Simpson Thacher & Bartlett
ICBC Tower, 35th Floor, 3 Garden Road, Central, Hong Kong
Telephone: +852-2514-7600 Facsimile: +852-2869-7694
Direct Dial Number: +852-2514-7660 | E-mail Address: dfertig@stblaw.com
March 24, 2023
VIA EDGAR
Division of Corporation Finance
U.S. Securities and Exchange Commission
100 F Street, N.E.
Washington, D.C. 20549
Attention: Nicholas Nalbantian
Donald Field
Re: Alibaba Group Holding Ltd
Form 20-F for the Fiscal Year Ended March 31, 2022 Filed July 26, 2022
Response Dated October 3, 2022 and January 11, 2023
File No. 001-36614
Ladies and Gentlemen:
On behalf of our client, Alibaba Group Holding Limited, a company organized under the laws of the Cayman Islands (together with its subsidiaries, the “Company” or “Alibaba”), we respond to the comments contained in the letter from the staff (the “Staff”) of the Securities and Exchange Commission (the “Commission”), dated February 24, 2023 (the “February 24 Comment Letter”), relating to the Company’s response letter, dated January 11, 2023 (the “January 11 Response”) to the Commission’s comment letter dated December 12, 2022, and the Company’s response letter, dated October 3, 2022, to the Commission’s comment letter, dated September 7, 2022, regarding the Company’s annual report on Form 20-F for the fiscal year ended March 31, 2022 filed with the Commission on July 26, 2022 (the “2022 20-F”).
Set forth below are the Company’s responses to the Staff’s comments in the February 24 Comment Letter. The Staff’s comments are retyped below for ease of reference. In amending the proposed disclosure, the Company has also made certain additional clarifications and amendments. The Company respectfully advises the Staff that where the Company proposes to add or revise disclosure to its future filings on Form 20-F in response to the Staff’s comments, the changes to be made will be subject to relevant factual updates and changes in relevant laws or regulations, or in interpretations thereof.
michael j.c.M. ceulen | marjory j. ding | daniel fertig | adam C. furber | YI GAO | MAKIKO HARUNARI | Ian C. Ho | JONATHAN HWANG | anthony d. king | jin hYUK park | christopher k.s. wong |
resident partners
simpson thacher & bartlett, hong kong is an affiliate of simpson thacher & bartlett llp with offices in:
New York | Beijing | Brussels | Houston | LONDON | Los Angeles | Palo Alto | SÃO PAULO | TOKYO | Washington, D.C. |
In the Annexes, the Company is only including the updated information and disclosure that is responsive to the Staff’s remaining two comments from the February 24 Comment Letter.
* * * *
Risk Factors
Summary of Risk Factors, page 1
1. We note your response to comment 6 and reissue in part. We note your revisions in Annex B to include specific cross-references to the more detailed discussion of the risks in the annual report for bullets one and two. However, please revise to include specific cross-references (titles and page numbers) for all the risk factors discussed in this portion of the risk factor summary.
The Company acknowledges the Staff’s comment and respectfully advises the Staff that the Company will revise disclosure consistent with the changes set forth in the revised Annex B, in which further revisions made in response to this comment are bolded and underlined, in its 2023 20-F.
Our business is subject to complex and evolving domestic and international laws and regulations regarding privacy and data protection, page 23
2. We note your response to comment 7 and reissue. In light of recent events indicating greater oversight by the Cyberspace Administration of China (CAC) over data security, please revise your risk factor disclosure to explain in greater detail how you believe this oversight impacts the company and its business and to what extent you believe that you are compliant with the regulations or policies that have been issued by the CAC to date. In this regard, we note that the revised risk factor continues to generally describe the new or proposed laws and regulations but doesn't evaluate how the company will actually be impacted by the new or proposed laws and regulations. Please revise to clarify and specifically address if you believe you will be subject to a cybersecurity review under these new or proposed laws and regulations. To the extent you do not believe you will be subject to a cybersecurity review, discuss specifically how you came to that conclusion including the specific underlying facts and circumstances which support that determination. For example, the third paragraph discusses operators of critical information infrastructure, network platform operators and data processors but doesn't provide any analysis regarding whether the company will be captured by these new or proposed laws and regulations based upon the company's number of users or the type of data that the company collects. Please revise as applicable so investors can clearly understand how these new or proposed laws and regulations will impact the company and its business and any future offerings.
The Company acknowledges the Staff’s comment and respectfully advises the Staff that the Company will revise its disclosure consistent with the changes set forth in the revised Annex C in its 2023 20-F. In response to the Staff’s comment, the Company has revised and restructured the referenced risk factor to more clearly explain the impacts of the relevant laws and regulations.
