As a technology-based platform, our business generates and processes a large quantity of personal, transaction, behavioral and demographic data. We face risks inherent in handling and protecting large volumes of data, including protecting the data hosted in our system, detecting and prohibiting unauthorized data sharing and transfer, preventing attacks on our system by outside parties or fraudulent behavior or improper use by our employees, and maintaining and updating our database. Any system failure, security breach or third-party attack or attempt to illegally obtain the data that results in any actual or perceived release of user data could damage our reputation and brand, deter current and potential customers from using our services, damage our business, and expose us to potential legal liability.
We also have access to a large amount of confidential information in our day-to-day operations. Each waybill contains the names, addresses, phone numbers and other contact information of the sender and recipient of an order placed and delivered through our platforms. The content of the item delivered may also constitute or reveal confidential information. Although we have data security polices and measures in place, for example, leveraging our encryption techniques, order code, instead of actual personal information, of each transaction on our platforms will be shown to our personnel as well as riders handling the orders, we cannot assure you that the information will not be misappropriated, as a large number of riders and our personnel handle the orders and have access to the relevant confidential information. All of the riders are not our employees, which makes it more difficult for us to implement adequate management, supervision and control over them.
We are subject to domestic laws and regulations relating to the collection, use, storage, transfer, disclosure and security of personally identifiable information with respect to our customers and employees including any requests from regulatory and government authorities relating to this data. Further, PRC regulators have been increasingly focused on regulation in the areas of cybersecurity and data protection. For example, on June 10, 2021, the Standing Committee of the National People's Congress promulgated the PRC Data Security Law. The PRC Data Security Law and the Regulations on Security Protection of Critical Information Infrastructure promulgated by the State Council on July 30, 2021, among others, provide for a security review procedure for the data activities conducted by critical information infrastructure operators that may affect national security. As of the date of this annual report, no detailed rules or implementation has been issued by any authority and we have not been informed as a critical information infrastructure operator by any government authorities. Furthermore, the exact scope of "critical information infrastructure operators" under the current regulatory regime remains unclear, and the PRC government authorities may have wide discretion in the interpretation and enforcement of these laws. Therefore, it is uncertain whether we would be deemed as a critical information infrastructure operator under PRC law. If we are deemed as a critical information infrastructure operator under the PRC cybersecurity laws and regulations, we must fulfill certain obligations as required under these laws and regulations, including, among others, storing personal information and important data collected and produced within the PRC territory during our operations in the Chinese mainland, which we have fulfilled in our business, and we may be subject to review when purchasing internet products and services.
On November 14, 2021, the CAC released the Network Data Security Management Regulations (Draft for Comments), which requires data processors to conduct cybersecurity reviews and annual data security assessments. However, there have been no clarifications from the authorities as of the date of this annual report as to the standards for determining such activities that "affect or may affect national security." If the final version of the draft regulations is adopted, we may be subject to review when conducting data processing activities and annual data security assessments and may face challenges in addressing its requirements and make necessary changes to our internal policies and practices in data processing. As of the date of this annual report, the draft regulations were released for public comments only, and their respective provisions and the anticipated adoption or effective date may be subject to change with substantial uncertainty. The draft regulations remain unclear on whether the requirements will be applicable to companies that have been listed in the United States, such as us. We cannot predict the impact of the draft regulations, if any, at this stage, and we will closely monitor and assess any development in the rule-making process. If the enacted versions of the draft regulations mandate clearance of cybersecurity review and other specific actions to be completed by China-based companies listed on a U.S. stock exchange, such as us, we face uncertainties as to whether such clearance can be timely obtained, or at all.
