,

China's Interim Measures for the Management of Generative AI Services

,

On August 15, 2023, the Interim Measures for the Management of Generative AI Services (Measures) – China’s first binding regulation on generative AI – came into force. The Interim Measures were jointly issued by the Cyberspace Administration of China (CAC), along with six other agencies, on July 10, 2023, following a public consultation on an earlier draft of the Measures that concluded in May 2023. 

This blog post is a follow-up to an earlier guest blog post, “Unveiling China’s Generative AI Regulation” published by the Future of Privacy Forum (FPF) on June 23, 2023, that analyzed the earlier draft of the Measures. This post compares the final version of the regulation with the earlier draft version and highlights key provisions.

Notable changes in the final version of the Measures include:

  • A shift in institutional dynamics, with the CAC playing a less prominent role;

  • Clarification of the Measures’ applicability and scope;

  • Introduction of responsibilities for users;

  • Introduction of additional responsibilities for providers, such as taking effective measures to improve the quality of training data, signing service agreements with registered users, and promptly addressing illegal content;

  • Assignment of responsibilities to government agencies to strengthen the management of generative AI services; and

  • Introduction of a transparency requirement for generative AI services, in addition to the existing responsibilities for providers to increase the accuracy and reliability of generated content.

Published by the Future of Privacy Forum blog. The blog post builds on insights developed in the context of Guarini Global Law & Tech’s conference on “how (not) to regulate generative AI”.

Attributive Justice in International Law: The Global Law and Infrastructure of Pathogen Genomic Sequence Data-Sharing and Benefit-Sharing

A succession of epidemic diseases among humans in the first decades of the 21st century renewed long-standing controversies about power imbalances and justice in the global production, use, and distribution of scientific data and its benefits. A new area of contention concerns digital genomic sequence data (GSD). The largely-forgotten idea of ‘attributive justice’, articulated by Hugo Grotius (1625), helps make sense of otherwise-disparate demands for GSD justice.

At least two kinds of attributive justice claims are made in relation to GSD. One is for attribution of credit to scientists and others involved in medical services or other procurement of samples—a scientist-focused attributive justice. These claims are mobilized especially in efforts to rectify existing power and resource imbalances in science production, both within national societies and by scientists from developing country. These claims have considerable traction, but not in formal international law.

A second claim relates to demands by developing countries either to control GSD, or at least to receive benefits from commercial use of it when the underlying biological sample originates specifically in their territory. These claims have been pursued in efforts to extend the 2010 Nagoya Protocol. Other existing or pending international treaty regimes embedded in entirely separate institutions also address benefit sharing in relation to oceanic, plant, or human digital sequence sharing, complicating the formation of a coherent or unified set of rules. Contentions about widely used sets of data- governance principles such as Findable, Accessible, Interoperable, and Reus- able (FAIR) data also arise in each treaty regime.

Infrastructural regimes for the sharing of sequences have become major sites for both the scientist-relative and state-relative attributive justice claims. The most widely used platform for access to GSD of all kinds is the International Nucleotide Sequence Database Collaboration (INSDC) (including GenBank). A leading alternative is GISAID, which is similar in being free to use but conditions GSD access and sets requirements for attribution of

scientific credit. While GISAID goes further than INSDC in supporting scientist-relative attributive justice claims, the two infrastructures are broadly similar with regard to state-relative claims for attribution of GSD and benefit-sharing. The infrastructures have recently begun trying to ensure that metadata accompanying each sequence attributes it to samples taken from a particular country, but not that the GSD is systematically linked to its com- mercial outcomes. These infrastructures embed norms and ideologies of their original builders, such as a normative commitment to ‘Open Science’, and the economic and epidemic-security interests of richer OECD countries.

Attributive justice entitlements of particular scientists and states will not leverage universal principles of distributive virus- and vaccine-justice but are reinforcing significant shifts toward orders of respect and recognition in global health research and (slowly) in sequencing infrastructures. The contributions of attributive justice have been underestimated.

