Our thinking

AI Watch: Global regulatory tracker

What's inside

Keeping track of AI regulatory developments around the world.

The global dash to regulate AI

Artificial intelligence (AI) has made enormous strides in recent years and has increasingly moved into the public consciousness.

Explore Trendscape

Our take on the interconnected global trends that are shaping the business climate for our clients.

Read more

Increases in computational power, coupled with advances in machine learning, have fueled the rapid rise of AI. This has brought enormous opportunities, as new AI applications have given rise to new ways of doing business. It has also brought potential risks, from unintended impacts on individuals (e.g., AI errors harming an individual's credit score or public reputation) to the risk of misuse of AI by malicious third parties (e.g., by manipulating AI systems to produce inaccurate or misleading output, or by using AI to create deepfakes).

Governments and regulatory bodies around the world have had to act quickly to try to ensure that their regulatory frameworks do not become obsolete. In addition, international organizations such as the G7, the UN, the Council of Europe and the OECD have responded to this technological shift by issuing their own AI frameworks. But they are all scrambling to stay abreast of technological developments, and already there are signs that emerging efforts to regulate AI will struggle to keep pace. In an effort to introduce some degree of international consensus, the UK government organized the first global AI Safety Summit in November 2023, with the aim of encouraging the safe and responsible development of AI around the world. 

Most jurisdictions have sought to strike a balance between encouraging AI innovation and investment, while at the same time attempting to create rules to protect against possible harms. However, jurisdictions around the world have taken substantially different approaches to achieving these goals, which has in turn increased the risk that businesses face from a fragmented and inconsistent AI regulatory environment. Nevertheless, certain trends are becoming clearer at this stage:

  1. "AI" means different things in different jurisdictions: One of the foundational challenges that any international business faces when designing an AI regulatory compliance strategy is figuring out what constitutes "AI." Unfortunately, the definition of AI varies from one jurisdiction to the next. For example, the EU AI Act adopts a definition of "AI systems" that is based on (but is not identical to) the OECD's definition, and which leaves room for substantial doubt due to its uncertain wording. Canada has proposed a similar, though more concise, definition. Various US states have proposed their own definitions, which differ from one another. And many jurisdictions (e.g., the UK, Israel, China, and Japan) do not currently provide a comprehensive definition of AI. Because several of the proposed AI regulations have extraterritorial effect (meaning more than one AI regulation may apply simultaneously), international businesses may be forced to adopt a "highest common denominator" approach to identifying AI based on the strictest applicable standard.
  2. Emerging AI regulations come in different forms: The various emerging AI regulations have no consistent legal form – some are statutes, some are executive orders, some are expansions of existing regulatory frameworks, and so on. The EU AI Act is a "Regulation" (which means that most of it will apply directly in all EU Member States, without the need for national implementation in most cases). The UK has taken a different approach, declining to legislate at this early stage in the development of AI, and instead choosing to task existing UK regulators with the responsibility of interpreting and applying five AI principles in their respective spheres. In the US, there is a mix of White House Executive Orders, federal and state initiatives, and actions by existing regulatory agencies, such as the Federal Trade Commission. As a result, the types of compliance obligations that international businesses face are likely to be materially different from one jurisdiction to the next. Many other jurisdictions have yet to decide whether they will issue sector-specific or generally applicable rules and have yet to decide between creating new regulators or expanding the roles of existing regulators, making it challenging for businesses to anticipate what form their AI regulatory relationships will take in the long term.
  3. Emerging AI regulations have different conceptual approaches: The next difficulty is the lack of a consistent conceptual approach among emerging AI regulations around the world – some are legally binding while others are not, some are sector-specific while others apply across all sectors, some will be enforced by regulators while others are merely guidelines or recommendations, and so on. As noted above, the UK approach is to use existing regulators to implement five AI principles, but with no new explicit legal obligations. This has the advantage of meaning that businesses will deal with AI regulators with whom they are already familiar but has the disadvantage that different UK regulators may interpret these principles differently in their respective spheres. The EU AI Act is cross-sectoral and creates new regulatory and enforcement powers for existing bodies, including the European Commission, and also creates entirely new bodies such as the AI Board and the AI Office, while leaving EU Member States to appoint their own AI regulators tasked with enforcing the EU AI Act. In the US, the Federal Trade Commission, Equal Employment Opportunity Commission, Consumer Financial Protection Bureau, and Department of Justice issued a joint statement clarifying that their existing authority covers AI, while various state regulators are also likely to have competence to regulate AI. International organizations including the OECD, the UN, and the G7 have issued AI principles, but these impose no legal obligations on businesses. In principle, these initiatives encourage consistency across members of each organization, but in practice this does not seem to have worked.
  4. Flexibility is a double-edged sword: In an effort to create AI regulations that can adapt to technological advances that have not yet been anticipated, many jurisdictions have sought to include substantial flexibility in those regulations, either by using deliberately high-level wording and policies, or by allowing for future interpretation and application by courts and regulators. This has the obvious advantage of prolonging the lifespan of such regulations by allowing them to be adapted to future technologies. However, it also creates the disadvantage of uncertainty because it leaves businesses uncertain of how their compliance obligations will be interpreted in the future. This is likely to mean that it is harder for businesses to know whether their planned implementations of AI will be lawful in the medium-to-long term and may make it harder to attract long-term AI investment in those jurisdictions.
  5. The overlap between AI regulation and other areas of law is complex: A substantial number of laws that are not directly focused on AI nevertheless apply to AI by association within their respective spheres, meaning that any use of AI will often trigger compliance issues and legal challenges even where there is not (yet) any enforceable AI-specific law. These areas of overlap include: IP (e.g., IP infringement issues with respect to AI model training data, and questions about copyright and patentability of AI-assisted inventions); antitrust; data protection (which adds restrictions to processing of personal data, and in some cases imposes special compliance obligations for processing carried out by automated means, including by AI); M&A (where AI innovation is driving dealmaking in many markets); financial regulation (where financial regulatory requirements may limit the ways in which AI can lawfully be deployed); litigation; digital infrastructure; securities; global trade; foreign direct investment; mining & metals; and so on. This overlap will mean that many businesses need to understand not just AI regulations in general, but also any rules that affect the use of AI in the context of the relevant sector or business activity.

