DCC
Data Compliance China
Search · ⌘K
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ LAW · INTERIM MEASURES FOR THE MANAGEMENT OF GENERATIVE ARTIFICIAL INTELLIGENCE SERVICES

Interim Measures for the Management of Generative Artificial Intelligence Services.

生成式人工智能服务管理暂行办法

FILED UNDER · AI Governance

Promulgated by: CAC + 6 ministries (NDRC, MOE, MOST, MIIT, MPS, NRTA).
Document No.: Decree No. 15 of the Cyberspace Administration of China.
Adopted at the 12th executive meeting of the CAC in 2023 on May 23, 2023. Effective August 15, 2023.

Chapter I General Provisions

Article 1. These Measures are enacted in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Law of the People’s Republic of China on Science and Technology Progress and other laws and administrative regulations to promote the healthy development and standardized application of generative artificial intelligence (GAI), safeguard national security and social public interests, and protect the legitimate rights and interests of citizens, legal persons and other organizations.

Article 2. These Measures shall apply to the use of GAI technologies to provide the public within the territory of the People’s Republic of China with services of generative text, pictures, audios, videos and other content (hereinafter referred to as “GAI services” in short). Where the State stipulates otherwise on the use of GAI services to engage in press and publication, film and television production, literary and artistic creation and other activities, such provisions shall prevail. These Measures shall not apply to trade organizations, enterprises, education and scientific research institutions, public cultural institutions and relevant specialized agencies that research, develop and apply GAI technologies but fail to provide GAI services to the public within the territory of China.

Article 3. The State adheres to the principles of attaching equal importance to development and security and promoting the combination of innovation and governance according to the law, takes effective measures to encourage innovation and development of GAI, and implements inclusive, prudent, categorized and graded regulation for GAI services.

Article 4. Whoever provides and uses GAI services shall abide by laws and administrative regulations, respect social morality and ethics, and comply with the following provisions: (I) upholding socialist core values, and not generating any content prohibited by laws and administrative regulations that incites subversion of the state power or the overthrow of the socialist system, endangers national security and interests, damages the national image, incites separatism, undermines national unity and social stability, propagates terrorism, extremism, ethnic hatred and discrimination, violence, pornography, and false and harmful information;

(II) taking effective measures to prevent discrimination in terms of nationality, religion, country, region, gender, occupation, health, etc., in the process of algorithm design, training data selection, model generation and optimization, service provision, etc.;

(III) respecting intellectual property rights and business ethics, keeping confidential trade secrets, and refraining from carrying out acts of monopoly and unfair competition with the advantages of algorithms, data and platforms, etc.;

(IV) respecting others’ legitimate rights and interests, refraining from endangering others’ physical and mental health, refraining from infringing upon others’ rights to portrait, reputation, honor, privacy or personal information; and

(V) taking effective measures in the light of the characteristics of different types of services to boost the transparency of GAI services and the accuracy and reliability of contents generated.

Chapter II Technological Development and Governance

Article 5. We encourage innovation and application of GAI technologies in various industries and fields to generate positive, healthy, progressive and good quality content, to explore and optimize application scenarios, and to build an application ecosystem. We support trade organizations, enterprises, education and scientific research institutions, public cultural institutions, relevant specialized agencies and so on to collaborate in respect of the innovations of GAI technologies, the development of data resources, the transformation and application, and the prevention of risks, among others.

Article 6. We encourage independent innovations in fundamental technologies of GAI algorithms, frameworks, chips and supporting software platforms, among others, carry out international exchanges and cooperation on an equal and mutually beneficial basis, and take part in formulating international rules relating to GAI. Efforts should be made to drive the development of GAI infrastructure and public training data resource platforms, to promote the collaboration and sharing of algorithm resources, to improve the efficiency of the use of algorithm resources, to push the orderly disclosure of categorized and graded public data, and to expand high-quality public training data resources. We encourage the use of secure and reliable chips, software, tools, algorithm and data resources.

Article 7. GAI service providers (hereinafter referred to as the “Providers”) shall carry out pre-training, optimization training and other training data processing activities in accordance with the law and abide by the following provisions: (I) using data and basic models from lawful sources;

(II) not infringing upon the intellectual property rights involved that are owned by others in accordance with the law;

(III) obtaining the content of an individual whose personal information is involved or complying with other circumstances stipulated by laws and administrative regulations;

(IV) take effective measures to improve the quality of training data and to enhance the authenticity, accuracy, objectivity and diversity of training data; and

(V) other relevant provisions of laws and administrative regulations such as the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China and the Personal Information Protection Law of the People’s Republic of China and the relevant regulatory requirements of relevant competent authorities.

