In 2024, the China's digital economy and AI are growing fast. This has raised concerns about data security, AI regulation, and personal information protection. In response, China has stepped up data compliance and AI standards. It did this through new laws and technical standards. This article reviews key developments in data compliance and AI regulation in 2024, and we will outlines future compliance priorities for the readers.
Part I: 2024 Legislative Developments in Data Compliance
In 2023, China made new laws to boost digital economy compliance. It made big strides in cross-border data flows and the use of data.
Focus 1: The Emerging Blueprint for Cross-Border Data Compliance
In 2023, China set rules on cross-border data transfer. They created a "three-path" compliance framework: a security assessment, standard contract filing, and personal information protection certification. In March 2024, the Cyberspace Administration of China ("CAC") announced the Provisions on Promoting and Regulating Cross-Border Data Flow. These eased the workload on firms for cross-border data transfers. They also changed the basic rules for data compliance.
In this context, local legislation has been actively evolving, showing a rapidly developing trend:
The Lin-gang Special Area then released whitelists in six fields: biomedicine, intelligent connected vehicles, public funds, reinsurance, shipping, and securities. Those lists clarify data that can flow freely and the important data that require special attention.
Legislative efforts in various regions are shaping cross-border compliance. They center on the Provisions on Promoting and Regulating Cross-Border Data Flow. Also, the China-EU data flow exchange mechanism was established. The China-Germany Data Cross-Border Flow Cooperation MOU was signed. China applied to join the CPTPP. These actions show its desire for seamless cross-border data transmission.
Focus 2: The Launch of the Regulation on Network Data Security Management
On August 30, 2024, after three years of debate, the Regulation on Network Data Security Management (the "Network Data Regulation") was adopted. It will take effect on January 1, 2025. The Network Data Regulation has been revised several times since the draft for public comments. It is now a major change from that draft.
The Network Data Regulation simplifies concepts and processes. It eases the burden on businesses and encourages innovation. For example, it defines "network data" and "important data." It removes the annual audit for large platforms and important data processors. It replaces the cybersecurity review with a national security review, among other things. In addition:
Also, the Network Data Regulation has refined the duties of network data processors. It introduced a penalty system: "no penalty for the first offense" and "no penalty for minor violations." This shows a tolerant, cautious regulatory approach.
The Network Data Regulation, a key admin rule, follows the Cybersecurity Law, Data Security Law, and Personal Information Protection Law. Its enactment refines China's data protection and platform governance laws. It also provides clearer compliance guidelines for companies.
Focus 3: The Gradual Implementation and Refinement of the Personal Information Protection Law
Since the Personal Information Protection Law passed, key compliance sections have been clarified. This has created a strong legal framework for protecting personal information. In 2024, legislators focused more on defining compliance actions. They aimed to refine the personal information protection system.
In summary, the 2024 laws have implemented the framework of the Personal Information Protection Law. They offer better protection for personal information and align with China's commitments in this area.
Focus 4: The Continued Exploration of Data Utilization
In 2024, there is much focus on data use. It is being explored at the policy level.
The "Twenty Data Measures" clarify the direction for developing data. They propose basic systems for data rights, circulation, benefits, and governance. The process of translating the Twenty Data Measures into law has been slow. This is especially true for the three-rights system. It needs further legal clarification on its operational mechanisms. Data rights are mainly protected by anti-unfair competition, intellectual property, and contract laws. Lack of data rights legislation will lead to much uncertainty. This affects the interpretation and application of data rights in practice.
On September 21, 2024, the Opinions on Accelerating the Development and Utilization of Public Data Resources was issued. It aimed to boost the use of public data in the data element market and support the economy. However, there are uncertainties in these opinions. They mainly concern the definition of "public data." Public data serves the public good. So, its pricing and circulation should differ from ordinary data. If the core concepts are unclear, it could cause big differences in implementation, even lawsuits.
After the Ministry of Finance released new accounting rules, there is a push for SOEs to list their data resources on their balance sheets. From a market view, data monetization has two main approaches. Some companies are committed to including data on their balance sheets but encounter difficulties in data valuation. Also, it's unclear what data firms can legally trade. This limits their ability to use their data as an asset. Other companies focus on data transactions, although the market for such activities is still in its nascent stages. Pit trading, driven by governments, limits companies' autonomy. Ex-pit trading involves more firms but lacks clear compliance rules. In both cases, the legal status and responsibilities of all parties involved in data circulation remain unclear.
In 2024, data elements have made some progress in laws and practices. But, we still need to speed up legislation and set National Standards. In order to facilitate the growth of the data factor market, the State must priorities the construction of a unified data factor system and the clarification of the 'three-rights' mechanism for the operation of data rights. Furthermore, the State must enhance its legislation on the use of public data to provide a stronger foundation for the data factor market.
Part II: 2024 Legislative Developments in Artificial Intelligence: Details Matter
Focus 1: Regulating Corporate Practices with Detailed Rules
In 2024, China's AI regulations focus on "development and protection." The authorities have resolved key issues in the Interim Measures for Generative AI Services through a series of new regulations.
The national standard Basic Safety Requirements for Generative Artificial Intelligence Services delineates the safety boundaries for generative AI services. It details safety standards for each stage, from data processing to model training to service provision. It ensures that generative AI is convenient and safe for users. These rules protect users' privacy rights. They also give companies a framework for ensuring security. Additionally, this regulation serves as a benchmark for the filing of large models.
The Measures for Identification of Artificial Intelligence-Generated Synthetic Contents (Draft for Comment) focuses on the identification issues of content generated by artificial intelligence. Distinguishing between real and synthetic content is always a critical issue in AI regulatory compliance. The measures require companies to identify synthetic content. They must specify the methods, locations, and imaging effects for this process. This boosts the transparency of AI-generated info. It also eases the compliance burden for companies.