Professor Benedict Kingsbury published his article 'Attributive Justice in International Law: The Global Law and Infrastructure of Pathogen Genomic Sequence Data-Sharing and Benefit-Sharing' in the Summer 2023 issue of NYU Journal of International Law and Politics.

,

Unveiling China’s Generative AI Regulation

,

The Cyberspace Administration of China (CAC) released Draft Measures for the Management of Generative AI Services (the “Draft Measures”) on April 11, 2023. The comment period closed on May 10, 2023. Public statements by industry participants and legal experts provided insight into the likely content of their comments. It is now the turn of the CAC as China’s “cyber super-regulator” to consider these comments and likely produce a revised text.

This blog post analyzes the provisions and implications of the Draft Measures. It covers the Draft Measures’ scope of application, how they apply to the development and deployment lifecycle of generative AI systems, and how they deal with the ability of generative AI systems to “hallucinate” (that is, produce inaccurate or baseless output). It also highlights potential developments and contextual points about the Draft Measures that industry and observers should pay attention to.

Published by the Future of Privacy Forum blog. The blog post builds on insights developed in the context of Guarini Global Law & Tech’s conference on “how (not) to regulate generative AI”.

,

Three Years of GDPR: Enforcement (or Lack Thereof) and Its Impact on Cross-Border Contracts

,

The General Data Protection Regulation (GDPR) is widely touted as the greatest shift in data privacy regulation of the century—with protections of users’ rights in commercial use, as well as cross-border transfers, the GDPR establishes fundamental freedoms within digital spaces and codifies the rights of users across the European Union (EU). When the GDPR was introduced, the EU had high expectations of changing practices in relation to data collection, processing and transfer. Despite examples of penalties and fines being imposed on businesses, three years after the GDPR entered into force, the question remains: Has GDPR enforcement (or lack thereof) changed the way cross-border contracting is carried out? This article describes the EU’s initial plans for enforcement under the GDPR, discusses actual instances of enforcement over its three years of existence, and queries whether anything about the GDPR has changed cross-border contracting practices.

Since inception, EU supervisory authorities have levied approximately 1,034 fines and 1.6 billion Euro in penalties for violations under the GDPR. Nonetheless, since 2021, authorities appear to have ramped up enforcement. Between January and November 2021, DPAs filed 395 fines against companies, totaling over 1 billion Euro (eighty-one percent of all fines issued from the inception of the GDPR to November 2021) .

However, very few enforcement actions have addressed cross-border contracting. Companies engaging in cross-border contracting could interpret this lack of interest from regulatory bodies as a sign that things may carry on as they did before the GDPR came into effect. While corporations may have altered attitudes towards customer engagement and data processing based on the GDPR, there is little evidence of changes to nuanced practices associated with cross-border contracts. Businesses seem far more focused on compliance with requirements related to contracts with user than requirements for contractual relationships internationally. Similar enforcement trends in the narrowed context of Chapter V protections against improper and unjustifiable cross-border data tranfsers remain to be seen.

Published in The Year in Review: An Annual Publication of the ABA International Law Section (vol 56 ABA/ILS YIR 67-72 (2022)). The article was written by Ali Strongwater (JD ‘23) and Izak Rosenfeld (Associate General Counsel, Access Now) during Ali’s externship at Access Now in Fall 2021.

,

Confronting Data Inequality

,

Control over data conveys significant social, economic, and political power. Unequal control over data—a pervasive form of digital inequality—is a problem for economic development, human agency, and collective self-determination that needs to be addressed. This Article takes steps in this direction by analyzing the extent to which law facilitates unequal control over data and by suggesting ways in which legal interventions could lead to more equal control over data. We use the term "data inequality" to capture unequal control over data-not only in terms of having or not having data, but also in terms of having or not having the ''power to datafy" (i.e., deciding what becomes or does not become data). We argue that data inequality is a function of unequal control over the infrastructures that generate, shape, process, store, transfer, and use data. Existing law often regulates data as an object to be transferred, protected, shared, and exploited and is not always attuned to the salience of infrastructural control over data. While there are no easy solutions to the variegated causes and consequences of data inequality, we suggest that retaining flexibility to experiment with different approaches; reclaiming infrastructural control; systematically demanding enhanced transparency; pooling data and bargaining power; and developing differentiated and conditional access to data mechanisms may help in confronting data inequality more effectively going forward.