Article 8. For data annotation during the research and development process for GAI technologies, Providers shall formulate clear, specific and operable annotation rules that meet the requirements of these Measures; they shall carry out the quality assessment of data annotation and take samples to verify the accuracy of annotation contents; moreover, they shall provide necessary training to the annotation staff, enhance such staff’s awareness of respecting and abiding by the law, and supervise and guide such staff to carry out annotation work in a regulated manner.

Chapter III Service Standards

Article 9. A Provider shall assume its responsibility as a producer of network information contents in accordance with the law and fulfill its obligation of network information security. If personal information is involved, a Provider shall assume its responsibility as a personal information hander in accordance with the law and fulfill its obligation of protecting personal information. A Provider shall enter into a service agreement with the users registering for its GAI services (hereinafter referred to as the “Users”), specifying the rights and obligations of both parties.

Article 10. A Provider shall specify and disclose the applicable users, occasions and purposes of its services, guide Users to acquire a scientific and rational understanding and use GAI technologies in accordance with the law, and adopt effective measures to prevent underage Users from over-relying on or addicting to GAI services.

Article 11. A Provider shall fulfill its obligations of protection for users’ input information and use records in accordance with the law, and shall not collect unnecessary personal information, illegally keep the input information and use records that can identify users’ identity, or illegally provide others with the input information and use records of users. A Provider shall promptly accept and handle individuals’ requests for access, reproduction, correction, supplementation and deletion of personal information in accordance with the law.

Article 12. A Provider shall mark pictures, videos and other generated content in accordance with the Administrative Provisions on In-depth Synthesis of Internet-based Information Services.

Article 13. A Provider shall, in the course of its services, provide safe, stable and continuous services and ensure the normal use of Users.

Article 14. Where any illegal content is found out, the Provider concerned shall timely take such handling measures as stopping the generation or transmission, or elimination, adopt measures such as model optimization training to make rectification, and report the case to the competent authority. When finding out that a User uses GAI services to engage in illegal activities, the Provider concerned shall take handling measures in accordance with the law or as agreed, such as giving a warning, restricting functions, suspending or terminating the provision of services to the User, keep relevant records, and report the case to the competent authority.

Article 15. A Provider shall establish a sound complaint and whistleblowing mechanism, set up convenient portals for complaints and whistleblowing, make public the handling process and time limit for feedback, timely accept and handle the public complaints and whistleblowing, and give feedback on the handling results.

Article 16. Authorities of cyberspace, development and reform, education, science and technology, industry and information technology, public security, radio and television, press and publication and so on shall, ex officio, strengthen the administration of GAI services in accordance with the law. The relevant competent authorities of the country shall, in light of the characteristics of GAI technologies and their service application in relevant industries and fields, improve the scientific ways of regulation in line with the innovation and development, and formulate the corresponding regulatory rules or guidelines for different categories or grades.

Article 17. Any provider of GAI services with attribute of public opinions or capable of social mobilization shall conduct security assessment in accordance with the relevant provisions of the State, and complete the formalities for algorithm filing, change or deregistration in accordance with the Administrative Provisions on the Recommendation of Internet-based Information Service Algorithms.

Article 18. Any user who finds that GAI services do not comply with laws, administrative regulations or these Measures shall have the right to complain or blow whistle to the competent authority.

Article 19. Relevant competent authorities shall supervise and inspect GAI services ex officio, and Providers shall cooperate in accordance with the law, explain the source, scale, type, marking rules, algorithm mechanism for the training data as required, and provide necessary technical, data and other support and assistance. The relevant institutions and personnel participating in the security assessment, supervision and inspection of GAI services shall keep confidential the state secrets, trade secrets, personal privacy and personal information that they have accessed in the performance of their duties in accordance with the law, and shall not disclose or illegally provide the same to others.

Article 20. Where the provision of GAI services from outside the territory of the People’s Republic of China to persons within the territory of the People’s Republic of China is not in line with laws, administrative regulations and these Measures, the Cyberspace Administration of China shall notify the relevant authorities to take technical measures and other necessary measures to deal with the situation.

Article 21. Any Provider in violation of these Measures shall be punished by the competent authorities in accordance with the Cybersecurity Law of the People’s Republic of China, the Data Security Law of the People’s Republic of China, the Personal Information Protection Law of the People’s Republic of China, the Law of the People’s Republic of China on Science and Technology Progress and other laws and administrative regulations. In the absence of such provisions in laws and administrative regulations, the competent authorities shall, ex officio, give a warning to the Provider, circulate a notice of criticism against the Provider, and order the Provider to make corrections within a time limit. If the Provider refuses to make corrections or the circumstances are serious, the competent authorities shall order the Provider to suspend the provision of relevant services. Where a violation of public security administration is constituted, the offender shall be subject to public security administration punishment in accordance with the law; if a crime is constituted, the offender shall be subject to criminal liability in accordance with the law.

