Our Observations: In April 2023, the TMT sector in China witnessed considerable regulatory advancements, notably the Cyberspace Administration of China’s (the “CAC") introduction of new regulations for AIGC. This legislative action highlights the growing emphasis on ethical and secure AI use. Concurrently, other regulatory bodies, including the NMPA, MST, SPP, and the TC260 expanded the scope of digital and cyberspace regulation, indicating an increased commitment to securing and regulating the digital ecosystem. Furthermore, the NDRC’s strategy to strengthen the digital economy with efforts in six key aspects reflects an integrated approach towards the nation’s digital transformation. Meanwhile, the focus on open source code security indicates a growing recognition of compliance issues in the tech sector. Last, the ruling on the inadmissibility of unauthorized WeChat chat records recovery reaffirms the judiciary’s commitment to personal information protection.

Part I – Regulations, Policies & Judiciary Interpretations

1. The CAC Issued New Regulations to Enhance the Supervision on AIGC

On April 11, 2023, the CAC issued the Measures for the Management of Generative Artificial Intelligence Services (Draft for Comment) (the “AIGC Measures"), which aims to provide clearer guidance for China’s AI and algorithm-related industries in the context of the current regulatory landscape.

The AIGC Measures defines generative artificial intelligence as technology that creates content based on algorithms, models, and rules. AIGC companies targeting the Chinese public, regardless of these companies’ physical locations, are subject to regulatory supervision. ChatGPT’s recent move of shutting down user accounts from the PRC can be considered as a preemptive measure to avoid being subject to the laws and regulations of the PRC. The AIGC Measures may also regulate “specific targeting" AIGC products, which means that even if an AIGC product is targeted at specific domestic enterprise users or custom-designed products instead of directly targeting the public, , it may still be subject to the AIGC Measures.

The AIGC Measures defines service providers as individuals and organizations that use AIGC products to provide services such as chat, text, image, and sound generation. Entities that provide programmable API interfaces to support others in generating related content also fall under this definition, while AIGC end-users do not. The AIGC Measures sets out the extensive obligations of service providers.

2. The NMPA Introduced Measures for Regulating Cosmetics Business Operating in Cyberspace

Recently, the National Medical Products Administration issued the Measures for the Supervision and Administration of Cosmetics Operations in Cyberspace (the “NMPA Measures"), which will come into effect on September 1, 2023. The NMPA Measures aims to primarily regulate two entities: e-commerce platform operators and cosmetics businesses operating on these platforms.

The NMPA Measures emphasizes the responsibilities of e-commerce platform operators to uphold quality control and perform routine inspections on cosmetics businesses operating on the platforms. It should be noted that the NMPA Measures does not extend to cosmetics import or retail conducted during cross-border e-commerce.

E-commerce platform operators must develop quality management systems and have specialized quality management functions or personnel in place to fulfil their obligations of implementing quality control over cosmetics businesses operating on the platforms. Additionally, the operators are responsible for routine inspections of product information posted on the platform and daily business operations. During inspections, the operators verify the registration and record-keeping of cosmetics, as well as the consistency, authenticity, and legality of cosmetics labeling information.

3. The MST Solicited Comments on the Measures for Ethical Review of Science and Technology

On April 4, 2023, the Ministry of Science and Technology issued the Measures on Ethical Review of Science and Technology (for Trial Implementation) (the “MST Measures"), aiming to reinforce ethical review and supervision of science and technology activities in accordance with the Circulars on Beefing up Ethical Governance of Science and Technology. The MST Measures comprehensively regulates the requirement for ethical review regarding science and technology applicable in all fields.

The MST Measures defines the scope of application, reviewing entities, review process, and supervisory requirement for science and technology ethics review in accordance with other applicable laws and regulations, such as the Personal Information Protection Law. Additionally, the MST Measures stipulates that if competent authorities of specific industries have issued industry-based regulations for the ethical review of science and technology activities in their fields, provided that these regulations are at least as strict as MST Measures in terms of ethics reviews, such industry-specific regulations will take precedence.

The application scope of the MST Measures extends to scientific and technological activities as follows:

(1) scientific and technological activities involving human beings, including tests, investigations, observational studies with human research participants, and involving the use of human genes, human embryos, human biological samples, and personal information;

(2) scientific and technological activities involving experimental animals;

(3) scientific and technological activities that do not directly involve human beings or experimental animals, but may pose ethical risks to life and health, ecology and environment, public order, and sustainable development; and

(4) scientific and technological activities that are subject to ethical review of science and technology in accordance with laws, administrative regulations, and relevant state provisions.

4. The SPP Issued the Circular on Beefing up the Procuratorate’s Work in Cyberspace in the New Era

On April 18, 2023, the Supreme People’s Procuratorate issued the Circular on Beefing up the Judicial Work in Cyberspace in the New Era (the “Circular"). The Circular consists of 21 articles in 6 aspects, focusing on the deployment of a comprehensive governance system in cyberspace. The Circular provides for specific requirements for legislation, law enforcement, judicial practice, legal popularization, legal research, and team building for the national procuratorate system.

In terms of legislation, the Circular proposes to actively participate in the development and revision of legislation in cyberspace, cooperate with the legislature and regulatory authorities, and promote the development and revision of the Cybersecurity Law, Cybercrime Prevention Act, Anti-Unfair Competition Law, Regulations for the Network Protection of Minors, and other laws and regulations.