Focus 2: A Notable Improvement in Regulatory Efficiency
China's AI sector is regulated by two main mechanisms: algorithm filing and large model filing.
The Provisions on the Administration of Algorithm-generated Recommendations require algorithm filing. They apply to all Chinese firms that provide Internet services using algorithmic recommendations. The primary compliance mechanism relies on pre-screening by mobile app stores. Apps that fail to complete the algorithm filing process are prohibited from being listed in app stores.
"Large model filing" means the "safety assessment" in Article 17 of the Interim Measures for the Administration of Generative Artificial Intelligence Services. The purpose of this filing is to ensure the safety, reliability, and compliance of large models. AI companies that provide services to consumers (TO C) are most likely to fall within the scope. Regulators will assess the model's technical architecture, data sources, training processes, and application scenarios. This is to ensure AI services are safe and reliable. Companies must file detailed technical documents and safety reports. Experts help regulatory agencies review them. Only large models that pass the filing process may operate in the market.
Unlike the initial efforts in algorithm filing and large model filing in 2023, which were somewhat tentative and unclear, 2024 has seen regulators refine their enforcement strategies and responsibilities. The two filings improved approval efficiency. Many more firms completed the process. At the same time, regulators are intensifying post-filing supervision to ensure continued compliance with relevant regulations, fostering a stable and sustainable development environment in the field of artificial intelligence.
Focus 3: The Rise of AI-Related Litigation Cases
Looking back at the legal cases of 2024, it can be called the year of the explosion of AI litigation without question. A series of landmark "first AI cases" have emerged, with some of the most notable examples being:
Focus 4: Proactively Contributing to the Formulation of International Rules
In 2024, China has been active in AI governance. It has influenced global efforts to shape international rules.
In June 2024, the Shanghai Declaration on Global AI Governance was released at the opening ceremony of the 2024 World Artificial Intelligence Conference and the High-Level Meeting on Global AI Governance. The declaration calls for joint development and shared security. It seeks collaborative governance, collective wisdom, and mutually beneficial outcomes. It proposes initiatives to promote the healthy, secure, and orderly growth of global AI. This declaration shows China's commitment to global AI governance. It aims to be a key player in the AI governance debate.
In September 2024, the National Technical Committee 260 on Cybersecurity of Standardization Administration of China released Version 1.0 of the Artificial Intelligence Safety Governance Framework.
This framework outlines four principles for AI safety governance:
It details AI security risks and proposes measures to address them. It sets a framework for AI security risk governance, from risk classification to management. The framework guides safe AI governance. It is a valuable reference for a global AI governance framework.
China seeks to shape the future of global AI. It aims to be a key player in promoting its healthy development. It is doing this by joining in on global AI rule-making, issuing key declarations, and promoting cooperation.
China's data rules, unlike those of the EU and others, impose heavy fines. They also use national security reviews and cybersecurity assessments to restrict market access and enforce compliance. From the penalty cases involving illegal access to surveying and mapping data announced by the Ministry of National Security, as well as the cybersecurity review cases initiated by the regulatory initiative this year, it is clear that the state attaches great importance to data compliance in key areas and systems. This is especially true for handling important, sensitive data in various scenarios. It may also raise national security concerns.. In practice, many organizations and businesses ignore these legal risks. They often prefer a superficial compliance to, instead of, ensuring real data compliance work. This may trigger stronger regulatory enforcement. It could lead to more security reviews or penalties.
In 2024, several drafts of rules for the Personal Information Protection Law were released. These drafts should be formally published by 2025. They will strengthen the laws on personal information protection. This will give clearer, specific rules for handling personal info. It will boost protection, raise the cost of violations, and promote better standards in personal info protection.
With the rapid development of artificial intelligence technology and its widespread application across various sectors of society, the need for comprehensive and systematic legal regulation has become inevitable. In 2024, no major AI laws were introduced. But, a series of regulatory guidelines were released. China's push for global rules suggests that AI legislation is progressing. In 2025, China is expected to introduce an Artificial Intelligence Law, which lawmakers included in the legislative agenda as early as 2023. We hope this law will foster industrial growth. It should also regulate all aspects of AI, including research, development, and oversight.
2024 has witnessed a surge in AI-related litigations. By next year, we may see rulings on key legal issues. These include: whether using works as training data is "fair use," the limits of data collection via web crawlers, and how AI platforms apply the "safe harbor" principle. We also hope for more responses from legislative bodies. In particular, we seek their views on an "opt-out" mechanism. It could balance all parties' interests, resolve disputes, and promote industry growth.
With new productive forces, data will be a key factor of production. It will become a variable in economic development. The utilization of public data has now been placed on the agenda, marking a significant shift. With a more mature data law, we aim to empower through data. We want to clarify the legal status of all parties. We also want to maximize the economic value of data and serve market participants. Soon, lawmakers will work to reshape the legal system. They'll dismantle data barriers and standardize the data element market.
Conclusion
2024 marks a pivotal year for China in the fields of data compliance and AI regulation. The country has strengthened its data governance through new laws and technical standards. It has also given clear guidelines for sensitive industry on data processing. We must also recognize the impact of geopolitics on data security. These factors have raised data security concerns in many countries. This has greatly hindered data flows and use. Also, these factors have led to blocking tools, like technical and export controls. This has created major challenges to the vision of data-driven economic development. We hope lawmakers will allow broader public input in these discussions. This will help build a more open data ecosystem and a better AI governance framework. This will enhance the security of the digital space. It will boost the digital economy's growth. Ultimately, it will benefit society.