In January 2022, China released two regulations (one in draft form) that touch on hot topics in technological development – algorithmic recommendations and deep synthesis – making it one of the first countries in the world to directly tackle these cutting edge areas.  In this post, we provide an overview of the draft Provisions on the Management of Deep Synthesis in Internet Information Service and the Provisions on the Management of Algorithmic Recommendations for Internet Information Services, and briefly compare the latter to the European Union’s approach to algorithmic recommendations under the GDPR.

In an address to the Politburo in October 2021, President Xi Jinping made clear that the robust growth of China’s digital economy is key to China’s national strategy. While stating that technological breakthroughs will promote China’s competitiveness, President Xi also warned that China’s digital economy displayed  “unhealthy and unregulated symptoms” that threatened its healthy development. These two new regulations track with the vision that President Xi set out: to both promote technological innovations and to ensure that regulations are in place to steer such developments in the interest of the country.

Background on two new regulations

On January 4, 2022, the Cyberspace Administration of China (“CAC”), Ministry of Industry and Information Technology (“MIIT”), Ministry of Public Security (“MPS”), and State Administration for Market Regulation (“SAMR”) released the Provisions on the Management of Algorithmic Recommendations for Internet Information Services (“Algorithm Provisions”).[i] A prior version of the Algorithm Provisions was issued for public comments on August 27, 2021, and the Algorithm Provisions will take effect on March 1, 2022.

Then, on January 28, 2022, the CAC released the draft Provisions on the Management of Deep Synthesis in Internet Information Service (“Draft Deep Synthesis Provisions”).[ii]  The CAC is accepting comments on this draft until February 28, 2022.

Substantive rules regulating new technologies

The table below shows how the Chinese regulators plan to regulate these new technologies. Note that the obligations imposed on service providers address concerns both on the data privacy side and on the content management side.

Algorithmic Recommendations

Deep Synthesis

Purpose Aim to prevent the abuse and misuse of algorithmic recommendation technologies when providing Internet information services within the territory of China, while protecting the legitimate interests and rights of users. Aim to regulate activities that use deep synthesis technologies to provide Internet information services, as well as activities that provide technical support to deep synthesis services carried out in the territory of China, while protecting the legitimate interests and rights of users.
Scope of technologies regulated
  • Algorithmic recommendation technologies” are algorithms that are generative or synthetic, for the purposes of providing personalized recommendations, ranking and selecting, filtering searches, or dispatching and decision-making. (Article 2)
  • No definition is provided for “Internet information service.” However, this term is defined by the draft updated version of Measures on Managing Internet Information Service, released in January 2021, as “Internet information posting and application platforms, providing Internet services including but not limited to: Internet news information service, search engine, instant message, interactive information service, online broadcast, online payment, advertisement and marketing, online storage, online shopping, online appointment, and application download.”
  • Deep synthesis technologies” are technologies that utilize algorithms, such as deep learning and virtual reality, to synthesize or generate text, photo, audio, video, or virtual scenes.  Such technologies include, but are not limited to:
    • auto-generation of articles or Q&As;
    • text to audio conversion;
    • music synthesis;
    • deep fake pictures or video;
    • inpainting; and
    • 3-D reconstruction. (Article 2)

 

  • Deep synthesis services” is the application of deep synthesis technology to provide internet information services.

 

Entities regulated
  • Algorithmic recommendation service providers” (“Service Providers”) are entities that develop algorithms and use such algorithms to run their Internet information services.
  • The Algorithm Provisions do not expressly reference entities that develop algorithm technologies but then sell, license, or otherwise provide their technologies to third party entities, who in turn operate Internet information services. It remains to be seen whether the Chinese government will apply the Algorithm Provisions to, or otherwise address, algorithm technology providers, as well as whether parties will be able to allocate rights and obligations through contractual arrangements for the use of algorithmic recommendation technologies when providing Internet information services.

 

 

  • Deep synthesis service providers” are organizations that provide deep synthesis services as well as those that provide technical support to deep synthesis services.
  • Deep synthesis service users” are organizations and individuals that use deep synthesis services to produce, copy, publish and disseminate information. (Article 2)
  • Internet application store service providers (see “Additional Obligations”)
Obligations on Service Providers
  • Content Management. Identify and prevent the distribution of illegal information (Article 9) and promote information that confirms to mainstream value orientations (Article 11)

 

  • Content Management. Review the synthesized information and establish a database to identify illegal or adverse information.  If the deep synthesis service providers find that the users produce, copy, publish or disseminate fraudulent information, take measures immediately and report to CAC and other regulators (Article 17)

 

  • Tagging/Labeling. Manage User Profiling and Labeling, without using harmful information as keyword tags (Article 10)
  • Provide users with an option to receive services without using users’ profile, or an option to opt-out from the algorithm recommendation service (Article 17)
  • Provide users with channel to choose or delete the labels that are used to provide algorithm recommendation services (Article 17)
  • Tagging/Labeling. Add tags on information generated from using deep synthesis technologies, including voice simulation, intelligent conversation or writing that simulate the style of a real person, and face image synthesis, face manipulation, or deep fakes (Article 13)
  • Transparency. Establish an Algorithm Review Mechanism (Article 8), and make the algorithmic recommendation service related rules transparent and straightforward (Articles 12, 16, 17). Provide users with the way to opt-out and delete (Article 17) and with convenient means to complain (Article 22)

