A Comprehensive Guide to AIGC Compliance Risks for Enterprises Going Abroad (Part 2)

The previous article primarily discussed AIGC regulatory legislation in major countries and regions (China, the US, the EU), along with an interpretation of the compliance points in China’s “AIGC Security Requirements.” This article focuses on the compliance risks Chinese enterprises face when taking their AIGC business abroad and offers suggestions on how enterprises can conduct compliance management.

Table of Contents

A Comprehensive Guide to AIGC Compliance Risks for Enterprises Going Abroad (Part 1)

1. Risk-Oriented: AIGC Legislation in Major Global Regions

2. Focus: China’s “AIGC Security Requirements”

3. Not Just Data: Other Compliance Risks Faced by AIGC

A Comprehensive Guide to AIGC Compliance Risks for Enterprises Going Abroad (Part 2)

4. Key Focus: Compliance Risks of AIGC Business Going Abroad

(1) Beware of the “Borrowing Flowers to Present to Buddha” Risk: Overseas GP Interfaces

(2) Intellectual Property Compliance Risks: Pay Attention to the Use of Open Source Algorithms/Models

(3) Risks of Cross-Border Data Transmission

(4) Export Control Risks: Chips, Computing Power, AI Technology

5. Prepare in Advance: Suggestions for Implementing AIGC Compliance Work

(1) Conduct Risk Assessment and Self-Evaluation

(2) Compliance in the Research and Development Phase

(3) Compliance in the Deployment Phase

(4) Post-Event Assurance and Supervision

4. Key Focus: Compliance Risks of AIGC Business Going Abroad

AIGC is becoming a key factor in shaking up the economy and markets. According to the “2023 Future of Jobs Report” released by the World Economic Forum, global enterprises are expected to create approximately 69 million new jobs in the next five years. The fastest-growing job types are mostly driven by artificial intelligence and digitalization, leading to a large number of emerging industries and innovative AI companies.
As a major component of the global AIGC market, China also possesses strong technological support and a vast application market. It is predicted that by 2030, China’s AIGC market size will reach trillions. In the face of such a strong industrial development trend, enterprises need to pay more attention to the compliance risks of future business going abroad. We outline the main compliance risks of AIGC going abroad as follows:

(1) Beware of the “Borrowing Flowers to Present to Buddha” Risk: Overseas GP Interfaces

AIGC applications often require overseas ports to operate smoothly and demonstrate higher performance. Some enterprises call on foreign GP interfaces or simply package foreign ports and provide services internally, which may involve cross-border data and domestic regulatory policies, thus potentially facing the risk of products or services being removed by the Cyberspace Administration.
More seriously, for example, if the cross-border data transmitted includes internal executives and trade secrets of the enterprise, and these pieces of information are obtained by foreign personnel or organizations through overseas interfaces, it may endanger the personal safety of internal executives or lead to the company being sued for patent infringement, even jeopardizing the company’s survival. Sensitive data, such as massive biomedicine or human genetic data, or even high-speed rail scheduling information or general national intelligence, may escalate to national security risks.

(2) Intellectual Property Compliance Risks: Pay Attention to the Use of Open Source Algorithms/Models

Regarding intellectual property, AIGC’s working principle is to utilize its unique language model for computer-based interactions. Taking ChatGPT-4 as an example, its powerful communication capability is realized through numerous copies running on different hardware, which learn independently of each other while simultaneously learning different content and then communicating to produce content.
Therefore, during the initial data learning phase, AIGC may utilize content that involves others’ copyrights, which requires obtaining permission from the copyright holder. However, AIGC itself lacks the ability to identify infringing content, and the scope of involved content is too broad and complex. In cases of illegal copying, adaptation, or dissemination of other copyright-protected content, it may fall into the dilemma of intellectual property infringement. Thus, it is essential to pay special attention to and comply with relevant intellectual property laws and regulations, so that generated voice content does not infringe on others’ intellectual property rights (such as copyrights, patents, and trademarks) and voice synthesis services remain legal and compliant.
Additionally, the use of open-source algorithms or models is currently prevalent, and enterprises need to establish a compliance review mechanism for open-source software and licenses to identify and address the intellectual property clause risks associated with the use of open-source algorithms or models. According to the “end-to-end” open-source license compliance review measures proposed by the Linux Foundation, the following steps should be specifically included:


*Source: Linux Foundation

(3) Risks of Cross-Border Data Transmission
Currently, any process and link in enterprise operations is accompanied by a large amount of data transmission. China’s “Cybersecurity Law,” “Data Security Law,” and “Personal Information Protection Law” have regulations regarding cross-border data issues. In the latest “Regulations on Promoting and Regulating Cross-Border Data Flow,” to reduce the compliance burden on enterprises and achieve a certain degree of free data flow, data processors are only required to apply for approval in special circumstances.
(For detailed content, please refer to the team’s research article “Trade Research | Data Export 2.0: A Detailed Explanation of the Judgment Formula for Data Export Paths”)
However, other enterprises still need to conduct a security assessment and weigh factors such as the industry sector of foreign-invested enterprises, whether it involves important data, the scale and sensitivity of cross-border data, and how much personal information is involved. From their own compliance perspective, enterprises should also conduct self-assessments in advance regarding the above matters to ensure the compliance of cross-border data transmission.

(4) Export Control Risks: Chips, Computing Power, AI Technology

In key technology fields such as chip manufacturing, policy adjustments by the US, as a technology leader, often have far-reaching impacts on the global supply chain and are significant for guiding the strategic decisions of enterprises in related industries.
Since 2021, the US government has closely monitored the use of artificial intelligence in military applications. In November 2021, the US Department of Defense released an annual report mentioning the relevant situations of using AI technology in the cyber domain and stated that it would continue to follow up on these technologies’ applications in network monitoring, early warning, and defense.
In September 2022, the US government informed NVIDIA and AMD and restricted their sales of advanced process chips to China. According to the US government’s requirements, NVIDIA must obtain export licenses for selling its A100 and H100 GPU chips to China (including Hong Kong), and all future-developed advanced computing chips with peak performance and inter-chip I/O performance greater than or equal to A100 thresholds, including systems containing the above chips, fall under the restrictions.

In light of the above situation, ICT enterprises involved in AI, cloud computing, IoT, autonomous driving technology, data processing, and gaming must strengthen monitoring of their supply chains and assess whether the high-performance chips they require are affected by the new semiconductor regulations. If the new regulations significantly impact these enterprises’ purchases of GPU chips, they should evaluate the scope, quantity, and profitability of potentially affected projects and consider adopting domestic alternatives as soon as possible. For enterprises whose supply chains involve consumer-grade semiconductors with AI functionality, it is advisable to assess whether the “Notification-Based Advanced Computing” (NAC) licensing exception may apply. Furthermore, even if an enterprise’s supply chain does not currently involve strictly export-controlled items classified under 3A090, it should closely monitor whether its items may be classified under other ECCNs newly added by the semiconductor regulations and understand the corresponding export licensing requirements.

(For detailed content, please refer to the team’s research article “Trade Research | Analysis of the Impact of the Latest US Semiconductor Regulations on the Industry”)

5. Prepare in Advance: Suggestions for Implementing AIGC Compliance Work

(1) Conduct Risk Assessment and Self-Evaluation

The construction of the AIGC compliance work system should start with risk assessment and evaluation of the company’s AIGC, comprehensively grasping the company’s business needs and development plans, while sorting out risk items and assessing risk levels, forming a risk assessment report.
This report, as the beginning of compliance work, should cover all AIGC-related elements as much as possible:

1. From a Process Perspective, it should cover all aspects from product business operation and launch to privacy policy settings, permission applications, and evaluations of processing results;

2. From a Content Perspective, attention should be paid to personal information protection clauses, third-party data processing clauses, and the specific content of the platform;

3. From a Functional Perspective, attention should be paid to the division of responsibilities for entrusted processing and joint processing, and the professional departments or personnel responsible for network security assurance, directly addressing sensitive issues and identifying risks.

