According to Article 18 of the Algorithm Provisions, an algorithm-recommended service provider shall neither push to minors’ information which may cause them to imitate unsafe acts or those contrary to social ethics, induce them to develop bad habits, or otherwise affect their physical and mental health nor use algorithm-recommended services to induce them to indulge online.
• Protection of the elderly: According to Article 19 of the Algorithm Provisions, an algorithm-recommended service provider shall monitor, identify, and dispose of information related to telecommunications network frauds in accordance with the law, and facilitate their safe use of algorithm-recommended services.
• Protection of workers: According to Article 20 of the Algorithm Provisions, an algorithm-recommended service provider which provides workers with job scheduling services shall protect workers’ lawful rights and interests in obtaining remuneration of labour, rest, and vacation, among others, and establish and improve platform order distribution, composition and payment of remuneration, working hours, rewards and punishments, and other related algorithms.

Algorithm filing and security assessments

• According to Article 24 and 27 of the Algorithm Provisions, an algorithm-recommended service provider with public opinion attributes or social mobilisation capabilities shall submit its information on the Internet Information Service Algorithm Filing System within ten working days of the date of providing services, and conduct security assessments in accordance with the relevant provisions.
• According to the filing results shown in the Algorithm Filing List, algorithm services with public opinion attributes or social mobilisation capabilities include not only APPs for e-commerce, life, news, information, videos, search engines, social networking, and office, websites, but also the APP for dispatching orders for takeaway riders, the browser APP and the smart TV APP. According to our understanding, the scope of “algorithm services with public opinion attributes or social mobilisation capabilities” is relatively broad. Thus, any platforms that provide users with interactive and information services through the Internet are likely to be subject to algorithm filing and security assessments.
• In addition, according to the filing results shown in the Algorithm Filing List, the scope of “the recommendation algorithms technology” is also broad. As we mentioned above, the recommendation algorithms technology refers to generation and synthesis technology, personalised pushing technology, ranking and selection technology, retrieval and filtering technology, and dispatching and decision-making technology. In the Algorithm Filing List, speech- to-text algorithms are classified as the generation and synthesis technology, and algorithms that only predict the delivery time of orders without actually making decisions are classified as dispatching and decision- making technology. Therefore, it is likely that more types of algorithm-based services will be subject to the Algorithm Provisions in the future.

When using generative AI technology to provide services to the public within the territory of China, companies should pay attention to the following:

Content Management

The Generative AI Measures require service providers to be responsible for the content generated by the generative AI, including ensuring that the content is:

1. In line with the laws, regulations, political structure, moral values and social and economic orders in China;
2. Is not discriminatory; and
3. Is accurate and truthful.

Where non-compliant content is generated, service providers must prevent the generation of such content, and stop the transmission, or optimize the training model, and report to the competent authorities.

Service providers are required to mark to the public, the relevant content generated by AI in a conspicuous manner.

Disclosure and Transparency

The Generative AI Measures mandate that service providers should, upon the authorities’ request, furnish necessary information that may affect the trust and choice of the end users, such as a description of the source, scale, types and quality of the dataset, rules and types of manual labeling, the basic algorithm and the technology stack.

In addition, service providers must make public the targeted group of users, scenarios and purposes of the generative AI services.

AI Training

The Generative AI Measures have set out specific compliance requirements for training the Generative AI model. These include:

1. Lawful Datasets: Service providers will be responsible for the legality of the source of data used for training Generative AI, including ensuring that the data does not infringe intellectual property rights, complies with cybersecurity and personal information protection laws and is accurate, truthful, objective and diverse. The services providers should use data and underlying models with legitimate sources. If the data contains personal information, the personal information shall not be used for training the generative AI model unless it is expressly allowed by the laws or administrative regulations in China, or the personal information subject has consented to such processing.
2. Manual Labeling: Service providers must formulate clear, specific and operative labeling rules, train the labelers and verify the accuracy of the labeling by random checks.
3. Non-discrimination: When designing an algorithm, selecting a training dataset, generating and optimizing models and providing services, services providers must take measures to prevent discriminatory content from being generated based on race, ethnicity, religious belief, nation, region, gender, age, occupation or health.

Security Assessment, Filing and Ethics Review

The Generative AI Measures require that if the generative AI services have public opinion attributes or the capacity for social mobilization, before providing such generative AI services to the public. The service providers should apply for a government security assessment and a filing of algorithm - both of which are supervised and coordinated by the CAC. The CAC also adopts the same requirements for recommendation algorithms.

Although ethics are not expressly discussed in the Generative AI Measures, the government also intends to strengthen ethical reviews of technologies. In an official opinion issued by the central government in 2022 (Opinions on Strengthening the Governance of Scientific and Technological Ethics), AI is one of the three key areas where the government will focus on formulating laws, regulations, standards and guidance. Under the recent Measures for Review of Scientific and Technological Ethics (for Trial Implementation), technologies involving data and algorithms should be reviewed for their security, fairness, transparency, reliability, and trustworthiness.

Protection of Rights

Service providers are required to compete fairly and to respect the rights of others, including not infringing their rights to portrait, reputation, privacy, personal information, and commercial secrets. In particular, the Generative AI Measures require service providers to protect users’ input information and usage records, collect and retain personal information in accordance with the principles of minimization and necessity, establish mechanisms for handling complaints and requests to promptly respond to individuals’ requests for correcting, deleting, or masking their personal information.

Administrative License and Foreign Investment

The Generative AI Measures provide that services providers should obtain an administrative license where applicable. There is currently no administrative license specifically for generative AI. Service providers can pay attention to the internet content provider license/record, public security Internet record, as well as the online culture operation license, online publishing service license and information network transmission audio-visual program license, etc., if applicable.

How could it be relevant for you?

Companies that provide algorithm recommendation services within China should comply with the legal obligations under the Algorithm Provisions, including but not limited to establishing and improving algorithm management systems and technical measures, disclosing the relevant rules for algorithm- recommendation services, optimising algorithm models to present the information that corresponds to mainstream value orientation, and safeguarding users’ rights to be informed, to opt-out, to delete personal characteristics and to not be subject to “differentiated treatment.” Additionally, providers of algorithm recommendation services with an attribute of public opinion or social mobilisation capability shall complete algorithm self-assessment and file their algorithms with the authority.

Next steps

At present, the Chinese government’s overall approach to algorithm regulation is to give priority to content management to supervise algorithms, taking into account other fields and scenarios, and emphasising the protection of the rights and interests of special groups.

At the same time, according to the current law enforcement trends and policy documents, the focus of work in the next few years will be on: (1) monitoring algorithm security risks; (2) conducting algorithm security assessments; (3) advancing algorithm filing.

*Information is accurate up to 27 November 2023