Purpose of regulations
Rights of individuals
Supervision and management of ARS services
Liabilities of ARS providers
On 31 December 2021, the Regulations on the Administration of Internet Information Service Algorithms Recommendation were announced. They will come into force on 1 March 2022. The Cyberspace Administration of China will plan and coordinate enforcement of the regulations by other regulators according to their jurisdictional powers.
Once in force, the regulations will regulate the provision of algorithm recommendation services (ARS) in China. "ARS" refers to services using technologies such as generating composite applications or content, personalised pushing, sorting and selecting, retrieval and filtering, dispatching and scheduling decisions, and other recommendation technologies to provide internet information services.
Chinese netizens have become increasingly aware of algorithms and how they affect people's daily lives. As this awareness increases, so does public concern over practices such as the algorithmic swaying of public opinion, the algorithmic management of workers and discriminatory pricing. In this context, the regulations impose stricter governance standards on the provision of ARS. It can be expected that many businesses providing ARS will need to update their existing privacy policies and decision-making procedures to comply with the regulations.
The regulations explicitly regulate internet information service providers' ARS, promote core socialist values, safeguard national security and public interests, protect all entities' legitimate rights and interests, and promote the healthy and orderly development of internet information services.
The regulations overlap with other statutory and regulatory obligations of operators. This overlap affords ARS providers with some legal certainty. However, it also suggests that such areas of overlap, particularly regarding personal information, are regulatory targets.
The regulations also oblige ARS providers to comply with ethical principles. Unfortunately, the ethical principles related to ARS – such as fairness, openness, transparency, scientific rationality and good faith – are undeveloped, and prominent ethicists, such as Timnit Gebru, computer scientist, have labelled self-regulation attempts by tech companies as "ethics washing". Accordingly, in the face of such uncertainty and criticism, ARS providers risk getting things wrong, although some entities some entities are trying to mitigate ethical risks by using independent ethics review boards or suitable qualified non-executive directors.
Other notable obligations imposed on ARS providers include:
- ensuring algorithmic security;
- implementing reviews, evaluations and verification measures for algorithm mechanisms, models, data and results;
- improving illegal and bad data identification and data marking;
- having clear rules for user tags;
- establishing and improving ARS user's ability to intervene and choose; and
- creating convenient and effective complaint facilities.
The regulations also explicitly prohibit ARS providers from engaging in the following acts, among others:
- endangering national security and public interests;
- disrupting economic and social order;
- encouraging bad or unsafe behaviour, overconsumption or addiction (some organisations already employ psychologists to help them manage such risks);
- disseminating false information;
- creating false information;
- inappropriately manipulating information;
- influencing online public opinion or evading government supervision and management;
- unreasonably restricting, hindering or destroying the services of other internet information service providers; and
- engaging in discriminatory pricing based on consumer preferences and other types of unreasonable differential behaviour.
Individuals have rights under the regulations, and certain vulnerable groups have additional rights. The general rights of all individuals include but are not limited to the right to:
- disable ARS;
- access ARS operating principles, purposes and mechanisms; and
- access and select or delete user tags.
Additional rights given to vulnerable groups include the following.
Minors have the right to obtain services suitable for their physical and mental characteristics. The regulations state that ARS must develop "models suitable for use by minors".
ARS must "fully consider the needs of the elderly for travel, medical treatment, consumption, and errands, and provide intelligent elderly-appropriate services in accordance with relevant national regulations". Moreover, ARS must take steps to protect the elderly from fraud.
Regulators have been strengthening the labour protections for couriers following some well-publicised investigations into the labour practices of food delivery platforms. Therefore, it is no surprise that ARS providers must:
protect workers' legitimate rights and interests such as labour remuneration, rest and vacation, and establish and improve relevant algorithms for platform order distribution, remuneration composition and payment, working hours, rewards and punishments, etc.
Supervision and management of ARS services
Categorisation, registration and notification
The authorities will classify algorithms based on their attributes, including their ability to sway public opinion and their "social mobilisation" capabilities. ARS providers with such abilities or capabilities must register with the authorities. Registered ARS providers must display their registration details in a prominent position on, for example, their websites and applications.
Confidential security review
Regulators will carry out security assessments and inspect algorithm recommendation services. Because of the technical nature of algorithms, the skills required to understand them and the salary levels that data scientists can command in the private sector, it is expected that such reviews will involve a top-down approach that considers ARS policies, staff training, user interfaces and interactions, and service provider dashboards.
Regulatory officials are expected to keep confidential any business secrets or personal information that they learn during security reviews.
ARS providers face warnings, circulated criticisms, correction orders, market suspensions and fines of up to 100,000 yuan for violating the regulations.
The regulations come at a time when ARS providers are facing public criticism. Businesses providing ARS need to update their existing privacy policies and consider adjusting their decision-making procedures to better demonstrate regulatory compliance.
For further information on this topic please contact Samuel Yang or Chris Fung at AnJie Law Firm by telephone (+86 10 8567 5988) or email ([email protected] or [email protected]). The AnJie Law Firm website can be accessed at www.anjielaw.com.