As for judicial protection, the Circular proposes to focus on maintaining network system security and data security, and to strengthen punishment of crimes against computer information system security in accordance with the law. At the same time, it highlights enhanced judicial protection of core technologies in key areas such as integrated circuits, artificial intelligence, big data, and cloud computing, and to beef up the judicial protection of computer software, databases, network domain names, digital copyrights, and digital content.

With respect to public interest litigation, the Circular proposes to actively carry out prosecutorial public interest litigation in the field of network governance, focusing on the acts of sabotaging cybersecurity, data security, and personal information security, infringing on the rights and interests of network users, etc.

5. The NDRC Advocated for the Digital Economy to Become Stronger, Better, and Bigger through Six Key Aspects

On April 3, 2023, the head of the Department of Innovation and High-Tech Development, under the National Development and Reform Commission, announced at a State Council Information Office press conference a commitment to fortifying China’s digital economy, highlighting six priorities for this year:

(1) strengthening policy and system infrastructure;

(2) strategically deploying digital infrastructure;

(3) encouraging digital industry innovation and growth;

(4) expediting industry-wide digital transformation;

(5) enhancing digital public services; and

(6) deepening international cooperation in the digital economy.

Specifically, the department aims to expedite the development of the “1+N" data factors system, encouraging early adoption and trial use of data factors where feasible, and coordinate a multilevel and diverse data factors market system.

The “1" in the “1+N" legal framework refers to the “Circular of the State Council of the Central Committee of the Communist Party of China on Building a Data Foundation System to Better Play the Role of Data Factors".

Part II - Sectorial Standards & Practice Guidance

1. TC260 Solicited Opinions on the National Standard Information Security Technology Open Source Code Security Evaluation Method for Software Products

On April 10, the National Information Security Standardization Technical Committee (the “TC260") issued the Information Security Technology Open Source Code Security Evaluation Method for Software Products (Draft for Comments) (the “OSS Method"). The OSS Method provides for explicit targets, evaluation criteria, and methods for assessing the security of open source code in software products. OSS Method’s evaluation criteria encompass aspects concerning open source code origin, quality, IPR, and management capabilities. The OSS Method is intended to afford guidance for organizations to self-evaluate the safety of the open source code in their software, and provide a foundation for third-party entities to carry out self-evaluation in a similar manner.

2. The National Information Security Standardization Technical Committee Solicited Public Comments on the Practice Guideline for Cybersecurity Standards

On April 18, 2023, the National Technical Committee for Standardization of Information Security issued the Practice Guideline for Cybersecurity Standards - Implementation Guidelines of Network Data Security Risk Assessment (Draft for Comments) (the “Guideline"), which aims to guide data processors in conducting network data security risk assessment.

The Guideline elucidates the ideas, main work content, processes, and methods for network data security risk assessment, and proposes to assess security risks from the aspects of data security management, data processing activities, data security technologies, personal information protection, etc.

Part III - Enforcement Highlights

1. The State Administration for Market Regulation Announced Key Legislative Tasks for the Year of 2023

On April 11, the State Administration for Market Regulation announced key legislative tasks for the year of 2023, focusing on four aspects:

(1) optimizing the fair competition environment: enacting the Regulations on the Review of Fair Competition and revising the Regulations on Prohibiting the Abuse of Intellectual Property Rights to Eliminate or Restrict Competition and other regulations;

(2) improving the business environment: enacting and revising the Implementation Measures for the Administration of Enterprise Name Registration and Medical Devices, Health Food and Food Formulas for Special Medical Purposes;

(3) implementing strict quality and safety supervision of food, drugs, industrial products, and special equipment: actively promoting the revision of administrative regulations such as the Regulations on the Supervision of Special Equipment Safety and the Regulations on the Implementation of the Drug Administration Law; and

(4) accelerating the development of China into a great power of quality: actively promoting the rev sion of the Product Quality Law and the Certification and Accreditation Regulations and revising the Measures for the Administration of National Measurement and Calibration Regulations, the Measures for the Administration of Industry Standards, and other regulations.

2. The State Administration for Market Regulation Organized the Special Enforcement Campaign Against Unfair Competition in 2023

On April 18, the State Administration of Market Supervision launched the 2023 “Guardian" campaign against unfair competition. This “Guardian" campaign emphasizes efforts in the following aspects:

(1) focusing on the investigation and rectification of unfair online competition, including new forms such as fraudulent credit cards and deceptive live-stream promotions, to safeguard the digital economy;

(2) regulating market practices in essential sectors, intensifying supervision of new commercial marketing tactics, curbing illicit commercial bribery in key industries like pharmaceutical sales, catering, and tourism, and regulating prize promotions to boost consumer confidence; and

(3) protecting enterprises’ core competitiveness, including enhancing protection of trade secrets, commercial logos, and business reputations, stimulating innovation in business, promoting efficient circulation of goods and production factors, and advancing the development of a unified national market.

Part IV - Court Judgments

1. The Employee’s WeChat Chat Records Recovered by the Employer Without Consent Is Inadmissible Evidence

The Beijing Second Intermediate People’s Court recently publicized a noteworthy case on employee personal information protection. The court held that the WeChat chat record screenshots retrieved by the defendant (the company) from data previously deleted from the plaintiff’s working computer constituted the plaintiff’s personal information. Therefore, irrespective of its content, such information should only be recovered and gathered with the plaintiff’s informed, voluntary, and explicit consent to such personal information processing. The company’s unauthorized restoration and collection of the deleted data on the grounds of internal discipline and the use of such data as case evidence, is deemed an improper utilization of the plaintiff’s personal information. This action also breaches the key principle of personal information protection. As a result, the court found this evidence of WeChat chat records inadmissible.