Businesses in almost all sectors need to keep a close eye on these developments to ensure that they are aware of the AI regulations and forthcoming trends, in order to identify new opportunities and new potential business risks. But even at this early stage, the inconsistent approaches each jurisdiction has taken to the core questions of how to regulate AI is clear. As a result, it appears that international businesses may face substantially different AI regulatory compliance challenges in different parts of the world. To that end, this AI Tracker is designed to provide businesses with an understanding of the state of play of AI regulations in the core markets in which they operate. It provides analysis of the approach that each jurisdiction has taken to AI regulation and provides helpful commentary on the likely direction of travel.

Because global AI regulations remain in a constant state of flux, this AI Tracker will develop over time, adding updates and new jurisdictions when appropriate. Stay tuned, as we continue to provide insights to help businesses navigate these ever-evolving issues.

Articles

Australia

Voluntary AI Ethics Principles guide responsible AI development in Australia, with potential reforms under consideration.

Read 7 min. article
Australia

Brazil

The enactment of Brazil's proposed AI Regulation remains uncertain with compliance requirements pending review.

Read 8 min. article
Sao Paulo

Canada

AIDA expected to regulate AI at the federal level in Canada but provincial legislatures have yet to be introduced.

Read 14 min. article
Canada

China

The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.

Read 11 min. article
China

Council of Europe

The Council of Europe is developing a new Convention on AI to safeguard human rights, democracy, and the rule of law in the digital space covering governance, accountability and risk assessment.

Read 7 min. article
European Union

Czech Republic

The successful implementation of the EU AI Act into national law is the primary focus for the Czech Republic, with its National AI Strategy being the main policy document.

Read 6 min. article
Czech Republic

European Union

The EU introduces the pioneering EU AI Act, aiming to become a global hub for human-centric, trustworthy AI.

 

Read 13 min. article
European Union

France

France actively participates in international efforts and proposes sector-specific laws.

Read 10 min. article
Paris

G7

The G7's AI regulations mandate Member States' compliance with international human rights law and relevant international frameworks.

Read 11 min. article
G7 flags

Germany

Germany evaluates AI-specific legislation needs and actively engages in international initiatives.

