We may become subject to a variety of laws and regulations in the PRC regarding privacy, data security, cybersecurity, and data protection. These laws and regulations are continuously evolving and developing. The scope and interpretation of the laws that are or may be applicable to us are often uncertain and may be conflicting. In particular, there are a number of laws and regulations regarding privacy and the collection, sharing, use, processing, disclosure, and protection of personal information and other user data. Such laws and regulations often vary in scope, may be subject to differing interpretations, and may be inconsistent among different jurisdictions.
The PRC Criminal Law, as amended by its Amendment 7 (effective on February 28, 2009) and Amendment 9 (effective on November 1, 2015), prohibits institutions, companies and their employees from selling or otherwise illegally disclosing a citizen's personal information obtained during the course of performing duties or providing services or obtaining such information through theft or other illegal ways. On November 7, 2016, the Standing Committee of the PRC National People's Congress issued the Cyber Security Law of the PRC, or Cyber Security Law, which became effective on June 1, 2017. The Cyber Security Law is the first PRC law that systematically lays out the regulatory requirements on cybersecurity and data protection, subjecting many previously under-regulated or unregulated activities in cyberspace to government scrutiny. Pursuant to the Cyber Security Law, network operators must not, without users' consent, collect their personal information, and may only collect users' personal information necessary to provide their services. Providers are also obliged to provide security maintenance for their products and services and shall comply with provisions regarding the protection of personal information as stipulated under the relevant laws and regulations. The legal consequences of violation of the Cyber Security Law include penalties such as warnings, confiscation of illegal income, suspension of related business, winding up for rectification, shutting down the websites, and revocation of business license or relevant permits. As of the date of this annual report, we have not been involved in any investigations or cybersecurity reviews by the CAC, and we have not received any inquiry, notice, warning, or sanction in such respect.
The Civil Code of the PRC (issued by the PRC National People's Congress on May 28, 2020, and effective from January 1, 2021) provides the main legal basis for privacy and personal information infringement claims under the Chinese civil laws. PRC regulators, including the CAC, Ministry of Industry and Information Technology, and the Ministry of Public Security, have been increasingly focused on regulation in the areas of data security and data protection. The PRC regulatory requirements regarding cybersecurity are constantly evolving. For instance, various regulatory bodies in China, including the CAC, the Ministry of Public Security and the State Administration for Market Regulation, have enforced data privacy and protection laws and regulations with varying and evolving standards and interpretations.
On July 30, 2021, the State Council promulgated the Regulations on Security Protection of Critical Information Infrastructure, or the CII Regulations, which became effective on September 1, 2021. Pursuant to the CII Regulations, critical information infrastructure refers to any important network facilities or information systems of an important industry or field such as public communication and information service, energy, transport, water conservation, finance, public services, e-government affairs, science and technology industry for national defense and other industries and sectors that may seriously endanger national security, people's livelihood and public interest in case of damage, function loss or data leakage. In addition, relevant administration departments of each critical industry and sector are responsible for formulating eligibility criteria and determining the critical information infrastructure in the respective industry or sector. The operators will be informed about the final determination as to whether they are categorized as critical information infrastructure operators, or CIIOs.
As of the Date of this annual report, no detailed rules or interpretations have been issued and we have not been informed by any governmental authorities that we are a CIIO. However, the exact scope of CIIOs under the current regulatory regime remains unclear, and the PRC governmental authorities have discretion in the interpretation and enforcement of these laws and regulations. Therefore, it is uncertain whether we would be deemed as a CIIO under PRC law. According to our PRC counsel, Guantao Law Firm, if we are identified as CIIO, we will be subject to stricter requirements on business operations and cybersecurity compliance, and we may need to follow cybersecurity review procedure and apply with Cybersecurity Review Office before making certain purchases of network products and services, and if a cybersecurity review is applicable, we may be required to suspend providing any existing or new services to our users, and we may experience other disruptions of our operations.
On November 14, 2021, the CAC published the Security Administration Draft, which provides that data processing operators engaging in data processing activities that affect or may affect national security must be subject to network data security review by the relevant Cyberspace Administration of the PRC. According to the Security Administration Draft, data processing operators who possess personal data of at least one million users or collect data that affects or may affect national security must be subject to network data security review by the relevant Cyberspace Administration of the PRC. The deadline for public comments on the Security Administration Draft was December 13, 2021. The Security Administration Draft has not been fully implemented.
