Dieser Artikel ist derzeit auf Englisch verfügbar.
China's AI Governance: PIPL, CAC Regulations, and the World's Most Comprehensive AI Rulebook
China has the world's most complete suite of AI-specific regulations — the Algorithm Recommendation Provisions, the Deep Synthesis Provisions, and the Generative AI Service Management Provisions — all alongside PIPL's comprehensive data protection framework. Here is the complete picture.
Key Takeaways
China has more AI-specific regulations than any other jurisdiction: Algorithm Recommendation Provisions (2022), Deep Synthesis Provisions (2022), Generative AI Service Management Provisions (2023), and AI Labelling Rules (2025).
The Personal Information Protection Law (PIPL), in force since November 2021, applies comprehensive data protection obligations to AI systems — with stricter cross-border transfer controls than GDPR.
The Cyberspace Administration of China (CAC) is the primary AI regulator, with enforcement powers that include suspension of services for non-compliant operators.
Generative AI providers in China must file with the CAC and must not generate content that violates 'core socialist values', endangers national security, or is 'false information'. Training data must meet quality and legality standards.
Cross-border data transfers for critical information infrastructure operators and large-scale processors require CAC security assessments — this directly constrains how AI companies can export Chinese user data for model training.
"Nur zu Informationszwecken. Dieser Artikel stellt keine rechtliche, regulatorische, finanzielle oder professionelle Beratung dar. Konsultieren Sie einen qualifizierten Spezialisten für spezifische Beratung."
Why China's AI regulation is unlike any other
China has approached AI regulation differently from every other major jurisdiction. While the EU built a horizontal risk-based framework and the US relies on agency enforcement of existing laws, China has built a layered suite of AI-specific regulations that address different AI modalities — recommendation algorithms, synthetic media, and generative AI — as distinct regulatory objects with distinct obligations. This produces the most comprehensive (and most complex) AI regulatory environment of any major economy.
For organisations operating in China or providing AI services to Chinese users, understanding this regulatory stack is essential. Missteps carry serious consequences: CAC has suspended services from major platforms for non-compliance, and the regulatory environment is actively enforced.
The regulatory stack
Algorithm Recommendation Provisions (March 2022): Apply to organisations that use algorithmic recommendation technologies to recommend information to users. Requirements include: disclosure that algorithm-based recommendations are being used, options for users to opt out of personalised recommendation, and requirements to avoid over-promoting content based on consumption addiction patterns. Large-scale algorithm recommendation service providers must file with the CAC.
Deep Synthesis Provisions (December 2022): Apply to providers of deep synthesis (deepfake) technologies — AI used to generate synthetic audio, video, images, and text. Providers must: label deep synthesis content as AI-generated, implement identity authentication where services are used to generate realistic synthetic persons, and maintain user logs. Real-name registration is required for users of high-risk deep synthesis services.
Generative AI Service Management Provisions (August 2023): The most significant AI-specific regulation for international companies. Applies to organisations providing publicly available generative AI services to users in China. Requirements include: filing with the CAC before launching the service publicly; ensuring training data is "accurate, objective, and diverse" and meets Chinese law; not generating content that violates core socialist values, endangers national security, incites discrimination, or constitutes false information; and labelling AI-generated content. The extraterritorial scope means that foreign companies providing generative AI services accessible in China may be in scope.
AI Labelling Rules (2025): China promulgated AI content labelling rules in 2025 requiring service providers to add both explicit labels (visible to users) and implicit labels (machine-readable metadata) to AI-generated content. This applies across text, audio, image, and video generation.
PIPL: data protection for AI in China
The Personal Information Protection Law, in force since November 2021, creates GDPR-comparable data protection obligations with some significant differences. Consent is the primary legal basis for most personal data processing. Automated decision-making using personal information must be transparent: users must have the right to refuse, correct, and request human review of automated decisions that significantly affect their interests.
Cross-border data transfers are where PIPL most significantly constrains AI governance. Critical information infrastructure operators and large-scale processors processing personal information above defined thresholds must pass CAC security assessments before transferring data out of China. This directly constrains AI companies that want to use Chinese user data to train or fine-tune models outside China. Standard contract clauses are available for some transfers below the threshold, and PIPL-adequacy certification is in development.
CAC enforcement: active and consequential
The Cyberspace Administration of China has enforcement powers that it exercises actively. CAC has conducted investigations of major domestic platforms, required algorithmic audits, and suspended services from non-compliant providers. Didi, the ride-hailing company, faced a CAC data security review that resulted in an extended service suspension. ByteDance faces ongoing CAC oversight of TikTok's domestic operations. For international companies providing AI services accessible in China, CAC's reach and willingness to act are real compliance considerations.