Written by: Huang Peng, senior lawyer at Shanghai Mankiw Law Firm

On June 25, OpenAI sent an official email to API (application interface) users, informing them that starting from July 9, API traffic from regions not included in the list of supported countries and regions will be blocked. If you want to continue using OpenAI's services, you need to access them in supported regions.

There was a lot of discussion at the time, and the media even described OpenAI's move as "cutting off supply." Some people think it is because of the US's suppression policy against China; some people think it is to prevent the domestic large model from being packaged and obtaining corpus. In fact, OpenAI has never opened its services to the domestic market. "Cutting off supply" is an exaggeration. It is more accurate to say that it has strengthened the ban. Therefore, all companies in my country that call API interfaces are essentially in a non-compliant state, which neither complies with OpenAI's policies nor domestic laws. So, where should these companies go next?

Migrate with the trend

In July 2023, the Cyberspace Administration of China and relevant departments jointly launched the "Interim Measures for the Administration of Generative Artificial Intelligence Services", which is the first special legislation for generative artificial intelligence in the world. According to the measures, providers of generative artificial intelligence services must use data and basic models with legal sources; OpenAI did not register algorithms and generative artificial intelligence services in accordance with domestic regulatory requirements. At the same time, according to OpenAI's policy, GPT services are not provided to Chinese users.

Under the "double violation", "shell" applications using the OpenAI API interface are in a state of being banned from operation at any time, which is not a good thing for a long-term project. The reason why domestic supervision still maintains a certain "leniency" is that the industry is in its early development stage after all, and the intensity of law enforcement has also gone from loose to tight. This ban by OpenAI can force domestic projects to develop in compliance.

Under the current situation, choosing domestic AI models for migration has become one of the key solutions that all applications that use Open API interfaces need to consider. At the same time, domestic large models have also lost no time in launching "relocation" solutions.

Through migration, the functions of the original application can be maintained stable, and the application and the company behind it can avoid breach of contract due to the loss of OpenAI API. In addition to considering the cost-effectiveness, applications can give priority to large models that have been registered with generative artificial intelligence services to avoid new compliance issues. It is worth noting that as of March 2024, a total of 117 large models in my country have been registered with the Cyberspace Administration of China.

However, since OpenAI released the announcement, some articles have suggested that applications using OpenAI API can be migrated to Azure OpenAI. The reason given is that Microsoft has cooperated with OpenAI and has not banned Chinese users from using it. So, can these applications adopt this suggestion and how compliant are they?

Azure OpenAI

First, let's take a look at what Azure OpenAI is.

Azure OpenAI is a service provided by Microsoft that provides REST API access to OpenAI's large language models, including GPT-4, GPT-4 Turbo with Vision, GPT-3.5-Turbo, and the Embedding model series. The Azure OpenAI service is completely controlled by Microsoft; Microsoft hosts the OpenAI models in the Azure environment, and the service does not interact with any services operated by OpenAI (such as ChatGPT or the OpenAI API). Moreover, Microsoft also joined the migration feast after the OpenAI "supply cut" incident.

Unlike OpenAI, Azure OpenAI does not restrict Chinese users from using it, which has been confirmed both in official publicity and verbal responses from staff. However, paradoxically, an official product available service area document seems to indicate that it is not available in China.

So, if Chinese companies that use the OpenAI API interface to develop AI projects choose to migrate their projects to Azure OpenAI, can they rest assured about compliance?

Compliance in doubt

As a global service, Microsoft has a complete data compliance policy. For example, it promises that data will not be open to OpenAI, will not be used to improve OpenAI or Microsoft's products and services, can be deleted at any time, prevent the generation of harmful content, and comply with the requirements of the EU GDPR and ISO 27001, ISO 27002, and ISO 27018. However, according to information learned by Attorney Mankiw, Azure OpenAI's compliance policy is not specifically adapted to Chinese law. Therefore, the compliance of using Azure OpenAI is still questionable in the following aspects.

Question 1: Data outflow

Azure's Chinese service is operated by China's 21Vianet, and its data center is located in China. However, Azure OpenAI is a global service, and its data center is outside China. When domestic key information infrastructure operators or other data processors transmit sensitive personal information, personal information, and important data that exceeds certain standards, they need to apply to the national cybersecurity and informatization department for data outbound security assessment and pass personal information protection certification. This is a huge compliance cost for domestic users, and since Azure OpenAI itself has not been found to have passed domestic assessment and certification, it is difficult to guarantee that it can pass smoothly.

Question 2: Failure to complete filing

According to the "Internet Information Service Algorithm Recommendation Management Regulations", "Internet Information Service Deep Synthesis Management Regulations" and "Interim Measures for the Management of Generative Artificial Intelligence Services", all generative artificial intelligence services with public opinion attributes or social mobilization capabilities should conduct security assessments and perform algorithm and model filing procedures. After searching, Azure OpenAI has not completed the filing of algorithms and large models. Therefore, for users who want to provide services to the domestic public, it is difficult to prove that the basic model is from a legal source and meet other regulatory requirements.

Summary: Azure OpenAI is an option for companies that want to use it for internal R&D and operations, not for the public, and not involving personal information or important data; otherwise, the compliance risks of using Azure OpenAI should be carefully evaluated. Since I do not have complete information, I have tried to analyze the compliance of Azure OpenAI based on public information. If there are any discrepancies, please contact Microsoft to correct them.

Worst Case

Some industry insiders have suggested that restrictions can be circumvented by using overseas servers or creating reverse proxies. This solution is to counter the blockade through technical means, but it cannot solve any compliance issues. On the contrary, doing so will increase the risk of data security and privacy. In terms of operations, domestic Apple and Android app markets can remove such apps; the stability of application services is also a big question mark.

summary

In the context of OpenAI restricting China from using its API, existing domestic AI companies must carefully assess compliance risks when considering migrating data to Azure OpenAI or other international services. At the same time, in the face of legal challenges brought about by new technologies, companies may need to actively explore localized solutions rather than blindly seeking "substitutions" to achieve compliance development in an ever-changing technological environment.