To facilitate the Staff’s review, each portion of the Staff’s comment is separately set forth below, with specific discussion of how the Company will revise and update its disclosure in response to that portion of the comment:
In light of recent events indicating greater oversight by the Cyberspace Administration of China (CAC) over data security, please revise your risk factor disclosure to explain in greater detail how you believe this oversight impacts the company and its business and to what extent you believe that you are compliant with the regulations or policies that have been issued by the CAC to date.
The Company respectfully refers the Staff to the second paragraph of the revised and updated proposed risk factor, which discloses that the Company is subject to laws and regulations relating to personal data and privacy protection and believes that it is compliant with these laws in all material respects. The paragraph also discusses in detail the specific impacts these laws have on the Company, including additional protocols and mechanisms the Company has implemented, which resulted in higher compliance costs and operating costs as well as changes to the Company’s data use and business practices.
The Company also respectfully refers the Staff to the third paragraph of the revised and updated proposed risk factor, which discloses that the Company is subject to laws on algorithm recommendation services and believes that it is compliant with such laws in all material respects. The paragraph also noted the impacts on the Company for complying with these laws, including additional compliance costs and changes to data use and recommendation services, which could negatively affect user activities on the Company’s platforms, as well as the potential consequences of non-compliance.
Please revise to clarify and specifically address if you believe you will be subject to a cybersecurity review under these new or proposed laws and regulations. To the extent you do not believe you will be subject to a cybersecurity review, discuss specifically how you came to that conclusion including the specific underlying facts and circumstances which support that determination.
The Company respectfully refers the Staff to the January 11 Response, in which the Company revised and updated its disclosure to state that the Company has not received any notice from the Cybersecurity Administration of China of a cybersecurity review, but given the scale of the Company’s business, the Company believes that it may be subject to cybersecurity review in the future. In response to the Staff’s comment, the Company further added that the Company does not believe that it is required to undergo cybersecurity review for its previous securities offerings, based on advice of PRC counsel. The Company also provided specific disclosure on the potential impact should the Company be subject to cybersecurity review. The Company respectfully refers the Staff to the fifth paragraph of the revised and updated proposed risk factor.
* * * *
If you have any question regarding the responses contained in this letter, please do not hesitate to contact me at +852-2514-7660 or dfertig@stblaw.com.
Very truly yours,
/s/ Daniel Fertig
Daniel Fertig
Enclosures
cc: Daniel Yong Zhang, Chief Executive Officer
Toby Hong Xu, Chief Financial Officer
Sara Siying Yu, General Counsel
Alibaba Group Holding Limited
Ricky Shin, Partner
Daniel Chan, Partner
Cynthia Ning, Partner
PricewaterhouseCoopers
Annex B
To be revised on the 2023 Form 20-F under “Item 3. Key Information — D. Risk Factors — Summary of Risk Factors”:
Risks and uncertainties related to doing business in the PRC include risks and uncertainties associated with the following:
· changes and developments in the political and economic policies of the PRC government, including but not limited to that the PRC government may intervene in or influence our operations through adopting and enforcing rules and regulatory requirements, which may evolve quickly with little advance notice (see “— Risks Related to Doing Business in the People’s Republic of China — There are uncertainties regarding the interpretation and enforcement of PRC laws, rules and regulations, and changes in policies, laws, rules and regulations in the PRC could adversely affect us” on page [•] of this annual report);
· uncertainties regarding the interpretation and enforcement of PRC laws, rules and regulations, including but not limited to actions the PRC government may take to exert more oversight and control over offerings that are conducted overseas and/or foreign investment in China-based issuers, which could significantly limit or completely hinder our ability to offer or continue to offer securities to investors and cause the value of our securities, including our ADSs, to significantly decline or become worthless (see “— There are uncertainties regarding the interpretation and enforcement of PRC laws, rules and regulations, and changes in policies, laws, rules and regulations in the PRC could adversely affect us” on page [•] of this annual report);
· potential delisting of our ADSs from the U.S. pursuant to the HFCA Act (see “— Our ADSs will be delisted and our ADSs and shares prohibited from trading in the United States under the Holding Foreign Companies Accountable Act, if the PCAOB is unable to inspect or investigate completely auditors located in China” on page [•] of this annual report);
· PRC regulations relating to investments in offshore companies and employee equity incentive plans (see “— PRC regulations relating to investments in offshore companies by PRC residents may subject our PRC-resident beneficial owners or our PRC subsidiaries to liability or penalties, limit our ability to inject capital into our PRC subsidiaries or limit our PRC subsidiaries’ ability to increase their registered capital or distribute profits” and “— Any failure to comply with PRC regulations regarding our employee equity incentive plans may subject the PRC participants in the plans, us or our overseas and PRC subsidiaries to fines and other legal or administrative sanctions.” on page [•] and [•] of this annual report, respectively);
· our reliance on dividends, loans and other distributions on equity paid by our operating subsidiaries in China, the risk that interventions in or the imposition of restrictions and limitations on the ability of us or our subsidiaries, or the VIEs by the PRC government to transfer cash or assets that are in a business in the PRC or in a PRC entity may limit our ability to fund operations or for other use outside of the PRC
