Our business involves collecting and retaining certain internal and external data and information including that of our customers and suppliers. The integrity and protection of such information and data are crucial to us and our business. Owners of such data and information expect that we will adequately protect their personal information. We are required by applicable laws to keep strictly confidential the personal information that we collect, and to take adequate security measures to safeguard such information.
The PRC Criminal Law, as amended by its Amendment 7 (effective on February 28, 2009) and Amendment 9 (effective on November 1, 2015), prohibits institutions, companies and their employees from selling or otherwise illegally disclosing a citizen's personal information obtained in performing duties or providing services or obtaining such information through theft or other illegal ways. On November 7, 2016, the Standing Committee of the PRC National People's Congress issued the Cyber Security Law of the PRC (the "Cyber Security Law"), which became effective on June 1, 2017. Pursuant to the Cyber Security Law, network operators must not, without users' consent, collect their personal information, and may only collect users' personal information necessary to provide their services. Providers are also obliged to provide security maintenance for their products and services and shall comply with provisions regarding the protection of personal information as stipulated under the relevant laws and regulations.
The Civil Code of the PRC (issued by the PRC National People's Congress on May 28, 2020 and effective from January 1, 2021) provides a legal basis for privacy and personal information infringement claims under the Chinese civil laws. Chinese regulators, including the CAC, the Ministry of Industry and Information Technology, and the Ministry of Public Security, have been increasingly focused on regulation in data security and data protection.
On August 20, 2021, the Standing Committee of the 13th National People's Congress of China issued the final version of the Personal Information Protection Law (the "PIPL"), which became effective on November 1, 2021. The PIPL imposes on China-based data processors (such as our China-based subsidiaries) significant obligations with respect to, among other things, obtaining, processing and cross-border transferring personal information. The PIPL may subject a data processor to a penalty of as much as RMB50 million or 5% of the preceding year's turnover.
The Chinese regulatory requirements regarding cybersecurity are evolving. For instance, various regulatory bodies in China, including the CAC, the Ministry of Public Security and the State Administration for Market Regulation, have enforced data privacy and protection laws and regulations with varying and evolving standards and interpretations.
In November 2021, the CAC and other related authorities released the amended Cybersecurity Review Measures which became effective on February 15, 2022. Under the amended Cybersecurity Review Measures:
- companies who are engaged in data processing are also subject to the regulatory scope;
- the CSRC is included as one of the regulatory authorities for purposes of jointly establishing the state cybersecurity review working mechanism;
- the operators (including both operators of critical information infrastructure and relevant parties who are engaged in data processing) holding more than one million users/users' (which are to be further specified) individual information and seeking a listing outside China shall file for cybersecurity review with the Cybersecurity Review Office; and
- the risks of core data, material data or large amounts of personal information being stolen, leaked, destroyed, damaged, illegally used or transmitted to overseas parties and the risks of critical information infrastructure, core data, material data or large amounts of personal information being influenced, controlled or used maliciously shall be collectively taken into consideration during the cybersecurity review process.
As a result of the promulgation of the amended Cybersecurity Review Measures, we may become subject to enhanced cybersecurity review. Certain internet platforms in China have been reportedly subject to heightened regulatory scrutiny in relation to cybersecurity matters. As of the date of this Form 10-K, we have neither been subject to heightened regulatory scrutiny with respect to cybersecurity matters nor been informed by any Chinese governmental authority of any requirement that we file for a cybersecurity review. However, if we are deemed to be a critical information infrastructure operator or a company that is engaged in data processing and holds personal information of more than one million users, we could be subject to Chinese cybersecurity review.
As there remains significant uncertainty in the interpretation and enforcement of relevant Chinese cybersecurity laws and regulations, we could be subject to cybersecurity review, and if so, we may not be able to pass such review. In addition, we could become subject to enhanced cybersecurity review or investigations launched by Chinese regulators in the future. Any failure or delay in the completion of the cybersecurity review procedures or any other non-compliance with the related laws and regulations may result in fines or other penalties, including suspension of business, website closure, removal of our app from the relevant app stores, and revocation of prerequisite licenses, as well as reputational damage or legal proceedings or actions against us, which may have a material adverse effect on our business, financial condition or results of operations. As of the date of this Form 10-K, we have neither been involved in any investigations on cybersecurity review initiated by the CAC or any other Chinese regulatory authority nor have we received any inquiry, notice or sanction in such respect. We believe that we are in compliance with the aforementioned regulations and policies that have been issued by the CAC.
On June 10, 2021, the Standing Committee of the National People's Congress of China (the "SCNPC") promulgated the PRC Data Security Law, which took effect on September 1, 2021. The PRC Data Security Law imposes data security and privacy obligations on entities and individuals carrying out data activities, and introduces a data classification and hierarchical protection system based on the importance of data in economic and social development, and the degree of harm it will cause to national security, public interests, or legitimate rights and interests of individuals or organizations when such data is tampered with, destroyed, leaked, illegally acquired or used. The PRC Data Security Law also provides for a national security review procedure for data activities that may affect national security and imposes export restrictions on certain data and information.
As of the date of this Form 10-K, we do not expect that the current Chinese laws on cybersecurity or data security or the PIPL would have a material adverse impact on our business operations. However, as uncertainties remain regarding the interpretation and implementation of these laws and regulations, we cannot assure you that we will comply with such regulations in all respects and we may be ordered to rectify or terminate any actions that are deemed illegal by regulatory authorities. We may also become subject to fines and/or other sanctions which may have a material adverse effect on our business, operations and financial condition.