On December 28, 2021, the CAC and other twelve PRC regulatory authorities jointly revised and promulgated the Measures for Cybersecurity Review, or the Cybersecurity Review Measures, which is consistent with the Cybersecurity Review Measures (Revision Draft for Comment) announced by the CAC on July 10, 2021.Pursuant to the Cybersecurity Review Measures: (i) "operator of critical information infrastructure" should take the initiative to report to the Cybersecurity Review Office for cybersecurity review when purchasing network products and services which affects or may affect national security; (ii) network platform operators possessing the personal information of more than one million users must apply to the Cybersecurity Review Office for cybersecurity review when list abroad; and (iii) data processor carrying out data processing activities that affect or may affect national security should be subject to cybersecurity review. The Cybersecurity Review Measures further elaborated on the factors to be considered when assessing the national security risks of the relevant activities, including, among others, (a) the risk of core data, important data or a large amount of personal information being stolen, leaked, destroyed, and illegally used or exited the country; and (b) the risk of critical information infrastructure, core data, important data or a large amount of personal information being affected, controlled, or maliciously used by foreign governments after listing abroad.
We believe, in consultation with our PRC counsel, Guantao Law Firm, that we have none of the aforesaid factors in our business, and given that: (i) we have not been informed to be an operator of critical information infrastructure by any governmental authorities; (ii) we do not possess the personal information of more than one million users; and (iii) the type and nature of the personal information we gather is of relatively low national security significance. However, there remains uncertainty as to how the Cybersecurity Review Measures will be interpreted or implemented and whether the PRC regulatory agencies, including the CAC, may adopt new laws, regulations, rules, or detailed implementation and interpretation related to the Cybersecurity Review Measures. If a cybersecurity review is required, we will actively cooperate with the CAC to conduct such cybersecurity review. According to our PRC counsel, any failure to comply with applicable laws or regulations or any other obligations relating to privacy, data protection or information security, or any compromise of security that results in unauthorized access, collection, transfer, use or release of personally identifiable information or other data, or the perception or allegation that any of the foregoing types of failure or compromise has occurred, could damage our reputation or result in investigations, fines, or other penalties by government authorities and private claims or litigation, any of which could materially adversely affect our business, financial condition and results of operations. If any such new laws, regulations, rules, or implementation and interpretation comes into effect, we will take all reasonable measures and actions to comply and to minimize the adverse effect of such laws on us.
On June 10, 2021, the Standing Committee of the NPC promulgated the PRC Data Security Law, which took effect on September 1, 2021. The Data Security Law also sets forth the data security protection obligations for entities and individuals handling personal data, including that no entity or individual may acquire such data by stealing or other illegal means, and the collection and use of such data should not exceed the necessary limits the costs of compliance with, and other burdens imposed by, CSL and any other cybersecurity and related laws may limit the use and adoption of our products and services and could have an adverse impact on our business. Any organizational or individual data processing activities that violate the Data Security Law shall bear the corresponding civil, administrative or criminal liabilities depending on specific circumstances. During the years ended December 31, 2020, 2021, and 2022, and up to the date of this annual report, we had not experienced any material data or personal information leakage or loss, infringement of data or personal information, or information security incident, nor had we been subject to or involved in any official inquiry, examination, warning, interview on cybersecurity, data security and personal information protection by relevant competent regulatory authorities.
On August 20, 2021, the Standing Committee of the NPC approved the Personal Information Protection Law ("PIPL"), which became effective on November 1, 2021. The PIPL regulates collection of personal identifiable information and seeks to address the issue of algorithmic discrimination. Companies in violation of the PIPL may be subject to warnings and admonishments, forced corrections, confiscation of corresponding income, suspension of related services, and fines. As of the date of this annual report, we have not received any personal data protection related administrative warnings or penalties from any competent PRC regulatory authorities.
We cannot assure you that PRC regulatory agencies, including the CAC, would take the same view as we do, and there is no assurance that we and/or our PRC subsidiaries can fully or timely comply with such laws as our business develops. In the event that we or our PRC subsidiaries are subject to any mandatory cybersecurity review and other specific actions required by the CAC, we face uncertainty as to whether any clearance or other required actions can be timely completed, or at all. Given such uncertainty, we and/or our PRC subsidiaries may be further required to suspend the relevant business, or face other penalties, which could materially and adversely affect our business, financial condition, and results of operations. From time to time, we communicate with the competent authorities, including the local branch of the CAC, and expect to closely monitor and assess further regulatory developments regarding cybersecurity and data privacy laws, including the development on cybersecurity review, and comply with the latest regulatory requirements.