Read 8 min. article
Germany

India

National frameworks inform India’s approach to AI regulation, with sector-specific initiatives in finance and health sectors.

Read 5 min. article
India

Israel

Israel promotes responsible AI innovation through policy and sector-specific guidelines to address core issues and ethical principles.

Read 9 min. article
Israel

Italy

Italy engages in political discussions for future laws.

Read 6 min. article
Milan

Japan

Japan adopts a soft law approach to AI governance but lawmakers advance proposal for a hard law approach for certain harms.

Read 9 min. article
Tokyo

Kenya

Kenya's National AI Strategy and Code of Practice expected to set foundation of AI regulation once finalized.

Read 6 min. article
Kenya
Kenya

Nigeria

Nigeria's draft National AI Policy underway and will pave the way for a comprehensive national AI strategy.

Read 6 min. article
Nigeria
Nigeria

Norway

Position paper informs Norwegian approach to AI, with sector-specific legislative amendments to regulate developments in AI.

Read 9 min. article
Norway

OECD

The OECD's AI recommendations encourage Member States to uphold principles of trustworthy AI.

Read 8 min. article
country flags

Saudi Arabia

Saudi Arabia is yet to enact AI Regulations, relying on guidelines to establish practice standards and general principles.

Read 6 min. article
Riyadh_Hero_1600x600 Saudi Arabia

Singapore

Singapore's AI frameworks guide AI ethical and governance principles, with existing sector-specific regulations addressing AI risks.

Read 7 min. article
Singapore

South Africa

South Africa is yet to announce any AI regulation proposals but is in the process of obtaining inputs for a draft National AI plan.

Read 5 min. article
Johannesburg

South Korea

South Korea's AI Act to act as a consolidated body of law governing AI once approved by the National Assembly.

Read 6 min. article
Korea

Spain

Spain creates Europe's first AI supervisory agency and actively participates in EU AI Act negotiations.

Read 10 min. article
Madrid

Switzerland

Switzerland's National AI Strategy sets out guidelines for the use of AI, and aims to finalize an AI regulatory proposal in 2025.

Read 8 min. article
Switzerland

Taiwan

Draft laws and guidelines are under consideration in Taiwan, with sector-specific initiatives already in place.

Read 6 min. article
Taiwan city

Turkey

Turkey has published multiple guidelines on the use of AI in various sectors, with a bill for AI regulation now in the legislative process.

Read 11 min. article
Türkiye

United Arab Emirates

Mainland UAE has published an array of decrees and guidelines regarding regulation of AI, while the ADGM and DIFC free zones each rely on amendments to existing data protection laws to regulate AI.

Read 15 min. article
UAE

United Kingdom

The UK prioritizes a flexible framework over comprehensive regulation and emphasizes sector-specific laws.

Read 12 min. article
London hero image

United Nations

The UN's new draft resolution on AI encourages Member States to implement national regulatory and governance approaches for a global consensus on safe, secure and trustworthy AI systems.

Read 7 min. article
United Nations

United States

The US relies on existing federal laws and guidelines to regulate AI but aims to introduce AI legislation and a federal regulation authority.

Read 14 min. article
New York city photo

Contacts

Tim Hickman
Tim Hickman
Partner
London
Erin Hanson
Erin Hanson
Partner
New York
Dr. Sylvia Lorenz
Dr. Sylvia Lorenz
Partner
Berlin

Service areas

China

AI Watch: Global regulatory tracker - China

The Interim AI Measures is China's first specific, administrative regulation on the management of generative AI services.

Insight
|
11 min read

Laws/Regulations directly regulating AI (the “AI Regulations”)

The Cyberspace Administration of China, the National Development and Reform Commission, the Ministry of Education, the Ministry of Science and Technology, the Ministry of Industry and Information Technology, the Ministry of Public Security, and the National Radio and Television Administration jointly released the Interim Measures for the Management of Generative Artificial Intelligence Services (the "AI Measures"), which is the first administrative regulation on the management of Generative AI services, which came into effect on August 15, 2023.2

Status of the AI Regulations 

The AI Measures came into effect on August 15, 2023.

