Generative AI: the Measures of the Cyberspace Administration of China

Generative Artificial Intelligence Services (in Chinese: 生成式人工智能服务管理暂行办法, the “Measures”) came into effect. The Measures were issued by the Cyberspace Administration of China (“CAC”), the Chinese authority in charge for the supervision and regulation of the internet, personal data protection, and antitrust matters. The main objective of the Measures is to establish operational rules aimed at regulating the development and the increasingly rapid use of generative artificial intelligence systems .

The Measures were formulated taking into account the provisions of the “3 pillars” of China’s data security and protection regulations: the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law.

The content of the Measures

The Measures apply to developers and providers of generative artificial intelligence systems that generate texts, images, audio, video, and other content for individuals living in the People’s Republic of China (e.g., Ernie, Baidu’s chatbot comparable to ChatGPT, which also generates images – like Dall-E and Midjourney – and videos).

On the other hand, companies, as well as public entities and research institutions that develop and use generative artificial intelligence services and technologies but do not provide them to individuals residing in the PRC, are not subject to the Measures.

The regulation provides that entities falling within the scope of the Measures must:

• implement appropriate measures to prevent discrimination based on ethnicity, religious beliefs, nationality, region, gender, age, employment status, and health condition in the algorithm development process, selection of training data, model generation and optimization, and service supply;

• respect intellectual property rights, business ethical standards, maintain trade secrets, and not use algorithms, data, platforms, and other tools to create a monopoly or engage in acts of unfair competition;

• respect the rights and interests of individuals, avoiding harm their physical and mental health;

• comply with personal data protection rights;

• on the basis of the type of service, implement adopt effective measures to improve the transparency of generative artificial intelligence systems and enhance the accuracy and reliability of generated content;

• enter into terms and conditions with users  for the use of such systems, specifying the rights and obligations of both parties;

• in order to protect children, prevent minors from abusing generative artificial intelligence systems (on this regard, the CAC has also published guidelines aimed at strengthening the protection of minors online);

• label content created by generative artificial intelligence systems in accordance with the Regulations on Administration of Deep Synthesis of Internet Information Services;

• embed mechanisms to protect information submitted by users;

• in a data minimization perspective, collect only the necessary personal data;

• do not store any input information that could identify users.

The Measures also specify that providers of generative artificial intelligence systems must carry out training data processing activities, such as pre-training and training optimization, observing the following provisions:

• use data and foundation model originating from lawful sources;

• do not infringe the intellectual property rights of other parties;

• where personal data of data subject is used, obtain their prior consent;

• implement appropriate technical measures to improve the quality of training data and improve the authenticity, accuracy, objectivity, and diversity of training data;

• comply with further applicable regulations, such as the Personal Information Protection Law.

Furthermore, during the data labeling process , providers of generative artificial intelligence systems must formulate clear, specific, and operational labeling rules that meet the requirements outlined in the Measures, as well as assess the quality of data labeling and conduct sample verification of the accuracy of labeled content.

Regarding personal data, providers of generative artificial intelligence systems, when these systems handle personal data, are considered data processors.

In the event of requests for erasure, modification, and copy of personal data by the data subjects, providers of generative artificial intelligence systems must process the request in a timely manner, also providing a complaint and reporting mechanism.


China’s recent initiatives not only represent a pivotal milestone in the country’s legislative process, but in fact precede many other countries, making Chinese legislation not only as a benchmark for a future more systematic and comprehensive regulatory framework: it is also representing a significant shift in the global legislative landscape regarding artificial intelligence.

The Chinese lawmaker has clearly shown its determination to be a leader in regulating this technology, while also opening the field to possible significant impacts on future global economic and technological development.

Considering the speed at which China is moving, it is hoped that other countries (and first and foremost the European Union) will soon establish appropriate regulations that can ensure competitive dynamics in the global market.