Chapter V Supplementary Provisions

Article 22. For the purpose of these Measures, the following terms shall have the following meanings: (I) “GAI technologies” refer to models and related technologies that can generate text, pictures, audio, video and other contents.

(II) “GAI service providers” refer to the organizations and individuals that provide GAI services (including providing GAI services by providing programmable interfaces or otherwise) by using GAI technologies.

(III) “Users of GAI services” refer to the organizations and individuals that use the content generated with GAI services.

Article 23. Where laws and administrative regulations stipulate that the provision of GAI services shall obtain the relevant administrative license, any Provider shall obtain such license according to the law. Foreign-invested GAI services shall be in compliance with the relevant laws and administrative regulations on foreign investment. 2023 8 15 Article 24 These Measures shall come into force on August 15, 2023. PAGE/NUMPAGES PAGE/NUMPAGES

§ RELATED LAWS

See also.

§ COMMENTARY

Briefs on this law.

4 briefs reference this law.

  • § 01 · AI-GOVERNANCE

    Zhu Xiaofeng — Who Pays When GenAI Causation Is Unclear? Applying Civil Code Article 1254 by Analogy

    Zhu Xiaofeng (Central University of Finance and Economics Law School) takes on the GenAI causation black hole — when a personal-information harm clearly arises from a GenAI service but specific causation among model designer, model provider, model user, and data provider cannot be established, who pays? Zhu's structural answer: when conventional construction-element-analysis and Article 998 interest-balancing both fail (and they do), apply Civil Code Article 1254's 'unclear-causation' rule by analogy — the same rule used for falling-object-from-building cases. The doctrinal scaffolding: communication-safety theory, gain-and-risk allocation theory, causation proof + harm prevention. Critically: each potential injurer compensates the full damage; among themselves, allocation is proportional, with judges determining specific amounts case-by-case. Highly relevant for multinationals deploying GenAI in China — the proposed framework restructures the operating liability surface.

    ai-governance · genai · personal-information
  • § 02 · AI-AGENTS

    Mapping the AI Agent Risk Surface — A Ten-Category Taxonomy Under China's New 智能体新规

    China's Cyberspace Administration jointly issued the Implementation Opinions on Standardized Application and Innovation Development of AI Agents (the '智能体新规' or 'Agent Rules') on May 8, 2026 — the first dedicated regulatory document on AI agents anywhere in the world. This DCC brief works through the ten-category risk taxonomy that practitioners are now using to map the agent attack surface: goal hijacking, tool misuse, identity/permission abuse, supply-chain compromise, unintended code execution, memory and context poisoning, inter-agent communication insecurity, cascade failures, human-machine trust exploitation, and rogue agents. With the agent risk mapped, the brief works the legal-liability vector: how each risk maps to administrative, civil, and criminal exposure under existing PIPL, CSL, Anti-Unfair Competition, and trade-secret regimes. Closes with the Guangzhou Internet Court's recent dual-authorization ruling against an open-source agent that bypassed a chat platform's risk controls — the first Chinese case to articulate the dual-authorization principle for AI agents accessing third-party platforms.

    ai-agents · ai-governance · genai
  • § 03 · AI-AGENTS

    Operationalizing AI Agent Governance — A Ten-Step Internal Control Framework

    Part 2 of DCC's brief on the Chinese Agent Rules (《智能体规范应用与创新发展实施意见》, May 2026). After mapping the ten-category risk taxonomy in Part 1, this brief works through the ten-step internal governance framework practitioners are now building to operationalize agent compliance: cross-functional governance organization + agent asset inventory; use-case admission and classification (L1 read-only / L2 limited-write / L3 sensitive-data / L4 high-impact); security assessment and AI red-team testing; identity authorization and permission control (with the under-discussed 'permission inheritance' trap); data protection; tool and protocol security; human-in-the-loop design; supply-chain security; continuous monitoring; and AI-specific incident response. Closes with five operational priorities for teams that need to start now without waiting for the 'big-and-comprehensive' regime build.

    ai-agents · ai-governance · genai
  • § 04 · AI-GOVERNANCE

    Open-Source Does Not Mean Open Data — Zhang Ping on Training-Data Compliance for Open-Source AI

    Peking University Law School professor Zhang Ping, writing in 人民论坛 (People's Tribune), takes apart two misconceptions that have dominated the Chinese open-source AI discussion: that 'open source' means training data has no copyright protection, and that 'algorithm open-source' compels 'training data publication.' Both false. Zhang lays out the structural distinction: 'open source is conditional authorization under license' — applied to model weights, not to the training corpus, which is a legally independent object. She then maps the full-chain compliance risk (acquisition / processing / output) and proposes a four-tier differentiated governance framework that finance, healthcare, and government AI deployments can actually use to map their training-data inventory against compliance gates.

    ai-governance · open-source · training-data
§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.