Published in Columbia Journal of Transnational Law, Volume 60, Issue 3 (2022), pp. 829-956. The paper was initially written as a background paper for the World Development Report 2021: Data for Better Lives. It draws on ideas developed in Guarini Global Law & Tech’s Global Data Law project.

Illicit Antiquities and the Internet: The Trafficking of Heritage on Digital Platforms

The contemporary internet has become the transnational marketplace for the sale and trafficking of illicit products, from drugs and guns to malware and stolen user information. Given the scale of these activities, these marketplaces have drawn the attention of international and national law enforcement bodies as well as scholars of cybersecurity and criminal activities. As such, these platforms have moved to the ‘dark web’ or other encrypted communication channels and separated from the ‘surface web’ platforms run by global platform companies, which are the increasing focus of both government regulation and scholars of data privacy law. Among such illicit goods, one is often ignored though globally traded via established marketplaces on social media platforms: looted antiquities. Although representing only a portion of an already small global illicit trafficking network, such activities on internet platforms, particularly Facebook, can cause immense damage to archaeological and cultural heritage sites. Such marketplaces on major internet platforms provide a unique case study in global data privacy and cybersecurity law that has largely gone unstudied. This paper analyzes the trafficking of illicitly acquired antiquities on a variety of internet platforms—particularly Facebook—as an illustration of issues with both the current framework of global data privacy law and the moderation and regulation of such transnational criminal activity. This note will review and critique the existing literature on platform moderation and digital infrastructure and propose and examine various solutions to the mechanisms by which illicit activities endure, specifically by focusing on the potential of multistakeholder collaboration to bring effectively targeted moderation to the trade in illicit antiquities online.

Published in the New York University Journal of International Law and Politics, Vol. 54 (2022), pp. 659-698. It received the journal’s award for the best student note published in the spring 2022 edition of the publication.

This paper originated in the Guarini Colloquium: Regulating Global Digital Corporations convened by Thomas Streinz and Joseph Weiler in fall 2020.

The Digital Markets Act (DMA): A Procompetitive Recalibration of Data Relations?

Since its publication in December 2020, the European Commission’s regulatory proposal for a Digital Markets Act (DMA) continues to be the subject of sustained political and academic interest, particularly in the United States and Europe. Part of the “European strategy for data”, the DMA is designed to address “the most salient incidences of unfair practices and weak contestability” in the digital economy, responding to concerns about the data-derived dominance of U.S. technology companies operating in Europe. This paper aims to provide the first comprehensive legal analysis of the DMA’s recalibration of data relations in the European Union. Through an analysis of the data-specific obligations imposed on gatekeepers under the DMA and their interaction with existing laws and jurisprudence, this paper finds that the proposed access rights and limitations on the collection, combination and use of data give rise to significant ambiguities and could make “Big Tech” the winners of an act originally designed to tackle their dominance. This paper also finds that the DMA may recalibrate data relations in favor of Chinese tech companies wishing to strengthen their position in the EU against their U.S. competitors. Nevertheless, this paper will show that the adoption of the DMA will be a positive first step in the direction of recalibrating data relations in a way that – once teased out by future enforcement and caselaw – could allow for a more active contestation of digital markets, and a freer flow of data.

This paper originated in the Global Data Law course. It was published by the Illinois Journal of Law, Technology and Policy, Volume 2022, Issue 1 (pp. 101-154).

Designing International Economic Data Law

This contribution to the Proceedings of the Annual Meeting of the American Society of International Law (ASIL) reflects on discussions at ASIL’s virtual annual meeting in 2021, where the author chaired a panel titled “The Rise of Restrictions on Data Flows and Digital Technologies: National, Security, Human Rights, or Geo-Economics?”. Transnational access, transfer, and use of data have increasingly become focal points during negotiations for “comprehensive” trade and investment agreements. While these efforts are often presented and discussed as negotiations about “electronic commerce” and “digital trade” that will “modernize” the acquis of international economic law, we are arguably witnessing the design of new international economic data law that is conceptually distinct from conventional international trade and investment law. The design of this new international economic data law reflects a complex political economy.