Other laws affecting AI

There are various other laws and regulations in China that do not directly seek to regulate AI, but that may affect the development or use of AI: 

  • The Administrative Provisions on Deep Synthesis in Internet-based Information Services (the "Deep Synthesis Provisions") which came into effect on January 10, 20233
  • The Administrative Provisions on Recommendation Algorithms in Internet-based Information Services (the "Recommendation Algorithms Provisions") which came into effect on March 1, 20224
  • Data-related laws, such as the Cybersecurity Law, the Personal Information Protection Law (the PIPL), and the Data Security Law may affect several aspects of AI development and use in connection with data privacy and security 
  • Intellectual property laws, including the Copyright Law of China, that may affect several aspects of AI development and use
  • Both the Civil Code of China and the Criminal Law of China may affect several aspects of AI development and use in connection with the protection of privacy rights, portrait rights and other related rights from being violated by the improper use of AI 
  • The Measures for Review of Scientific and Technological Ethics (for Trial Implementation), which came into effect on December 1, 2023, provide that enterprises engaged in AI and certain other technology activities should undergo scientific and technological ethics reviews5
  • The relevant national standards and recommended guidelines set out relevant rules and guidance regarding the use of AI technology, such as the Practical Guidelines for Cybersecurity Standards – Method for Tagging Content in Generative Artificial Intelligence Services6

Definition of “AI”

The current Chinese laws and regulations do not provide a clear definition of "AI." Under the AI Measures, "generative AI technology" refers to models and related technology that have the ability to generate text, images, audios, videos, or other content.7

Territorial scope

The AI Measures apply to companies when they provide Generative AI services to the public within China regardless of where they are incorporated.8  For the purpose of this document, "China" refers to the People's Republic of China excluding the Hong Kong Special Administrative Region of the People's Republic of China, the Macau Special Administrative Region of the People's Republic of China and Taiwan. Specifically, the Cybersecurity Administration of China has the authority to take technical and other necessary measures against foreign companies if the provision of Generative AI services (originating from outside of China) to China violates relevant laws and regulations.9

Sectoral scope 

In general, the AI Measures do not adopt a sector-specific approach, while the Deep Synthesis Provisions and Recommendation Algorithms Provisions focus on internet-based information service providers. In addition, some industry sectors, such as the financial, healthcare and automobile sectors, have their own sector-specific regulations relating to the use of AI technology.   

  • Financial sector: 
    • Guiding Opinions on Regulating the Asset Management Business of Financial Institutions10
    • Evaluation Specification of Artificial Intelligence Algorithm in Financial Applications11
    • Guidance on Information Disclosure for Financial Applications Based on Artificial Intelligence Algorithms12
  • Healthcare sector: Guidance for the Classification and Definition of AI-Based Medical Software Products13
  • Automobile sector: Opinions on Strengthening the Management of Manufacturing Enterprises and Product Access of Smart Internet-Connected-Vehicles14

Compliance roles 

The key roles under the AI Measures are Generative AI service providers and users. 
"Generative AI service provider" refers to any organization or individual that utilizes generative AI technology to provide generative AI services (including providing such services through the provision of a programmable interface or other means).15

"User of Generative AI services" refers to any organization or individual that uses Generative AI services to generate content.16 The AI Measures do not apply if an organization or institution engages in research, development, or application of generative AI technology but does not offer Generative AI services to the domestic public in China.17

Core issues that the AI Regulations seek to address

The AI Measures are formulated to "promote a healthy development and regulated application of generative artificial intelligence, safeguard national security and social public interests, and protect the lawful rights and interests of citizens, legal persons and other organizations."18

Risk categorization

The AI Measures provide that the government will implement "categorical and hierarchal regulation of Generative AI services."19 Further, the AI Measures provide that the relevant competent departments shall enhance scientific supervision methods compatible with innovative development for Generative AI technology. They shall also create classification and grading-based supervision rules, or guidelines based on the technology's characteristics and its application in relevant industries and fields.20

However, the AI Measures do not provide for the risk categorizations of AI services, although some provisions suggest that some categories of AI services are subject to stricter scrutiny by the regulators. For example, Generative AI service providers with "public opinion attributes or the capacity for social mobilization" are required to carry out a security assessment and undergo a regulatory filing before launching such services, in addition to complying with generally applicable requirements like content moderation and tagging.21

Key compliance requirements 

Under the AI Measures, the key compliance requirements for a Generative AI service provider include:

Lawful use: Processing data lawfully, respecting intellectual property rights and obtaining consent for personal information use22 

  • Clarify and disclose the applicable groups, occasions and uses of their services, guide users to scientifically and rationally understand and use Generative AI technology in accordance with the law and take effective measures to prevent children from overly relying on or being addicted to generative artificial intelligence services23
  • Assume responsibility for online information content and personal information protection24
  • Guide users in the lawful and responsible use of Generative AI technology, protect user information and handle user requests for (among other rights) accessing, copying, correcting, supplementing and deleting their personal information25
  • Take measures to ensure secure and stable services, promptly address illegal content, and establish a complaints and reporting mechanism for user feedback26
  • Cooperate with relevant authorities during supervisory inspections, providing necessary technical, data, and other support and assistance27

Data labeling rules: Establish clear labeling rules, ensure accurate labeling and provide training for labeling staff.28 In addition, the AI Measures specifically require that a Generative AI service provider comply with the following:

  • "Upholding socialist core values" – including not generating any prohibited content, such as content that incites "subversion of the state power or the overthrow of the socialist system, endangers national security and interests, damages the national image, incites splitting the country, undermines national unity and social stability, advocates terrorism, extremism, ethnic hatred and discrimination, violence, pornography, and false and harmful information"29
  • Taking effective measures to "prevent discrimination based on nationality, religion, country, region, gender, occupation and health in the design of the algorithm, training data set, model generation, optimization and service provision"30
  • Respecting intellectual property rights and business ethics – including keeping confidential trade secrets and refraining from "carrying out acts of monopoly and unfair competition by taking advantage of proprietary algorithms, data and platforms"31
  • Respecting others' legitimate rights and interests – refraining from endangering others' physical and mental health and respecting their "rights of portrait, reputation, honor, privacy and personal information"32 

Taking effective measures to "enhance the transparency, accuracy and reliability of the contents generated by Generative AI services" 

Data training: The AI Measures also introduce requirements related to training data. Generative AI service providers must use data and models from legitimate sources, respect intellectual property rights and personal information, and strive to improve the quality, authenticity, accuracy, objectivity and diversity of the training data they utilize.34

Content moderation: Generative AI service providers are required to promptly remove any illegal content, employ measures for model optimization training, and report cases to the relevant authorities.35

Reporting mechanism: Generative AI service providers must establish a complaints and reporting mechanism, where they accept and handle complaints and reports from the public and provide feedback on the outcome of these cases.36 

Regulators

The Cyberspace Administration of China is the lead regulator for Generative AI technology. The cyberspace, development and reform, education, science and technology, industry and information technology, public security, radio and television, press and publication, and other relevant authorities shall strengthen the management of Generative AI services in accordance with the law based on their respective functions and responsibilities.37

Enforcement powers and penalties 

To effectively manage Generative AI services, Chinese regulators have been granted regulatory powers. These regulators are responsible for strengthening the management of these services based on their respective functions and responsibilities.38 They have the authority to conduct security assessments, supervisory inspections, and impose penalties for any violations in accordance with relevant laws and regulations.39

Article 21 of the AI Measures outlines the liability provisions for violations and non-compliance. 

  • If Generative AI service providers violate the AI Measures or any other relevant laws, the relevant authorities will impose penalties in accordance with the Cybersecurity Law, the Data Security Law, the PIPL, the Law on the Progress of Science and Technology, or other applicable laws and regulations. In cases where the laws or administrative regulations are silent, the relevant authorities, based on their functions and responsibilities, may issue a warning or reprimand, order corrections within a specified time limit, or suspend the provision of related services if corrections are refused or the violation is severe.
  • If a violation constitutes a breach of public security management, public security administrative sanctions will be imposed in accordance with the law. If a violation constitutes a crime, criminal liability will be pursued in accordance with the law.

According to Articles 253 and 291 of the Criminal Law of China, when individuals or organizations illegally obtain personal information or disseminate false information through information networks or media platforms with the intention of disturbing public order or causing severe consequences, they can face penalties of up to seven years in prison or fines.