· the potential impact of PRC laws and regulations related to Internet advertisement (see “— P4P services are considered, in part, to involve Internet advertisement, which subjects us to other laws, rules and regulations as well as additional obligations” on page [•] of this annual report);
· the possibility that we may be subject to PRC income tax on our global income, and potential discontinuation of preferential tax treatments we currently enjoy (see “— We may be treated as a resident enterprise for PRC tax purposes under the PRC Enterprise Income Tax Law, and we may therefore be subject to PRC income tax on our global income” on page [•] of this annual report); and
· the possibility that dividends payable to foreign investors and gains on the sale of our securities by our foreign investors may become subject to PRC taxation, and uncertainties with respect to indirect transfers of equity interests in PRC resident enterprises or other assets attributed to a PRC establishment of a non-PRC company (see “— Dividends payable to foreign investors and gains on the sale of our ADSs and/or ordinary shares by our foreign investors may become subject to PRC taxation” on page [•] of this annual report).
Annex C
To be revised on the 2023 Form 20-F under “Item 3. Key Information — D. Risk Factors — Risks Related to Our Business and Industry”:
Revised and updated proposed risk factor
Our business is subject to complex and evolving domestic and international laws and regulations regarding privacy and data protection, which are subject to change and uncertain interpretation. Complying with these laws and regulations increases our cost of operations and may require changes to our data and other business practices or negatively affect our user growth and engagement. Failure to comply with these laws and regulations could result in claims, regulatory investigations, litigation or penalties, or otherwise negatively affect our business.
Regulatory authorities in China and around the world have recently implemented, and may in the future continue to implement, further legislative and regulatory proposals concerning privacy and data protection, particularly relating to the protection of personal information, cybersecurity and cross-border data transmission. These laws and regulations can be complex and the interpretation and application of these laws and regulations are often uncertain, in flux and complicated.
PRC regulatory authorities have increasingly focused on personal data and privacy protection, and promulgated a number of laws and regulations, including the Personal Information Protection Law and the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications, that stipulate requirements and limitations on the collection, processing and handling of personal information. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Data and Privacy Protection” and “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Mobile Apps.” In the course of our business operations, we collect information of our customers and users, including personal information. Therefore, we are required to comply with applicable laws and regulations relating to personal data and privacy protection. To ensure our compliance with these laws and regulations, we have established relevant protocols and mechanisms. For example, when collecting users’ personal information, we clearly notify them the information collected and the purpose of collecting the information, explain to them what, how and why the information may be shared with third parties and also provide the privacy policy of the third parties with whom we share the information. These personal data privacy protection procedures have increased our compliance and operating costs and changed our data use and business practices. The data privacy laws and regulations also impose penalties and liability on information processors for non-compliant information collection and processing activities, including correction, suspension or termination of their services, confiscation of illegal income, as well as significant fines of up to 5% of revenue and other penalties. 
We believe that our business operations are compliant with the currently effective PRC laws relating to personal data and privacy protection in all material respects. The Cyberspace Administration of China has previously named certain of our mobile apps for failure to comply with privacy and data security regulations. We have rectified these mobile apps’ data collection and use practices to bring them into compliance.
PRC regulatory authorities have also enhanced their regulation on algorithm recommendation services. According to the Administrative Provisions on Internet Information Service Algorithm Recommendation, or the Algorithm Recommendation Provisions, which came into effect on March 1, 2022, algorithm recommendation service providers shall clearly inform users of their provision of algorithm recommendation services, and make public the basic principles, intentions and main operating mechanisms of the algorithm recommendation services, and shall also ensure that users may conveniently terminate the algorithm recommendation services. Moreover, algorithm recommendation service providers selling goods or providing services to consumers shall protect consumers’ rights of fair trade, and are prohibited from carrying out illegal conduct such as unreasonable differentiated treatment based on consumers’ preferences, purchase behavior, or such other characteristics. We use algorithmic recommendation in a wide range of our businesses. Accordingly, we need to comply with the Algorithm Recommendation Provisions and other applicable laws and regulations governing algorithm recommendation services, and we may be subject to penalties and liability for non-compliance, which may include administrative liabilities, including warnings, public denouncement, fines, enforcement orders requiring us to correct, or suspending us from posting new information, suspension of business or even criminal liabilities. Complying with PRC regulation on algorithm recommendation services has increased our compliance costs, changed our data use and business practices, and could negatively affect user activities on our platforms. We believe that our business operations are compliant with currently effective PRC laws relating to algorithm recommendation services in all material respects.
