Evaluating China’s New ‘Internet Information Service Algorithmic Recommendation Management’ Regulations

On March 1, 2022, a new data privacy law in China went into effect, known as the Internet Information Service Algorithmic Management (IISARM) regulations. The Cyberspace Administration of China (CAC), joined by three other Chinese entities, issued the regulations. The CAC is a well-known central internet regulator and oversight and control agency in China.

The new IISARM regulations apply to “personalized recommendations in mobile applications” and require that “algorithm recommendation services” providers uphold certain “user rights.” Thus, this raises the questions of what these three phrases: “personalized recommendations in mobile applications,” “algorithm recommendation services providers,” and “user rights,” mean under the IISARM.

To illustrate, when using an application such as Facebook, users may receive content recommendations based on previous posts they have liked, their demographic, and/or their geographic location. Personalized recommendations may refer to content recommendations based on any or all of those factors.

An algorithm recommendation service provider is an entity that uses an algorithm to generate such personalized recommendations. Examples of algorithm recommendation service providers include companies such as Facebook, YouTube, and TikTok.

User rights refer to privileges that a user is entitled to, such as, to provide more user autonomy. User rights may also refer to protections afforded to more vulnerable groups, such as minors or the elderly. For example, under the new regulations, a mobile application media user must be provided with a choice to not be targeted based on the user’s individual characteristics, such as demographic or location information. In another example, the new regulations prohibit algorithm recommendation service providers from pushing content to minors that may be harmful to one’s health, such as alcohol or tobacco.

These new regulations retroactively apply to previously-enacted data privacy laws in China, namely the Data Security Law (DSL) and the Personal Information Protection Law (PIPL). However, the IISARM regulations are also meant to safeguard national security in China as well as the social and public interest. In the meantime, under the new regulations, algorithms cannot be used to influence online public opinions.

Thus, the IISARM regulations could have broad implications on algorithm service providers, users, and the balance between user autonomy and national security, not to mention discovery in litigation matters in the United States.

Background

From a historical perspective, the prior rules from the DSL took effect on September 1, 2021, and they increased enforcement measures and restrictions regarding transferring data out of China. The DSL requires companies doing business in China to establish and improve their data security systems and promptly notify users and authorities of data breaches. Indeed, the DSL expanded China’s existing data rules to affect extraterritorial entities that conduct business in China.

Building on the DSL, the late-enacted PIPL went into effect on November 1, 2021. Under the PIPL, organizations that process personal information of China’s residents are subject to heightened requirements, including obtaining individuals’ consent to process personal information. Additionally, under Articles 36 and 41 of the PIPL, personal information handlers may not provide personal information to foreign judicial agencies without first seeking government approval. Fines for violating these articles are severe—up to 50 million yuan ($7.8 million USD) or 5% of a company’s annual revenue.

And now, new for 2022, the IISARM regulations, which came into effect on March 1 of this year, represent the most recent iteration of data privacy laws in China. The regulations apply algorithmic recommendation technology used to provide Internet information services in China. According to Article 2, algorithmic recommendation technology refers to, among other things, using personalized recommendation-type algorithmic technologies to provide information to users. Such algorithmic recommendation technology users include social media companies and news outlets.

The new regulations also include user rights. For example, Article 16 states that algorithmic recommendation service providers must notify users in a clear manner about the algorithmic recommendation services they provide and to publicize the basic principles, purposes, and motives in a suitable manner.

However, Article 13 states that if a service provider desires to provide Internet news information services, that provider (when operating in China) must obtain an Internet news information service permit and must not disseminate news not published by “work units in the State-determined scope.” Algorithm service providers who violate these or any other Article 13 provisions are subject to a fine between 10,000 and 100,000 yuan (approximately $1,570 and $15,700 USD), and, depending on the offense, criminal liability.

Potential Effects

The IISARM regulations may provide another barrier to cross-border transfers of information from algorithm service providers in China. Perhaps of most significance from a legal perspective, the regulations may allow Chinese litigants to refuse or delay discovery. For example, in In re Valsartan, Losartan, and Irbesartan Products Liability Litigation (D. N.J. Dec. 18, 2021), Chinese-based defendant ZHP invoked the DSL and the PIPL to avoid producing documents, arguing that the documents at issue were “state secrets.” In a published opinion on the issue, Judge Robert B. Kugler held that the PIPL and DSL did not shield discovery, and he warned that Chinese defendants must “know from the outset they risk serious consequences if and when they fail to obey a U.S. court’s order to compel discovery.”

While Judge Kugler was not swayed by ZHP’s attempt to block certain discovery based on the DSL and PIPL, the new IISARM regulations may further serve as an obstacle to discovery in foreign countries, such as the U.S., for litigants in China (and the cross-border transfers of information). For example, in Article 41, the PIPL states that no cross-border transfer of personal information can occur without national security review. Thus, the IISARM regulations add another layer of bureaucracy to that review, in that the authorities administering the regulations have expanded from the Cyberspace Administration of China to include three additional agencies—(1) the Ministry of Industry and Information Technology, (2) the Ministry of Public Security, and (3) the State Administration for Market Regulation. Thus, if litigants want to obtain information for discovery from China, they are likely to run into new administrative slowdowns.

Conclusion

Governments worldwide have implemented various privacy laws, such as the EU General Data Protection Regulation (GDPR) and the German Federal Data Protection Act (BDSG). These laws generally require any personal information, such as names, addresses, and email addresses, to be redacted from any documents produced in U.S. litigation.

The new IISARM regulations, similar to other privacy laws such as the GDPR and the BDSG, are aimed to protect the privacy of those countries’ citizens and to safeguard extraterritorial data transfer. However, the IISARM regulations, in conjunction with the DSL and PIPL, potentially go one step further in that certain requested data must be approved by the Chinese government before it can be obtained in discovery.