4 January 2023

On 11 December 2022, the Provisions on the Administration of Deep Synthesis Internet Information Services (《互联网信息服务深度合成管理规定》) (“Provisions”) were published on the official website of the Cyberspace Administration of China (“CAC”). The Provisions seek to regulate and administer the thriving deep synthesis services and technology industry, which has been utilised by the public more and more in the last few years without close supervision. Before publishing the finalised version, CAC released a draft of the Provisions for comment on 28 January 2022.

The Provisions will take effect on 10 January 2023.

This article provides an overview of the Provisions.

Scope of Provisions

The Provisions are applicable to the provision of Internet information services via deep synthesis technology (“Service”) in China. The Provisions define “deep synthesis technology” as technology utilising generative and/or synthetic algorithms, such as deep learning and virtual reality, to produce text, graphics, audio, video, or virtual scenes.

The Provisions set out examples of deep synthesis technology as including technology for generating and/or editing:

  • text content, such as chapter generation, text style conversion, and question-and-answer dialogues;
  • voice content, such as text-to-speech, voice conversion, and voice attribute editing;
  • non-voice audio content, such as music generation and scene audio editing;
  • biometric features in images and/or video content, such as face generation, face swapping, personal attribute editing, face manipulation, or gesture manipulation;
  • non-biometric features in images and/or video content, such as image generation, image enhancement and image restoration; and
  • digital characters and/or virtual scenes such as 3D reconstruction and/or digital simulation.

The Provisions state that the term “Internet information service” as used therein shall have the meaning ascribed to it in the Measures on the Administration of Internet Information Services (《互联网信息服务管理办法》), that is, the provision of information through the Internet to online users.

The following entities are regulated by the Provisions:

  • Service provider, which refers to the organisation and/or individual providing the Service (“Service Provider”);
  • Service technology supporter, which refers to the organisation and/or individual providing technology support for the Service (“Technology Supporter”);
  • Service user, which refers to the organisation and/or individual utilising the Service to produce, copy, publish, transfer information (“User”); and
  • Application distribution platforms, such as an Internet application store.

Highlights of general obligations

The Provisions stipulate that no organisation or individual shall use the Service to produce, copy, publish or disseminate information in contravention of any laws and regulations. Using the Service to engage in activities prohibited by laws and regulations, such as endangering national security or infringing the legitimate rights and interests of others, is also prohibited. Service Providers and Users shall not use the Service to produce, copy, publish or disseminate false news.

A Service Provider should fulfil its responsibility as a safeguarding entity of information security, including establishing and improving policies regarding user registration, algorithm mechanism audit, technology ethics review, information publishing audit, data security, personal information protection, anti-telecommunications network fraud, and emergencies. Relevant safe and controllable technical safeguard measures are also required to be established within the Service Provider.

A Service Provider shall authenticate a User’s identity by requiring the provision of certain information, such as the User’s ID number. Information publishing services shall not be provided to Users whose real identity has not been verified.

Service Providers are required to review both data provided by Users and the results rendered via synthesis technology. Where a Service Provider identifies illegal and/or undesirable information, it is required to save the relevant records and promptly report to the competent cyberspace authority and other relevant departments. The Users involved will be suspended or banned from accessing the relevant Service.

A Service Provider must establish a misinformation refutation mechanism. The Provisions require Service Providers to refute misinformation, if any, keep relevant records and report to relevant authorities.

The application distribution platforms, for example app stores, should inspect the deep synthesis application, including its security assessment and filing status, and halt distribution of or listing of the application where a violation of the Provisions and other applicable laws and regulations is detected.

Data and technology management

In relation to data management, a Service Provider and a Technology Supporter should take the necessary measures to safeguard the security of training data, which is the annotated or benchmark dataset that is used to train the machine learning model. Relevant requirements of personal information protection should be met if the training data contains personal information. Where the editing functions for biometric information, such as face and voice, is provided, the Service Provider and Technology Supporter should prompt the Users to inform the individuals being edited and obtain such individuals’ consent.

In terms of technology management, the Service Provider and Technology Supporter should regularly review, evaluate, and verify the algorithm mechanism.

Adding specific marks

For content generated or edited by the Service, the relevant Service Providers should take technical measures to add a mark without affecting usage and save log information in accordance with laws and regulations.

If Service Providers provide the Service with the function of generating or significantly altering information content - such as providing intelligent dialogue, synthetic human voice, face generation, immersive simulation scenes - the Service Providers shall add a noticeable mark at a reasonable position and area of the information content to indicate to the public the synthesis of such information content; if the Services other than those mentioned previously are provided, the Service Providers shall provide the function of adding a noticeable mark and indicate to the Users that they can add such a mark by themselves.

No organisation or individual should delete, alter, or conceal the marks.

Filling and security assessment

The Provisions make it clear that Service Providers and Technology Supporters with the “characteristic of public opinions or social mobilisation capability” are to perform filing, modification and cancellation of filing in accordance with the Provisions on the Administration of Algorithm-generated Recommendations for Internet Information Services (《互联网信息服务算法推荐管理规定》). The filing number and link to the public record of their filling should be displayed at an obvious position on their websites and applications. In accordance with the relevant regulations, the following services are deemed as having the “characteristic of public opinions or social mobilisation capability”:

  • Launching forums, blogs, microblogs, chat rooms, communication groups, public accounts, short videos, webcasts, information sharing, small programs, or other information services, or adding the corresponding functions; or
  • Launching other Internet information services that provide channels for the public to express their opinions or are capable of mobilising the public to engage in specific activities.

Where models, templates and other tools with the function of editing biometric information or special non-biometric information, including objects and scenes that may involve national security, national image, national interests and social public interests, are provided, the Service Provider and Technology Supporter shall carry out safety assessment on their own or commission professional institutions to implement such safety assessment. Apart from the aforesaid, the Service Provider should carry out a security assessment when it develops or rolls out new products, applications or functions that have the “characteristic of public opinions or social mobilisation capability”.