 

  • Transparency.  Obtain separate consent from individual subjects if the service has functions that can make major edits on the biometric information – such as the face or voice (Article 12)
  • Stipulate rules, standards, and procedures for identifying illegal or adverse information, as well as take measures to penalize users that use deep synthesis technologies to generate illegal or adverse information (Article 10)
  • Authenticate the real identities of deep synthesis service users and do not allow users to publish information if such an user fails to authenticate his or her real identity (Article 9)
  • Data Security and Personal Information Protection. Establish internal management mechanisms and rules and retain network logs (Article 28). Adopt technical measures in order to safeguard data security and cybersecurity, protecting personal information, as well as preventing fraudulent activities (Article 7)
  • Data Security and Personal Information Protection. Set up and improve the management mechanisms for algorithm review, user registration, data security, minor protection, personal information protection, and training for employees. (Article 7)
  • Ensure that data are processed in a legal and justified way, while safeguarding data security (Article 12)
  • Comply with requirements on personal information protection and should not process personal information illegally
  • Fair Practice. Not use the algorithm for unfair competition (Article 15), and not use the algorithm to falsely register users, illegally trade accounts, for false likes or comments, or to manipulate search rankings or carry out acts of influencing online public opinion (Article 14)
 
Additional Obligations The Algorithm Provisions also impose specific requirements on Service Providers that engage in certain types of services or target certain groups of individuals. These include:
  • News Services Providers (Article 13)
  • Services Targeting Minors (Article 18)
  • Services Targeting Elders (Article 19)
  • Mobility-as-a-Service (“MaaS”) Service Providers (Article 20)
  • E-Commerce Services Providers (Article 21)
  • Service Providers with an Attribute of Public Opinion or Social Mobilization Capability (Articles 24, 27)
The Draft Provisions require online app store operators to fulfill certain security management obligations on applications operated by deep synthesis service providers, including:
  • Verifying the security assessment and applications of deep synthesis security providers.
  • Taking measures – such as prohibiting mobile applications from launching or removing mobile applications from the app store – immediately if service providers violate laws and regulations. (Article 16)

 

 

How Do the Algorithmic Recommendations Provisions Differ from the Position in the EU?

While Chinese regulators have taken the first steps to regulate new technologies, other regulators around the world are certainly experimenting with approaches to addressing the concerns related to the deployment of artificial intelligence and other new technologies. For example, at present, the EU does not have any comprehensive rules that govern algorithmic recommendation services. However, in addition to general requirements imposed by the EU’s General Data Protection Regulation (“GDPR”), companies using algorithmic recommendation systems on online platforms that enable third-party businesses to offer goods and services directly to consumers, or on search engines, may also be subject to the EU’s Platform-to-Business Regulation (Regulation (EU) 2019/1150), whether those systems use personal data or not. Among other things, this Regulation requires platform operators to explain to business users the main parameters that determine the ranking of products, services and results (Article 6). Additionally, in the future, the proposed Digital Services Act is likely to impose broader transparency obligations on “very large online platforms” that use “recommender systems”, which may capture certain algorithmic recommendation services.

 

*                           *                           *

The Covington team will continue to track and report on the implementation of these developments.

[i] 《互联网信息服务算法推荐管理规定》(the official Chinese version is available here).

[ii] 《互联网信息服务深度合成管理规定(征求意见稿)》(the official Chinese version is available here).

Photo of Yan Luo Yan Luo

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the…

Yan Luo advises clients on a broad range of regulatory matters in connection with data privacy and cybersecurity, antitrust and competition, as well as international trade laws in the United States, EU, and China.

Yan has significant experience assisting multinational companies navigating the rapidly-evolving Chinese cybersecurity and data privacy rules. Her work includes high-stakes compliance advice on strategic issues such as data localization and cross border data transfer, as well as data protection advice in the context of strategic transactions. She also advises leading Chinese technology companies on global data governance issues and on compliance matters in major jurisdictions such as the European Union and the United States.

Yan regularly contributes to the development of data privacy and cybersecurity rules and standards in China. She chairs Covington’s membership in two working groups of China’s National Information Security Standardization Technical Committee (“TC260”), and serves as an expert in China’s standard-setting group for Artificial Intelligence and Ethics.

Yan is named as Global Data Review’s40 under 40” in 2018 and is frequently quoted by leading media outlets including the Wall Street Journal and the Financial Times.

Prior to joining the firm, Yan completed an internship with the Office of International Affairs of the U.S. Federal Trade Commission in Washington, DC. Her experiences in Brussels include representing major Chinese companies in trade, competition and public procurement matters before the European Commission and national authorities in EU Member States.

Yan is a Certified Information Privacy Professional (CIPP/Asia) by the International Association of Privacy Professionals and an active member of the American Bar Association’s Section of Antitrust Law.

Photo of Irina Danescu Irina Danescu

Irina Danescu is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Committee on Foreign Investment in the United States (“CFIUS”) Practice Groups.

Irina advises clients on a broad range of cybersecurity, data…

Irina Danescu is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and the Committee on Foreign Investment in the United States (“CFIUS”) Practice Groups.

Irina advises clients on a broad range of cybersecurity, data privacy, and national security issues. She has assisted clients with understanding and complying with cybersecurity and privacy obligations, conducting internal investigations and due diligence, and preparing submissions to CFIUS and other regulatory agencies.