PRC regulatory authorities have also stepped up efforts in safeguarding cybersecurity. The PRC Cybersecurity Law, which generally governs the construction, operation, maintenance and use of networks in China, subjects network operators, including us, to various security protection-related obligations. In addition, the PRC Cybersecurity Law provides that personal information and important data collected and generated by operators of critical information infrastructure in the course of their operations in the PRC should be stored in the PRC, and imposes heightened regulation and additional security obligations on operators of critical information infrastructure. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Internet Security.” We believe that we are compliant with PRC Cybersecurity Law, including requirements relating to security protection, user identity verification, cybersecurity emergency response planning and technical assistance, in all material respects. Failure to comply could subject us to fines, suspension of businesses, shutdown of websites and revocation of business licenses.
PRC regulatory authorities have recently promulgated laws and regulations relating to cybersecurity review, including requirements that affect overseas listings by Chinese companies. According to the Revised Cybersecurity Review Measures, which became effective in February 2022, operators of critical information infrastructure who purchase network products and services and network platform operators who carry out data processing activities that affect or may affect national security shall be subject to cybersecurity review. In addition, any network platform operator possessing over one million users’ individual information must apply for cybersecurity review before listing abroad. Relevant PRC governmental authorities may also initiate cybersecurity review if they determine certain network products, services, or data processing activities affect or may affect national security. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Internet Security.” Moreover, in November 2021, the Cybersecurity Administration of China promulgated the Draft Regulations on Network Data Security Management, or the Draft Cyber Data Security Regulations, for public comments, which set forth different scenarios where data processors are required to apply for cybersecurity review, including, among others, overseas listing while processing over one million users’ personal information, Hong Kong listing that affects or may affect national security, and other data processing activities that affect or may affect national security. The Draft Cyber Data Security Regulations also require data policies and rules and any material amendments thereof of large Internet platforms with over 100 million daily active users be evaluated by a third-party organization designated by the Cyberspace Administration of China and approved by the respective local branch of the Cyberspace Administration of China. 
There is no definite timetable as to when the Draft Cyber Data Security Regulations will be enacted. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Data and Privacy Protection.”
PRC laws and regulations relating to cybersecurity review are relatively new, and the applicable scope of these laws and regulations remain subject to uncertainties and further clarifications from PRC regulators. As of the date of this annual report, we have not received any notice from the Cybersecurity Administration of China of a cybersecurity review on us under the Revised Cybersecurity Review Measures. Based on advice from Fangda Partners, our PRC counsel, we do not believe that we are required to undergo cybersecurity review by the Cybersecurity Administration of China for our previous securities offerings. However, given the scale of our business and the number of users on our platforms, we believe that we may be subject to cybersecurity review in the future. If we are subject to cybersecurity review, we may incur significant costs and face challenges, both in the review process and in making enhancements to our cybersecurity measures that may be required. If we are unable to manage these risks, we may be subject to penalties, including fines, suspension of business, prohibition against new user registration (even for a short period of time) and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected. In 2021, the PRC government launched cybersecurity reviews on a number of mobile apps operated by several US-listed Chinese companies and prohibited relevant apps from registering new users during the review period. Moreover, if we are required to undergo cybersecurity review in connection with any future securities offerings, our ability to obtain additional capital may be negatively affected. See also “— We may need additional capital but may not be able to obtain it on favorable terms or at all.”
PRC regulatory authorities have also enhanced the supervision and regulation of cross-border data transmission. The Data Security Law which took effect in September 2021 prohibits entities and individuals in China from providing any foreign judicial or law enforcement authority with any data stored in China without approval from competent PRC authority, and sets forth the legal liabilities of entities and individuals found to be in violation of their data protection obligations, including rectification order, warning, fines, suspension of relevant business, and revocation of business permits or licenses. Moreover, the Measures for the Security Assessment of Cross-border Data Transmission promulgated by the Cybersecurity Administration of China came into effect on September 1, 2022. According to these measures, personal data processors are subject to security assessment conducted by the Cyberspace Administration of China prior to any cross-border transfer of important data and personal information. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Data and Privacy Protection.” Any cross-border data transfer activities conducted in violation of the Measures for the Security Assessment of Cross-border Data Transmission before the effectiveness of these measures are required to be rectified by March 2023. We have implemented control procedures to comply with the new requirements. Complying with PRC laws and regulations relating to cross-border data transmission increases our compliance costs and could affect our ability to transfer data across borders. We believe that our business operations are compliant with PRC laws and regulations relating to cross-border data transmission in all material respects.