On December 28, 2021, the CAC, together with other government authorities in the Chinese mainland issued the Measures for Cybersecurity Review (2021 version). Pursuant to the measures, critical information infrastructure operators that procure internet products and services, and data processing operators engaging in data processing activities, must be subject to the cybersecurity review if their activities affect or may affect national security. The measures further stipulate that an online platform operator holding over one million users' personal information shall apply with the Cybersecurity Review Office for a cybersecurity review when it seeks to list overseas. On July 7, 2022, the CAC promulgated the Measures for the Security Assessment of Cross-border Data Transfer. These measures regulate the security assessment of important data and personal information collected and generated within the territory of China and transferred overseas by a data processor during its operation. According to these measures, where a data processor transfers data overseas under certain circumstances, it shall apply to the provincial department of the CAC for a security assessment. On March 22, 2024, the CAC promulgated the Provisions on Promoting and Regulating Cross-border Data Transfer, which took effect on the same day, pursuant to which, any data processor which exports personal information shall apply for a security assessment before transferring any personal information abroad under certain circumstances. As of the date of this annual report, we have not been involved in any formal investigations on cybersecurity review made by the CAC on such basis and are not required to go through cybersecurity review by the CAC. However, if we are not able to comply with the cybersecurity and network data security requirements in a timely manner, or at all, we may be subject to government enforcement actions and investigations, fines, penalties, suspension of our non-compliant operations, or removal of our app from application stores, among other sanctions, which could materially and adversely affect our business and results of operations, significantly limit or completely hinder our ability to continue to offer securities to investors, or cause the value of such securities to significantly decline. In particular, if it is determined in the future that the approval of the CAC or any other regulatory authority is required for our offering, any failure to complete such procedures for our offshore offerings, would subject us to sanctions by the CAC or other PRC regulatory authorities. See "-Risks Related to Doing Business in China-We may be required to complete filing procedures with the CSRC in connection with our future offerings. We cannot predict whether we will be able to complete such filing in a timely manner, or at all." Based on the foregoing, our PRC legal counsel does not expect that, as of the date of this annual report, the current applicable PRC laws on cybersecurity would have a material adverse impact on our business.
On August 20, 2021, the Standing Committee of the National People's Congress promulgated the Personal Information Protection Law, which integrates the scattered rules with respect to personal information rights and privacy protection. Our mobile apps and websites only collect basic user personal information that is necessary to provide the corresponding services. We do not collect any sensitive personal information or other excessive personal information that is not related to the corresponding services. We update our privacy policies from time to time to meet the latest regulatory requirements of the CAC and other authorities and adopt technical measures to protect data and ensure cybersecurity in a systematic way. Nonetheless, the Personal Information Protection Law raises the protection requirements for processing personal information, and many specific requirements of the Personal Information Protection Law remain to be clarified by the CAC, other regulatory authorities, and courts in practice. We may be required to make further adjustments to our business practices to comply with the personal information protection laws and regulations.
The PRC Cybersecurity Law, the PRC Data Security Law, the Personal Information Protection Law and the Civil Code are relatively new and subject to interpretation by the regulators. Although we only gain access to user information that is necessary for, and relevant to, the services provided, the data we obtain and use may include information that is deemed as "personal information," "network data" or "important data" under the PRC Cybersecurity Law, the Civil Code and related data privacy and protection laws and regulations. As such, we have adopted a series of measures to ensure that we comply with the laws and regulations in the collection, use, disclosure, sharing, storage, and security of user information and other data. The PRC Data Security Law also stipulates that the authorities will formulate the catalogues for important data and strengthen the protection of important data, and state core data, i.e., data having a bearing on national security, the lifelines of national economy, people's key livelihood and major public interests, shall be subject to stricter management system. The exact scopes of important data and state core data remain unclear and may be subject to further interpretation. If any data that we are in possession of constitutes important data or state core data, we may be required to adopt stricter measures for protection and management of such data.
We are constantly in the process of evaluating the potential impact of the laws, regulations and policies relating to cybersecurity, privacy, data protection and information security on our current business practices. All these laws and regulations may result in additional expenses and obligations to us and subject us to negative publicity, which could harm our reputation and negatively affect the trading price of the ADSs. We expect that these areas will receive greater public scrutiny and attention from regulators and more frequent and rigid investigation or review by regulators, which will increase our compliance costs and subject us to heightened risks and challenges. If we are unable to manage these risks, we could become subject to penalties, fines, suspension of business and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected. We believe, to the best of our knowledge, that our business operations are compliant with the currently effective PRC laws relating to cybersecurity, data security, and personal data and privacy laws in all material respects. We have taken and will continue to take reasonable measures to comply with such laws and regulations. For details of the abovementioned laws and regulations, see "Item 4. Information on the Company-B. Business Overview-Regulation."