On August 20, 2021, the SCNPC promulgated the Personal Information Protection Law, which took effect on November 1, 2021. The Personal Information Protection Law aims at protecting the personal information rights and interests, regulating the processing of personal information, ensuring the orderly and free flow of personal information in accordance with the law, and promoting the reasonable use of personal information. According to the Personal Information Protection Law, personal information includes all kinds of identified or identifiable information related to natural persons recorded by electronic or other means, but excludes de-identified information. The Personal Information Protection Law also specified the rules for handling sensitive personal information, which includes biometrics, religious beliefs, specific identities, medical health, financial accounts, trails and locations, and personal information of teenagers under fourteen years old and other personal information, which, upon leakage or illegal usage, may easily infringe the personal dignity or harm of safety of livelihood and property. Personal information handlers shall bear responsibility for their personal information handling activities, and adopt necessary measures to safeguard the security of the personal information they handle. Otherwise, the personal information handlers will be ordered for rectification or suspension or termination of provision of services, confiscation of illegal income, subject to fines or other penalties.
Furthermore, on November 14, 2021, the CAC published the Administrative Regulations on Internet Data Security (Draft for Comments), or the Draft Data Security Regulations, which provides that data processors refer to individuals or organizations that, during their data processing activities such as data collection, storage, utilization, transmission, publication and deletion, have autonomy over the purpose and the manner of data processing. In accordance with the Draft Data Security Regulations, data processors shall apply for a cybersecurity review for certain activities, including, among other things, (i) the listing abroad of data processors that process the personal information of more than one million individuals and (ii) any data processing activity that affects or may affect national security. In addition, the Draft Data Security Regulations requires that data processors that process “important data” or are listed overseas must conduct an annual data security assessment by itself or commission a data security service provider to do so, and submit the assessment report of the preceding year to the municipal cybersecurity department by the end of January each year. As of the date of this annual report, the Draft Data Security Regulations is published for public comments only and the final version and effective date of which are subject to change with substantial uncertainty.
On January 4, 2022, the CAC published the Revised Cybersecurity Review Measures, which became effective on February 15, 2022 and repeal the Cybersecurity Review Measures promulgated on April 13, 2020. The Revised Cybersecurity Review Measures provide that a critical information infrastructure operator purchasing network products and services, and network platform operators engaging in data processing activities that affect or may affect national security, which affect or may affect national security, shall apply for cybersecurity review and that network platform operators that hold personal information of over one million users shall apply with the Cybersecurity Review Office for a cybersecurity review before any public offering at a foreign stock exchange.
On January 4, 2022, the CAC published the Administrative Provisions on Internet Information Service Algorithm Recommendation on its website, or the Algorithm Recommendation Provisions, which became effective on March 1, 2022 and raise certain new compliance requirements on internet information service providers using algorithm recommendation technology. Specifically, the Algorithm Recommendation Provisions require that such service providers shall provide users with options that are not specific to their personal characteristics, or provide users with convenient options to cancel algorithmic recommendation services.
On July 7, 2022, the CAC issued the Measures on Security Assessment of the Cross-border Transfer of Data, with effective from September 1, 2022. The measures provide that four types of cross-border transfers of critical data or personal data generated from or collected in the PRC should be subject to a security assessment, which include: (i) a data processor to transfer important data overseas; (ii) either a critical information infrastructure operator, or a data processor processing personal information of more than 1 million individuals, transfers personal information overseas; (iii) a data processor who has, since January 1 of the previous year, transferred personal information of more than 100,000 individuals overseas cumulatively, or transferred sensitive personal information of more than 10,000 individuals overseas cumulatively; or (iv) other circumstances under which security assessment of data cross-border transfer is required as prescribed by the national cyberspace administration.
Regulations on Publishing and Distribution of Publications
The State Council promulgated the Administrative Regulations on Publication, or the Publication Regulations, which was most recently amended on November 29, 2020. The Publication Regulations apply to publication activities, i.e., the publishing, printing, copying, importation or distribution of publications, including books, newspapers, periodicals, audio and video products and electronic publications, each of which requires approval from the relevant publication administrative authorities. According to the Publication Regulations, any entity engaging in the activities of publishing, printing, copying, importation or distribution of publications, shall obtain relevant permits of publishing, printing, copying, importation or distribution of publications. We do not engage in publishing business. Instead, Beijing New Oriental Dogwood Cultural Communications Co., Ltd., a subsidiary of New Oriental China, has been cooperating with qualified PRC publishing companies to publish our in-house developed teaching materials and other content.
According to Measures for the Administration of Internal Informative Publications, the editing and printing of internal informative publications is subject to the internal informative publications printing permit, though the permit of publishing is not required. Internal informative publications are defined as publications used for internal information communication and work guidance purpose and are not for sale. Measures for the Administration of Internal Informative Publications particularly clarify that textbooks and ancillary teaching materials should be published by publishing companies and are not internal informative publications. New Oriental China and its schools and subsidiaries engage in printing and providing teaching handouts and other materials to our students. Under the new regulation, it is uncertain whether printing and providing teaching handouts and other materials to our students would be deemed publishing activities. If the NPPA or its local branches or other competent authorities deem such activities as publishing, we may become subject to significant penalties, fines, legal sanctions or an order suspending our printing and providing of teaching handouts and other materials to our students.