Commentary on the Administrative Measures for Generative Artificial Intelligence Services (Draft for Public Comments)
Authors: 朱韦悦, 斯响俊, 蔡荣伟
Introduction
On April 11, 2023, the Cyberspace Administration of China (hereinafter referred to as the "CAC") released a notice to solicit public comments on the "Administrative Measures for Generative Artificial Intelligence Services (Draft for Public Comments)" (hereinafter referred to as the "Draft Administrative Measures for Generative AI"). The deadline for submitting comments is May 10, 2023. The Draft Administrative Measures for Generative AI proposes several compliance requirements for providers of generative AI services. The following are our high-level comments.
Main Body
Recently, generative AI services, represented by ChatGPT, have gained attention and investment. Following OpenAI, many internet companies in China have also joined the race.
With the AI boom, many new issues arising from AI will emerge. Therefore, the legal and regulatory supervision of AI services, including how to legally, compliantly, and ethically develop and use AI services, has become a concern for various sectors of society.
The Biden administration in the United States has already begun examining whether there is a need to regulate AI technologies. On April 11, 2023, the U.S. Department of Commerce released a formal request for public comments on accountability measures, including whether potentially risky AI models should go through a certification process before they are made available.
Also on April 11, the CAC released the Draft Administrative Measures for Generative AI. Below is our brief digest of this draft regulation.
Scope of Application
Article 2 of the Draft Administrative Measures for Generative AI stipulates that "these measures apply to the research, development and utilization of generative artificial intelligence products, when they become services to the general public within the territory of the People's Republic of China." The term "to the general public" in this definition is not clear: it could refer to services specifically designed for the general public in China, or to services that are accessible to and used by the general public in China even if not specifically designed for them. However, it is certain that regardless of whether the service provider and servers are located within China, as long as services are provided to the general public in China, the Draft Administrative Measures for Generative AI has jurisdiction over them. At the same time, the term "general public" in this definition seems to limit the application scope of the Draft Administrative Measures for Generative AI. For example, it may not apply to internal uses, scientific research, or manufacturing uses, etc. Further clarification may also be needed from the regulatory authorities on whether providing services only to enterprise users (excluding individual users) constitutes providing services to the "general public".
Definition of Generative AI
"Generative AI" is also broadly defined in Article 2 of the Draft Administrative Measures for Generative AI, which states "[f]or the purpose of these measures, the term 'generative artificial intelligence' refers to the technology for generating text, pictures, sounds, videos, codes and other content based on algorithms, models or rules." With the core concept being "generating", this definition is not exhaustive. Therefore, the definition of generative AI may further expand with the evolution of actual products, ensuring the regulatory scope of the Draft Administrative Measures for Generative AI will keep pace with the development of AI technologies.
Regulations on Generated Content
Article 4 of the Draft Administrative Measures for Generative AI stipulates that providers of generative AI products or services must comply with legal requirements, respect social morality and public order, and specifically includes the following provisions:
1. The content generated by generative artificial intelligence shall reflect the core socialist values, and shall not contain any content that subverts the state regime, overthrows the socialist system, incites separatism, undermines national unity, promotes terrorism, extremism, ethnic hatred, ethnic discrimination, violence, obscenity, false information, or any content that may disrupt economic and social order.
2. Measures shall be taken during algorithm design, training data selection, model generation and optimization, and service provision processes to prevent discrimination based on race, ethnicity, religion, nationality, region, gender, age, occupation, and other factors.
3. Intellectual property rights and business ethics shall be respected, and the use of algorithm, data, platform, and other advantages to engage in unfair competition is prohibited.
4. The content generated by generative artificial intelligence shall be true and accurate, and measures shall be taken to prevent the generation of false information.
5. Respect the legitimate interests of others, prevent harm to others' physical and mental health, damage to their portrait rights, reputation rights, and personal privacy, and infringement of intellectual property rights. Illegal acquisition, disclosure, and use of personal information, privacy, and trade secrets are prohibited.
The "true and accurate" requirement for generative AI services in Paragraph 4 above has been a subject of controversy. The Draft Administrative Measures for Generative AI does not provide a definition of "false information". However, in current generative AI services, we often see discrepancies between the results generated and the actual facts. Black box models in generative AI services make it difficult to effectively control the algorithmic operations and generated results of AI services. Therefore, it is practically impossible to ensure the truthfulness and accuracy of the generated content. While the purpose of this provision is to effectively prevent misuse of generative AI technology, the standards provided in it still need to be refined.
In addition, the provisions in Paragraphs 1, 3, 4, and 5 above only specify the content compliance obligations from the perspective of generative AI service providers, while user responsibilities are absent, which may require further consideration. In practice, it is doubtful whether generative AI service providers have the ability to conduct comprehensive review and supervision throughout the entire process to prevent users from creating any content that infringes on the rights of others. Even if providers can conduct comprehensive review and supervision, such review and supervision may intrude on users' confidential information, particularly when users are commercial entities. This issue needs further consideration. Therefore, one possible solution is to properly allocate responsibilities between providers and users.
Identification of Responsible Entities
The Draft Administrative Measures for Generative AI stipulates in Article 5 that "organizations and individuals (hereinafter referred to as 'providers') that provide services such as chat, text, image, and sound generation using generative artificial intelligence products, including supporting others to generate text, image, sound, etc. on their own by providing APIs or other means, shall assume the responsibility as producers of the content generated by the product." Therefore, it is important to note that in addition to the technology developers and application developers who are involved in the "research, development and utilization of generative artificial intelligence products", providers of API interfaces or other access services are also responsible for the content generated. In addition, as mentioned above, the responsibility of users of generative AI services or products is absent, and needs further clarification by the regulatory authorities.
The Draft Administrative Measures for Generative AI further specifies in Articles 7 to 20 the regulatory obligations, responsibility attribution, and penalties for "providers".
Compliance Requirements for Data and Information
Article 7 of the Draft Administrative Measures for Generative AI specifies that providers must be responsible for the legality of the pre-training data and source of the optimized training data used in generative AI products. The pre-training and optimized training data used in generative AI products must comply with the requirements of laws and regulations such as the Cybersecurity Law of the People's Republic of China, and may not contain any content that infringes upon intellectual property rights. Providers must also ensure the authenticity, accuracy, objectivity, and diversity of the data.
Regarding the protection of user privacy and personal information, the Draft Administrative Measures for Generative AI clearly stipulates that providers must assume the statutory responsibilities of personal information processors and fulfill the obligations of personal information protection if personal information is involved. Consent of the personal information subject must be obtained if the training data contains personal information. Providers must protect the input information and usage records of users during the provision of services. Providers may not (i) illegally retain input information that can infer the user's identity, (ii) create user profiles based on user input information and usage (i.e., infer and label user characteristics based on behavioral data analysis such as user input information and usage, so as to achieve the purpose of precise marketing, user research, and personalized services, etc.), or (iii) provide user input information to others.
Security Assessment and Algorithm Filing
Two existing laws may also apply to generative AI, namely (i) the Provisions on the Security Assessment of Internet Information Services with Attribute of Public Opinions or Capable of Social Mobilization (hereinafter referred to as the "Internet Information Service Security Assessment Provisions") for security assessment and (ii) the Administrative Provisions on Algorithm Recommendation for Internet Information Services (hereinafter referred to as the "Internet Information Service Algorithm Recommendation Provisions") for algorithm filing.
The Internet Information Service Security Assessment Provisions requires "internet information services with attribute of public opinions or capable of social mobilization" to undergo security assessment. The scope of "internet information services with attribute of public opinions or capable of social mobilization" is quite broad, including forums, blogs, microblogs, chat rooms, communication groups, public accounts, short videos, live streaming, information sharing, mini-programs, and other internet information services that provide channels for public opinion expression or have the ability to mobilize the public for specific activities. The Draft Administrative Measures for Generative AI treats generative AI as an "internet information service with attribute of public opinions or capable of social mobilization" and brings it under the relevant supervision. Article 6 of the Draft Administrative Measures for Generative AI requires providers to file the security assessment with the cyberspace administration before providing services to the general public using generative AI products in accordance with the Internet Information Service Security Assessment Provisions, and complete algorithm filing, modification, or deregistration procedures in accordance with the Internet Information Service Algorithm Recommendation Provisions.
The Internet Information Service Security Assessment Provisions requires internet information service providers to conduct security assessments by themselves or entrust third-party security assessment agencies to generate security assessment reports. These reports should be submitted to the local cyberspace administration and public security agencies at the city level or above through the national internet security management service platform before the information service, new technology or new application goes online, or new features are added.
In addition, Article 24 of the Internet Information Service Algorithm Recommendation Provisions requires algorithm recommendation service providers with attribute of public opinions or capable of social mobilization to file for record through the internet information service algorithm filing system within ten working days from the date of providing services. In case of changes in the filed information, the providers must complete the modification procedures within ten working days. For termination of services, the providers must complete the deregistration procedures within twenty working days.
Conclusion
The Draft Administrative Measures for Generative AI contains 21 provisions and applies to generative AI products that provide services to the general public within China. It emphasizes restrictions on ideology, intellectual property, information security, and fair competition. The Draft Administrative Measures for Generative AI clearly states that the entity using generative AI to provide services should bear the responsibility of a content producer, and if personal information is involved, it should also assume the statutory responsibility of a personal information processor. Before providing services, the Draft Administrative Measures for Generative AI requires a security assessment to be filed with the competent cyberspace administration and compliance with algorithm filing, modification, or deregistration procedures. The Draft Administrative Measures for Generative AI also prohibits the illegal retention of user input information that can infer user identity, prohibits user profiling and sharing of user input information, and prohibits the generation of any discriminatory content based on race, nationality, gender, etc. The release of this Draft Administrative Measures for Generative AI demonstrates China's attention and support for the development of generative AI technology, and provides a possible compliant and secure framework for relevant research institutions and companies. We look forward to the early issuance of relevant official measures and national standards.
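朱韦悦, Attorney
Shanghai Office, Corporate Department
斯响俊, Attorney
Shanghai Office, Partner
Practice areas: Investment, M&A and Corporate Governance; Cybersecurity and Data Protection; Labor and Employment
Featured industries: Energy and Natural Resources; Telecommunications and Technology
蔡荣伟, Attorney
Shanghai Office, Senior Counsel
Practice areas: Investment, M&A and Corporate Governance; Cybersecurity and Data Protection; Litigation and Arbitration
Featured industries: Energy and Natural Resources; Telecommunications and Technology
* 徐光祖 also contributed to this article.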
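Disclaimer
The articles published above represent only the personal views of the authors and do not constitute legal opinions or advice of any kind issued by Zhong Lun Law Firm (北京市中伦律师事务所) or its lawyers.
To reproduce or quote any content of these articles, please contact us by private message to arrange authorization, and state at the beginning of the reproduced article that it comes from the public account "中伦视界", together with the authors' names. Without the firm's written authorization, no content of these articles, including pictures, video and other audiovisual material, may be reproduced or used. If you would like to discuss the relevant topics further, you are welcome to contact the firm.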