In addition, regulators in China and other jurisdictions in which we operate may implement measures to ensure that encryption of user data does not hinder law enforcement agencies’ access to that data. For example, according to the PRC Cybersecurity Law and relevant regulations, network operators, including us, are obligated to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations. Compliance with these laws and requirements in manners that are perceived as harming privacy could lead to significant damages to our reputation and proceedings and actions against us by regulators and private parties.
As we further expand our operations into international markets, we will be subject to additional laws in other jurisdictions where we operate and where our consumers, users, merchants, customers and other participants are located. For example, the European Commission has proposed the Digital Markets Act, the Digital Service Act and the European Data Act since 2020, which impose various requirements on data use, data sharing and data protection. Such laws, rules and regulations of other jurisdictions may be more comprehensive, detailed and nuanced in their scope, and may impose requirements and penalties that conflict with, or are more stringent than, those in China. In addition, these laws, rules and regulations may restrict the transfer of data across jurisdictions, which could impose additional and substantial operational, administrative and compliance burdens on us, and may also restrict our business activities and expansion plans, as well as impede our data-driven business strategies. Complying with laws and regulations for an increasing number of jurisdictions could require significant resources and costs. Our continued expansion into cloud services, both in China and elsewhere, will also increase the amount of data hosted on our system, as well as increase the number of jurisdictions in which we have IT systems. This, as well as the increasing number of new legal requirements in various jurisdictions, such as the GDPR and the data localization rules to Federal Law on Personal Data of Russia, present increased challenges and risks in relation to policies and procedures relating to data collection, storage, transfer, disclosure, protection and privacy, and will impose significant penalties for non-compliance. For example, penalties calculated as a percentage of global revenue may be imposed under the GDPR. The compliance requirements of the GDPR affect a number of our businesses, such as AliExpress and Alibaba Cloud. 
Any failure, or perceived failure, by us to comply with the above and other applicable regulatory requirements or privacy protection-related laws, rules and regulations could result in reputational damages or proceedings or actions against us by governmental entities, consumers or others. These proceedings or actions could subject us to significant penalties and negative publicity, require us to change our data and other business practices, increase our costs and severely disrupt our business, hinder our global expansion or negatively affect the trading prices of our ADSs, Shares and/or other securities.
While we believe we are compliant with such laws and regulations in all material respects, there are uncertainties with respect to how these laws and regulations will be interpreted, implemented and enforced in practice, especially since many of these laws and regulations only came into effect recently or have not come into effect yet, and we may be subject to regulatory investigations, fines, suspension of businesses and revocation of licenses. In addition, future interpretation and implementation of these laws and regulations, or additional laws and regulations that may come into effect, may result in significant increase in our compliance costs, force us to change our business practices, adversely affect our business performance as well as subject us to negative publicity, which could harm our reputation among users and negatively affect the trading prices of our ADSs, Shares and/or other securities.
Revised and updated proposed risk factor with track changes showing revisions to the 2022 20-F
Our business is subject to complex and evolving domestic and international laws and regulations regarding privacy and data protection.These laws and regulations can be complex and stringent, and manywhich are subject to change and uncertain interpretation, which could result in claims. Complying with these laws and regulations increases our cost of operations and may require changes to our data and other business practices or negatively affect our user growth and engagement. Failure to comply with these laws and regulations could result in claims, regulatory investigations, litigation, or penalties,increased cost of operations, or declines in user growth or engagement, or otherwise negatively affect our business.
Regulatory authorities in China and around the world have recently implemented, and may in the future continue to implement, further legislative and regulatory proposals concerning privacy and data protection,includingparticularly relating to the protection of personal information, cybersecurity and cross-border data transmission., which could impose more stringent requirements on us. In addition, These laws and regulations can be complex and the interpretation and application ofdata protection these laws and regulations are often uncertain, in flux and complicated.It is possible that existing or newly introduced laws and regulations, or their interpretation, application or enforcement, could significantly affect the value of our data, force us to change our data collection, data use and other business practices, cause us to incur significant compliance costs, and subject us to regulatory investigations, fines, suspension of businesses and revocation of licenses.
