Data Compliance in China in the Age of AI

In this Chambers Expert Focus article, Kevin Duan, a partner at Han Kun Law Offices, discusses the growing data compliance burden on tech firms using AI in China, and the opportunities provided by new technologies for overcoming it.

Published on 31 March 2022
Kevin Duan

In April 2021, a Chinese court issued a civil verdict on the compulsory use of facial recognition technology for access to a local zoo, ordering the zoo to delete the plaintiff's facial data. At around the same time, several local market regulators imposed fines on property developers and shopping mall owners for their abusive use of AI-equipped cameras to capture facial images for behaviour-tracking and analysis purposes.

Such enforcement cases, alongside the promulgation of data compliance laws and regulations in the past year, have had profound implications for the booming AI industry in China: mostly challenges, but also some fascinating opportunities.

Relevant legislation and challenges in China

Noteworthy legislation includes keystone laws of general application in the data protection domain, such as the Data Security Law (DSL) and the Personal Information Protection Law (PIPL), as well as laws and regulations that are more narrowly focused, for example rules relating to algorithm transparency.

The DSL, effective from 1 September 2021, is designed to curtail invasive data collection by Chinese tech companies. Specifically, it restricts the collection of data by Chinese companies within and outside of China where doing so may harm the national security or public interests of the PRC. Illicit collection of mapping and surveying data, which is essential for the training of autonomous driving algorithms, will likely fall into this category.

In comparison, the PIPL, as the counterpart to the EU GDPR, focuses more on the processing of personal data. General data compliance requirements under the PIPL, such as the principle of necessity, separate consent requirements for sensitive personal information, enhanced data subject rights and increased limitations on the sharing of personal information, de facto limit the intake of raw personal information (PI) data for AI training and processing, and thus reduce the possible application of AI in daily life. One good example is the sanctioning of AI-equipped cameras mentioned above.

The PIPL further requires PI handlers to ensure that automated decision-making is transparent and fair and does not discriminate against particular individuals. Another relevant law is the Internet Information Service Algorithm Recommendation Management Regulations (Algorithm Regulations), effective on 1 March 2022. The Algorithm Regulations again emphasise the rights of the user and algorithm transparency. Algorithm-related regulations often target the implementation of AI in parts of the tech industry where competition is a concern. Data-based price discrimination, for example, has been a hot spot for enforcement against a backdrop of enhanced regulation of the tech giants.

How can the AI sector meet the data compliance challenge?

Even with so many challenges arising from these recently implemented laws and regulations, it would be premature to draw the conclusion that the golden age of AI in China is over. We remain cautiously optimistic about its future, given the size of the market, the sophistication of the technology, the depth of the talent pool, and the government's generally positive attitude toward the sector.

It is advisable for affected AI companies to take proactive compliance measures to stay in line with the new data laws and regulations, including:

  • overhauling any existing AI-related research and products to understand the compliance gaps, with regard to both data and algorithms; and
  • adopting necessary rectification measures, such as improved consent mechanisms, data protection impact assessments and disclosure of algorithms, to mitigate the respective compliance risks.

With respect to AI application scenarios where sharing of data may lead to data compliance concerns in light of the new laws and regulations, AI companies may consider alternatives, such as adopting homomorphic encryption, confidential computing or differential privacy. Such a shift may create new opportunities for newcomers or fast movers.