(2) Compliance in the Research and Development Phase

In terms of compliance management standards, due to the large and diverse internal and external systems of each company, the compliance management work of AI systems or data throughout their lifecycle is also quite challenging.

In the research and development phase, focus should be placed on the legality of the source of training data and the guarantee of quality:

1. Compliance Obligation Checklist: For legal sources, enterprises should improve their compliance obligation checklist, paying attention to intellectual property and personal information compliance requirements. Set compliance review points and embed compliance requirements into the generative AI system development process;

2. Data Annotation: For quality assurance, clear, specific, and actionable data annotation rules should be developed;

3. Data Quality: Conduct data annotation quality assessments and sample verification of the accuracy of annotated content;

4. Compliance Training: Conduct compliance training for data annotators to enhance their compliance awareness and capabilities;

5. Process Record Keeping: Maintain records of obligations fulfilled, documenting compliance content that has been adhered to, ensuring that the recorded content is complete, authentic, and accurate;

6. Protection of User Rights: Service agreements need to be formulated and signed with users, clarifying the rights and obligations of both parties. If product usage involves processing users’ personal information, this stage should also assess the target audience, scope, and the minimum necessity of processing personal information, establishing a path and mechanism for users to exercise their personal information rights.

(3) Compliance in the Deployment Phase

1. Content Labeling: In the deployment phase, content generated or edited by deep synthesis services should be labeled according to the “Regulations on the Management of Deep Synthesis of Internet Information Services.” For content generated or edited using deep synthesis services, technical measures should be taken to add labels that do not affect user experience. For services that may lead to public confusion or misrecognition, significant labeling should be placed in reasonable locations or areas of the generated or edited content to inform the public of the deep synthesis situation;

2. Algorithm Evaluation and Filing: For AIGC products and services with public opinion attributes or social mobilization capabilities, safety assessments should be carried out in accordance with national regulations, and the procedures for filing, changing filings, and cancelling filings should be completed. Information such as the service provider name, service format, application field, algorithm type, algorithm self-assessment report, and proposed public content should be reported through the Internet Information Service Algorithm Filing System within ten working days from the start of service.


*Illustration: Internet Information Service Algorithm Filing System Platform (https://beian.cac.gov.cn/#/index)

(4) Post-Event Assurance and Supervision

1. Monitoring Usage Activities: Enterprises need to establish compliance risk monitoring mechanisms for controlling user behaviors;

2. Handling Illegal Content: For any illegal content discovered, timely measures should be taken to stop its generation, stop its transmission, and eliminate it; model optimization training should be conducted for rectification; and the matter should be reported to relevant authorities. For users who engage in illegal activities using generative AI services, appropriate measures such as warnings, functionality restrictions, or suspension or termination of services should be taken according to laws and agreements, with relevant records preserved and reports made to relevant authorities;

3. Establishing Complaint and Reporting Mechanisms: Enterprises need to establish corresponding mechanisms, improve complaint and reporting systems, set up convenient complaint and reporting channels, publicize processing procedures and feedback timelines, and promptly handle public complaints and reports, providing feedback on processing results.

Conclusion

With the winds rising and the skies wide, the situation changes repeatedly. Stepping onto new peaks to open up new skies, we raise our sails to stand at the forefront of the tide. AIGC, as a major breakthrough in future industry development, carries the development direction and destiny of an enterprise, an industry, and even a country. We hope for global mutual prosperity and to work together to create a thriving AIGC era. However, under the influence of geopolitical factors, the risks associated with enterprises “going out,” especially in emerging technologies and advanced algorithms/chips, remain a shadow that enterprises need to focus on. Amidst the national drive to develop “new quality productivity,” enterprises should leverage compliance to promote development, create value through compliance, and establish effective compliance risk identification and control mechanisms. We are also willing to walk alongside those with aspirations to explore more beneficial topics related to AIGC and enterprise compliance governance.