PRC regulatory authorities have increasingly focused on personal data and privacy protection, and promulgated a number of laws and regulations overseeing the collection and processing of personal information, including the Personal Information Protection Law and the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications. These laws and regulations, that stipulate requirements and limitations on the that (i) collection, processing and handling of personal information. should be limited to the minimum scope necessary for achieving the processing purpose, in particular, mobile apps operators may not deny users’ basic functions and services when they opt out of the collection of unnecessary personal information, (ii) processing of personal information must be conducted with a specified and reasonable intention that is directly related to the processing purpose and in a manner that has the least impact on personal rights and interests, and (iii) entities handling personal information shall adopt necessary measures to safeguard the security of the personal information they handle. In addition, the Personal Information Protection Law requires information processors to obtain parental consent before collecting personal information of minors under the age of 14, and to adopt special rules on processing personal information of minors. Information processors are subject to liabilities for their information collection and processing activities, including correction, suspension or termination of their services as well as confiscation of illegal income, significant fines of up to 5% of revenue or other penalties. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Data and Privacy Protection.” and “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Mobile Apps.”
In the course of our business operations, we collect information of our customers and users, including personal information. Therefore, we are required to comply with applicable laws and regulations relating to personal data and privacy protection. To ensure our compliance with these laws and regulations, we have established relevant protocols and mechanisms. For example, when collecting users’ personal information, we clearly notify them the information collected and the purpose of collecting the information, explain to them what, how and why the information may be shared with third parties and also provide the privacy policy of the third parties with whom we share the information. These personal data privacy protection procedures have increased our compliance and operating costs and changed our data use and business practices. The data privacy laws and regulations also impose penalties and liability on information processors for non-compliant The Cyberspace Administration of China has previously named certain a number of our mobile apps, including some of ours, in regulatory announcements for failure to comply with privacy and data security regulations. We have rectified these mobile apps’ , and ordered these apps to rectify their data collection and use practices to bring them into compliance. Moreover,
PRC regulatory authorities have also enhanced their regulation on algorithm recommendation services. According to the Administrative Provisions on Internet Information Service Algorithm Recommendation, or the Algorithm Recommendation Provisions, which came into effect on March 1, 2022, algorithm recommendation service providers shall clearly inform users of their provision of algorithm recommendation services, and make public the basic principles, intentions, and main operating mechanisms of the algorithm recommendation services. Algorithm, and shall also ensure that users may conveniently terminate the algorithm recommendation services. Moreover, algorithm recommendation service providers selling goods or providing services to consumers shall also protect consumers’ rights of fair trade, and are prohibited from carrying out illegal conduct such as unreasonable differentiated treatment based on consumers’ preferences, purchase behavior, or such other characteristics. In the course of our business operations, we collect information of our customers and users, including personal information, and We use algorithmic recommendation service is extensively used in in a wide range of our businesses. Any failure Accordingly, we need to comply with the Algorithm Recommendation Provisions and other applicable laws and regulations relevant to personal data and privacy may result in governing algorithm recommendation services, and we may be subject to penalties and liability for non-compliance, which may include administrative liabilities, including warnings, public denouncement, fines, enforcement orders requiring us to correct, or suspending us from posting new information, suspension of business or even criminal liabilities. Complying with PRC regulation on algorithm recommendation services has increased our compliance costs, changed our data use and business practices, and could negatively affect user activities on our platforms.
We believe that our business operations are compliant with currently effective PRC laws relating to algorithm recommendation services in all material respects.
PRC regulatory authorities have also stepped up efforts in safeguarding cybersecurity through conducting cybersecurity reviews. The PRC. The PRC Cybersecurity Law, which generally governs the construction, operation, maintenance and use of networks in China, subjects network operators, including us, to various security protection-related obligations. In addition, the PRC Cybersecurity Law provides that personal information and important data collected and generated by operators of critical information infrastructure in the course of their operations in the PRC should be stored in the PRC, and the law imposes heightened regulation and additional security obligations on operators of critical information infrastructure. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Internet Security.” We believe that we are compliant with PRC Cybersecurity Law, including requirements relating to security protection, user identity verification, cybersecurity emergency response planning and technical assistance, in all material respects. Failure to comply could subject us to fines, suspension of businesses, shutdown of websites and revocation of business licenses.
