Internet Information Security and Privacy Protection
In November 2016, the SCNPC promulgated the Cyber Security Law of the PRC, or the Cyber Security Law, which became effective on June 1, 2017. The Cyber Security Law requires that a network operator, which includes, among others, internet information services providers, to take technical measures and/or other necessary measures in accordance with applicable laws, regulations and national and industrial standards, to ensure the safe and stable operation of its networks. We are considered an “internet information service provider” as we operate website and mobile application and providing certain internet services mainly through our mobile application. The Cyber Security Law further requires internet information service providers to formulate contingency plans for network security incidents, report to competent departments immediately upon the occurrence of any incident endangering cyber security and take corresponding remedial measures. Internet information service providers are also required to maintain the integrity, confidentiality and availability of network data. The Cyber Security Law reaffirms the basic principles and requirements specified in other existing laws and regulations on personal data protection, such as the requirements on the collection, use, processing, storage and disclosure of personal data, and internet information service providers being required to take technical and other necessary measures to ensure the security of the personal information they have collected and prevent the personal information from being divulged, damaged or lost. Any violation of the Cyber Security Law may subject the internet information service provider like us to warnings, fines, confiscation of illegal gains, revocation of licenses, cancellation of filings, shutdown of websites or criminal liabilities.
The recommended national standard, Information Security Technology Personal Information Security Specification, which became effective in October 2020, puts forward specific refinement requirements on the collection, preservation, use, sharing, transfer, and public disclosure of personal information. Although it is not mandatory, in the absence of clear implementation rules and standards for the law on cyber security and other personal information protection, it will be used as the basis for judging and making determinations. On November 28, 2019, The Notice of Identification Method of Application Illegal Collection and Use of Personal Information was issued, which provides a reference for the identification of illegal collection and use of personal information by mobile apps, and provides guidance for app operators’ self-inspection and self-correction and netizens’ social supervision.
On June 10, 2021, the Standing Committee of the National People’s Congress of China promulgated the Data Security Law of PRC, or Data Security Law, which took effect in September 2021. The Data Security Law sets forth data security and privacy related compliance obligations on entities and individuals carrying out data related activities. The Data Security Law also introduces a data classification and layered protection system based on the importance of data and the degree of impact on national security, public interests or legitimate rights and interests of individuals or organizations when such data is tampered with, destroyed, leaked or illegally acquired or used. In addition, the Data Security Law provides a national security review procedure for those data activities that may affect national security, and imposes export restrictions on certain data and information. According to the PRC National Security Law, the State shall establish institutions and mechanisms for national security review and regulation, and conduct national security review on certain matters that affect or may affect PRC national security, such as key technologies and IT products and services. In early July 2021, regulatory authorities in China launched cybersecurity investigations with regard to several China-based companies that are listed in the United States.
On July 10, 2021, the CAC released the revised draft of Cybersecurity Review Measures (for public comments). On December 28, 2021, the CAC, NDRC, MIIT, the MPS, the Ministry of National Security, the MOF, the MOFCOM, the People’s Bank of China, the SAMR, the National Radio and Television Administration, the CSRC, the National Administration of State Secrets Protection and the State Cryptography Administration jointly released the Cybersecurity Review Measures, which took effect on February 15, 2022. Pursuant to the Cybersecurity Review Measures, network platform operators with information of over one million users shall be subject to cybersecurity review before listing abroad. The cybersecurity review will evaluate, among others, the risk of critical information infrastructure, core data, important data, or the risk of a large amount of personal information being influenced, controlled or maliciously used by foreign governments after going public, and Cyber information security risk.
On August 17, 2021, the State Council promulgated the Regulations on the Protection of the Security of Critical Information Infrastructure, or the CIIO Regulations, which took effect in September 2021. The CIIO Regulations supplement and specify the provisions on the security of critical information infrastructure as stated in the Cyber Security Law. The CIIO Regulations provide, among others, that protection department of certain industry or sector shall notify the operator of the critical information infrastructure in time after the identification of certain critical information infrastructure. According to the CIIO Regulations, operators of certain industries or sectors that may endanger national security, people’s livelihood and public interest in case of damage, function loss or data leakage may be identified as critical information infrastructure operators by the CAC or the respective industrial regulatory authorities once they meet the identification standards promulgated by the governmental authorities.
96