Governing Data Markets in China: From Competition Litigation and Government Regulation to Legislative Ordering

Data, the most valuable commodity of our age, fuels today’s digital economy. Who owns these data and the rights associated therewith is now an inescapable question and a central concern. Under the current societal backdrop of powerful internet platforms able to wield the increasingly important economic role of data for their own advantage, current legislative frameworks have failed to keep pace with technological progress.

There is of yet no comprehensive nor global legal framework of data property rights. In the People’s Republic of China (“PRC”), as in many other jurisdictions, domestic data ownership law remains unsettled. In this uncertain legal milieu, Chinese platform companies wage intense legal battles with each other and, in rare cases, with their service suppliers over control of user data. Paradoxically, China’s digital economy has boomed without the clear specification of data ownership. How has China managed the massive growth of its data markets and inter-company data disputes without any legal determinations as to who owns data?

This Article finds that the basic rules of Chinese data markets have developed through litigation between private companies under the precepts of anti-unfair competition law, by government mediation in high-profile cases between market-making entities, and by-means-of government regulation using existing and new legal and policy frameworks, including anti-monopoly law and other data-specific government policies on antitrust and cybersecurity. In addition, the Chinese central and local governments have enacted general legislation on key data issues and are refining their policy efforts via experimental pilot projects in various locales to further develop data markets.

The case studies in this Article reveal the present condition and the limitations of a legal regime in which the reality of data monetization precedes the legal issues of “ownership,” and illustrate the efforts taken by the Chinese government thus far. However, in its analysis of the Shenzhen legislative experiment, this Article offers a cautionary perspective on those reform efforts in the absence of a new comprehensive legal framework, by spotlighting the controversy within the Chinese academic and legal communities over issues of how ownership rights granted prematurely can introduce new challenges to the emerging questions of competition, innovation, knowledge, transparency, accountability, privacy, and the broader public interest.

Incremental development and experimentation, in the form of judicial rulings by the Chinese courts and state regulatory guidance as well as legislative actions that influence the evolution of existing law based on established principles of antitrust enforcement, IP regimes, and contracts, is a promising path to allay the concerns of premature legislation on data property rights—as any new legislation that upholds the status quo could run the risk of stifling both market innovation and competition.

Published in the George Mason International Law Journal, Vol. 13, Issue 1, pp. 1-27 (2022). The paper originated in Guarini Global Law & Tech’s Global Data Law course.

Infrastructural Control Does the Trick: Apple’s Privacy Battles with Facebook and Tencent

Jingxian Zeng presents a comparison of Apple’s battles with Facebook and Tencent over advertising data tracking to argue that current notions of privacy law rest on the misconception that the power of digital platforms is derived from their control over data, rather than their control over the infrastructure that collects and processes data. The article targets the assumption behind the mobilization of data protection and privacy to contest platform power: the enormous power of platforms derives from their control over data such that granting individuals rights to their own data is enough to contest platform power. This approach ignores a fundamental source of platform power—control over the digital infrastructure that enables the collection and processing of data. Failing to account for this aspect of platform power runs the risk that data protection and privacy will be mobilized by platforms to safeguard their “walled gardens,” thus running against the “public” expectation of empowering individuals vis-à-vis platforms. The differing implementation of Apple’s privacy-preserving policy in the U.S. and China, through Facebook and Tencent respectively, offers a vivid illustration of the significance of infrastructural control.

This paper was published by the NYU Journal of Legislation & Public Policy. It originated in the Guarini Colloquium: Regulating Global Digital Corporations convened by Thomas Streinz and Joseph Weiler in Fall 2022.

 

© 2018-2024 New York University School of Law. 
40 Washington Sq. South, New York, NY 10012  
Tel. (212) 998-6100