PRC regulatory authorities have recently promulgated laws and regulations relating to cybersecurity review, including requirements that affect overseas listings by Chinese companies. According to the Revised Cybersecurity Review Measures, which became effective in February 2022, operators of critical information infrastructure who purchase network products and services and network platform operators who carry out data processing activities that affect or may affect national security shall be subject to cybersecurity review. In addition, any network platform operator possessing over one million users’ individual information must apply for cybersecurity review before listing abroad. Relevant PRC governmental authorities may also initiate cybersecurity review if they determine certain network products, services, or data processing activities affect or may affect national security. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Internet Security.” However, the scope of “network products or services or data processing activities that will or may affect national security” and the scope of operators of “critical information infrastructure” remain unclear. In 2021, the PRC government launched cybersecurity reviews against a number of mobile apps operated by several US-listed Chinese companies and prohibited relevant apps from registering new users during the review period. We expect that these areas will receive greater and continued attention and scrutiny from regulators and the public going forward, which could increase our compliance costs and subject us to heightened risks and challenges associated with data security and protection, as well as negative publicity.
If we are unable to manage these risks, we could become subject to penalties, including fines, suspension of business, prohibition against new user registration (even for a short period of time) and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected. Moreover, in November 2021, the Cybersecurity Administration of China promulgated the Draft Regulations on Network Data Security Management, or the Draft Cyber Data Security Regulations, for public comments, which set forth different scenarios where data processors shall are required to apply for cybersecurity review, including, among others, (i) merger, reorganization or division of Internet platform operators with significant data resources related to national security, economic development or public interests that affects or may affect national security; (ii) overseas listing while processing over one million users’ personal information; (iii) Hong Kong listing that affects or may affect national security; or (iv), and other data processing activities that affect or may affect national security. In addition, The Draft Cyber Data Security Regulations also require data policies and rules and any material amendments thereof of large Internet platforms with over 100 million daily active users shall be evaluated by a third-party organization designated by the Cyberspace Administration of China and approved by the respective local branch of the Cyberspace Administration of China. There is no definite timetable as to when this draft the Draft Cyber Data Security Regulations will be enacted. As such, substantial uncertainties exist with respect to the enactment timetable, final content, interpretation and implementation of such measures. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Data and Privacy Protection.”
PRC laws and regulations relating to cybersecurity review are relatively new, and the applicable scope of these laws and regulations remain subject to uncertainties and further clarifications from PRC regulators. As of the date of this annual report, we have not received any notice from the Cybersecurity Administration of China of a cybersecurity review on us under the Revised Cybersecurity Review Measures. Based on advice from Fangda Partners, our PRC counsel, we do not believe that we are required to undergo cybersecurity review by the Cybersecurity Administration of China for our previous securities offerings. However, given the scale of our business and the number of users on our platforms, we believe that we may be subject to cybersecurity review in the future. If we are subject to cybersecurity review, we may incur significant costs and face challenges, both in the review process and in making enhancements to our cybersecurity measures that may be required. If we are unable to manage these risks, we may be subject to penalties, including fines, suspension of business, prohibition against new user registration (even for a short period of time) and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected. In 2021, the PRC government launched cybersecurity reviews on a number of mobile apps operated by several US-listed Chinese companies and prohibited relevant apps from registering new users during the review period. Moreover, if we are required to undergo cybersecurity review in connection with any future securities offerings, our ability to obtain additional capital may be negatively affected. See also “— We may need additional capital but may not be able to obtain it on favorable terms or at all.”
PRC regulatory authorities have also enhanced the supervision and regulation of cross-border data transmission. The Data Security Law which took effect in September 2021 prohibits entities and individuals in China from providing any foreign judicial or law enforcement authority with any data stored in China without approval from competent PRC authority, and sets forth the legal liabilities of entities and individuals found to be in violation of their data protection obligations, including rectification order, warning, fines, suspension of relevant business, and revocation of business permits or licenses. Moreover, on July 7, 2022, the Cybersecurity Administration of China promulgated the Measures for the Security Assessment of Cross-border Data Transmission, which will come promulgated by the Cybersecurity Administration of China came into effect on September 1, 2022. According to these measures, personal data processors will be are subject to security assessment conducted by the Cyberspace Administration of China prior to any cross-border transfer of data if the transfer involves (i) important data; (ii) and personal information. See “Item 4. Information on the Company — B. Business Overview — Regulation — Regulation of Data and Privacy Protection.” transferred overseas by operators of critical information infrastructure or a data processor that has processed personal data of more than one million persons; (iii) personal information transferred overseas by a data processor who has already provided personal data of 100,000 persons or sensitive personal data of 10,000 persons overseas since January 1 of last year; or (iv) other circumstances as requested by the Cyberspace Administration of China.