According to the PIPL, failure to comply with the PIPL can result in penalties such as fines up to 50 million RMB, revenue confiscation (up to 5 percent of annual revenue), and even business cessation.40

1 For the purpose of this document, "China" refers to the People's Republic of China excluding the Hong Kong Special Administrative Region of the People's Republic of China, the Macau Special Administrative Region of the People's Republic of China and Taiwan.
2 See the Interim Measures for the Management of Generative Artificial Intelligence Services, promulgated on July 10, 2023 by the Cyberspace Administration of China, National Development and Reform Commission; Ministry of Education, Ministry of Science and Technology, Ministry of Industry and Information Technology, Ministry of Public Security, National Radio and Television Administration. 
3 See the Administrative Provisions on Deep Synthesis in Internet-based Information Services, promulgated on November 25, 2022, by Cyberspace Administration of China, Ministry of Industry and Information Technology, and Ministry of Public Security. 
4 See the Administrative Provisions on Recommendation Algorithms in Internet-based Information Services, promulgated on December 31, 2021 by Cyberspace Administration of China, Ministry of Industry and Information Technology, Ministry of Public Security, and State Administration for Market Regulation. 
5 See the Measures for Review of Scientific and Technological Ethics (for Trial Implementation), promulgated on December 1, 2023 by the Ministry of Science and Technology, the Ministry of Education, the Ministry of Industry and Information Technology, the Ministry of Agriculture and Rural Affairs, the National Health Commission, the Chinese Academy of Sciences, the Chinese Academy of Social Sciences, the Chinese Academy of Engineering, the China Association for Science and Technology, and the Science and Technology Commission of the Central Military Commission
6 See e.g., the Practical Guidelines for Cybersecurity Standards – Method for Tagging Content in Generative Artificial Intelligence Services, released by the China's National Information Security Standardization Technical Committee on August 25, 2023.
7 The AI Measures, Article 22(1).
8 Id. Articles 2 and 20.
9 Id. Articles 20.
10 See the Guiding Opinions on Regulating the Asset Management Business of Financial Institutions, promulgated by the People's Bank of China, the China Banking and Insurance Regulatory Commission, the China Securities Regulatory Commission, and the State Administration of Foreign Exchange on April 27, 2018.
11 See the Evaluation Specification of Artificial Intelligence Algorithm in Financial Application, promulgated by the People's Bank of China on March 26, 2021.
12 See the Guidance on Information Disclosure for Financial Applications Based on Artificial Intelligence Algorithms, promulgated by the People's Bank of China on November 8, 2023.
13 See the Guidance for the Classification Defining of AI-Based Medical Software Products, promulgated by the National Medical Products Administration on July 1, 2021.
14 See the Opinions on Strengthening the Management of Intelligent and Connected Vehicles Manufacturing Enterprises and Product Access, promulgated by the Ministry of Industry and Information Technology on July 30,2021.
15 The AI Measures, Article 22(2).
16 Id, Article 22(3).
17 Id. Article 2.
18 Id. Article 1.
19 Id. Article 3.
20 Id. Article 16.
21 Id. Article 17.
22 Id. Articles 4 and 7.
23 Id. Article 10.
24  Id. Article 9.
25 Id. Article 11.
26 Id. Articles 13-15.
27  Id. Article 19.
28  Id. Article 8.
29 Id. Article 4(1).
30 Id. Article 4(2).
31  Id. Article 4(3).
32 Id. Article 4(4).
33 Id. Article 4(5).
34 Id. Article 7.
35 Id.  Article14.
36 Id. Article 15.
37 Id. Article 16.
38 Id
39 Id. Articles 19-21.
40 See the PIPL, Article 66.

White & Case means the international legal practice comprising White & Case LLP, a New York State registered limited liability partnership, White & Case LLP, a limited liability partnership incorporated under English law and all other affiliated partnerships, companies and entities.

This article is prepared for the general information of interested persons. It is not, and does not attempt to be, comprehensive in nature. Due to the general nature of its content, it should not be regarded as legal advice.

© 2024 White & Case LLP

Jeffrey Shin (Trainee Solicitor, White & Case, London) contributed to this publication.

Contacts

Amy Yang
Amy Yang
Counsel|Shanghai
Services
Mergers & Acquisitions, Technology
Bob Li
Bob Li
Associate|Beijing
Services
White Collar/Investigations, Technology, Data, Privacy & Cybersecurity

Service areas

Top