According to the official interpretation of the Cyberspace Administration of China, the Measures for the Security Assessment of Cross-border Data Transmission cover (1) overseas transmission and storage by data processors of data generated during PRC domestic operations, and (2) access to or use of the data collected and generated by data processors and stored in the PRC by overseas institutions, organizations or individuals. Furthermore, Any cross-border data transfer activities conducted in violation of the Measures for the Security Assessment of Cross-border Data Transmission before the effectiveness of these measures are required to be rectified by March 2023. As of the date of this annual report, these measures have not taken effect, and substantial uncertainties still exist with respect to the interpretation and implementation of these measures in practice and how they will affect our business operation. We have implemented control procedures to comply with the new requirements. Complying with PRC laws and regulations relating to cross-border data transmission increases our compliance costs and could affect our ability to transfer data across borders. We believe that our business operations are compliant with PRC laws and regulations relating to cross-border data transmission in all material respects.
In addition, regulators in China and other jurisdictions in which we operate may implement measures to ensure that encryption of user data does not hinder law enforcement agencies’ access to that data. For example, according to the PRC Cybersecurity Law and relevant regulations, network operators, including us, are obligated to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations. Compliance with these laws and requirements in manners that are perceived as harming privacy could lead to significant damages to our reputation and proceedings and actions against us by regulators and private parties.
Compliance with the PRC Cybersecurity Law, the PRC National Security Law, the Data Security Law, the Personal Information Protection Law, the Cybersecurity Review Measures, as well as additional laws and regulations that may come into effect in the future, including the Measures for the Security Assessment of Cross-border Data Transmission, the Draft Cyber Data Security Regulations and other data security and personal information protection laws and regulations, may result in significant increase in our compliance costs, force us to change our business practices, adversely affect our business performance as well as subject us to negative publicity, which could harm our reputation among users and negatively affect the trading prices of our ADSs, Shares and/or other securities. As many of these laws and regulations have not come into effect yet, or only came to effect recently, there are uncertainties with respect to how they will be interpreted, implemented and enforced in practice, and we may be subject to regulatory investigations, fines, suspension of businesses and revocation of licenses.
As we further expand our operations into international markets, we will be subject to additional laws in other jurisdictions where we operate and where our consumers, users, merchants, customers and other participants are located. For example, the European Commission has proposed the Digital Markets Act, the Digital Service Act and the European Data Act since 2020, which impose various requirements on data use, data sharing and data protection. Such laws, rules and regulations of other jurisdictions may be more comprehensive, detailed and nuanced in their scope, and may impose requirements and penalties that conflict with, or are more stringent than, those in China. In addition, these laws, rules and regulations may restrict the transfer of data across jurisdictions, which could impose additional and substantial operational, administrative and compliance burdens on us, and may also restrict our business activities and expansion plans, as well as impede our data-driven business strategies. Complying with laws and regulations for an increasing number of jurisdictions could require significant resources and costs. Our continued expansion into cloud services, both in China and elsewhere, will also increase the amount of data hosted on our system, as well as increase the number of jurisdictions in which we have IT systems. This, as well as the increasing number of new legal requirements in various jurisdictions, such as the GDPR and the data localization rules to Federal Law on Personal Data of Russia, present increased challenges and risks in relation to policies and procedures relating to data collection, storage, transfer, disclosure, protection and privacy, and will impose significant penalties for non-compliance. For example, penalties calculated as a percentage of global revenue may be imposed under the GDPR. The compliance requirements of the GDPR affect a number of our businesses, such as AliExpress and Alibaba Cloud. 
Any failure, or perceived failure, by us to comply with the above and other applicable regulatory requirements or privacy protection-related laws, rules and regulations could result in reputational damages or proceedings or actions against us by governmental entities, consumers or others. These proceedings or actions could subject us to significant penalties and negative publicity, require us to change our data and other business practices, increase our costs and severely disrupt our business, hinder our global expansion or negatively affect the trading prices of our ADSs, Shares and/or other securities.
While we believe we are compliant with such laws and regulations in all material respects, there are uncertainties with respect to how these laws and regulations will be interpreted, implemented and enforced in practice, especially since many of these laws and regulations only came into effect recently or have not come into effect yet, and we may be subject to regulatory investigations, fines, suspension of businesses and revocation of licenses. In addition, future interpretation and implementation of these laws and regulations, or additional laws and regulations that may come into effect, may result in significant increase in our compliance costs, force us to change our business practices, adversely affect our business performance as well as subject us to negative publicity, which could harm our reputation among users and negatively affect the trading prices of our ADSs, Shares and/or other securities.