DATASEA INC. 10-K Cybersecurity GRC - 2023-09-27

Page last updated on April 11, 2024

DATASEA INC. reported their cybersecurity risk management and governance process in a yearly 10-K filed on 2023-09-27 16:31:11 EDT.

Filings

10-K filed on 2023-09-27

DATASEA INC. filed a 10-K at 2023-09-27 16:31:11 EDT
Accession Number: 0001213900-23-079920

Item 1C. Cybersecurity.

Our cybersecurity measure is primarily focused on ensuring the security and protection of computer systems and networks. All pertinent domestic operating entities of the Company shall adhere to a standardized Company Confidentiality System, which shall be centrally overseen and enforced by Shuhai Beijing, subject to oversight by our management and Board of Directors. This Company Confidentiality System shall include specific provisions for information pertaining to network security, data security, and information that, if disclosed, could have detrimental effects on the public interest and the Company. We plan to establish an appropriate confidentiality framework and adhere to relevant document management regulations. The Company and its employees are also required to sign confidentiality agreements for purposes including ensuring cybersecurity. As of the date of this report, we are not aware of any material risks from cybersecurity threats that have materially affected or are reasonably likely to materially affect the Company, including our business strategy, results of operations, or financial condition.

Item 1A. Risk Factors.

We may be subject to liability if private information that we receive is not secure or if we violate privacy laws and regulations.

Because we store, process and use data, some of which contain personal information, we are subject to complex and evolving federal, state and foreign laws and regulations regarding privacy, data protection and other matters. Many of these laws and regulations are subject to constant evolvement and change and uncertain interpretation. Any violation of these laws could result in investigations, claims, changes to our business practices, increased cost of operations and declines in user growth, retention or engagement, any of which could materially adversely affect our business, results of operations and financial condition.

In November 2016, the Standing Committee of the National People’s Congress passed China’s first cybersecurity law, or CSL, which took effect in June 2017. The CSL systematically lays out cybersecurity and data protection regulatory requirements and subjects many previously under-regulated or unregulated activities in cyberspace and data management to government scrutiny. Compliance costs and other burdens related to CSL as well as China’s regulatory measures on the collection, storage, use and provision of network data may affect users’ use and acceptance of our products and services, and may have a significant adverse impact on our business, directly affecting our market development channels and financial revenue capacity.

The European Union General Data Protection Regulation 2016/679 (“GDPR”), which came into effect on May 25, 2018, includes operational requirements for companies that receive or process personal data of residents of the European Economic Area. The GDPR establishes new requirements applicable to the processing of personal data (i.e., data which identifies an individual or from which an individual is identifiable), affords new data protection rights to individuals (e.g., the right to erasure of personal data) and imposes penalties for serious data breaches. Individuals also have a right to compensation under the GDPR for financial or non-financial losses. Although we do not conduct any business in the European Economic Area, in the event that residents of the European Economic Area access our website and input protected information, we may become subject to provisions of the GDPR. Compliance with the GDPR will impose additional responsibilities and liabilities in relation to our processing of personal data. The GDPR may require us to change our policies and procedures and, if we are not compliant, could materially adversely affect our business, results of operations and financial condition.

We are also subject to laws restricting disclosure of information relating to our employees. We strive to comply with all applicable laws, policies, legal obligations, and industry codes of conduct relating to privacy, data security, cybersecurity and data protection. However, given that the scope, interpretation, and application of these laws and regulations are often uncertain and may be conflicting, it is possible that these obligations may be interpreted and applied in a manner that is inconsistent from one jurisdiction to another and may conflict with other rules or our practices. Any failure or perceived failure by us or our third-party service-providers to comply with our privacy or security policies or privacy-related legal obligations, or any compromise of security that results in the unauthorized release or transfer of personally identifiable information or other user data, may result in governmental enforcement actions, litigation, or negative publicity, and could have an adverse effect on our business and operating results.

Item 1A. Risk Factors.

In light of recent events indicating greater oversight by the CAC over data security, we may be subject to a variety of PRC laws and other obligations regarding cybersecurity and data protection, and any failure to comply with applicable laws and obligations could have a material adverse effect on our business and our securities.

Since 2021, the Chinese government has strengthened its anti-monopoly supervision, mainly in three aspects: (1) establishing the National Anti-Monopoly Bureau; (2) revising and promulgating anti-monopoly laws and regulations, including: the Anti-Monopoly Law (draft Amendment published on October 23, 2021 for public opinions), the anti-monopoly guidelines for various industries, and the detailed Rules for the Implementation of the Fair Competition Review System; and (3) expanding the anti-monopoly law enforcement targeting Internet companies and large enterprises. As of the date of this report, the Chinese government’s recent statements and regulatory actions related to anti-monopoly concerns have not impacted our ability to conduct business, accept foreign investments, or list on a U.S. or other foreign exchange because neither the Company nor its PRC operating entities engage in monopolistic behaviors that are subject to these statements or regulatory actions.

On November 14, 2021, the Cyberspace Administration of China (“CAC”) released the Regulations on the Network Data Security Management (Draft for Comments), or the Data Security Management Regulations Draft, to solicit public opinion and comments till December 13, 2021, which has not been promulgated as of the date of this report. Pursuant to the Data Security Management Regulations Draft, data processors holding more than one million users/users’ individual information shall be subject to cybersecurity review before listing abroad. Data processing activities refers to activities such as the collection, retention, use, processing, transmission, provision, disclosure, or deletion of data. According to the latest amended Cybersecurity Review Measures, which was promulgated on November 16, 2021 and became effective on February 15, 2022, an online platform operator holding more than one million users/users’ individual information shall be subject to cybersecurity review before listing abroad.

As of the date of this report, Datasea, its subsidiaries, the VIE and VIE’s subsidiaries have not received any notice from any authorities requiring the PRC subsidiaries to go through cybersecurity review or network data security review by the CAC. Given that Datasea, its subsidiaries, the VIE and VIE’s subsidiaries do not possess personal data of at least one million individual clients and do not collect data that affects or may affect national security in their business operations as of the date of this report and do not anticipate that they will be collecting over one million users’ personal information or data that affects or may affect national security in the near future. There remains uncertainty, however, as to how the Cybersecurity Review Measures and the Security Administration Draft will be interpreted or implemented and whether the PRC regulatory agencies, including the CAC, may adopt new laws, regulations, rules, or detailed implementation and interpretation related to the Cybersecurity Review Measures and the Security Administration Draft. If any such new laws, regulations, rules, or implementation and interpretation come into effect, we will take all reasonable measures and actions to comply and to minimize the adverse effect of such laws on us. We cannot guarantee, however, that we will not be subject to cybersecurity review and network data security review in the future, which could materially and adversely affect our business, financial conditions, and results of operations.

Item 1A. Risk Factors.

Compliance with China’s new Data Security Law, Measures on Cybersecurity Review (revised draft for public consultation), Personal Information Protection Law (second draft for consultation), regulations and guidelines relating to the multi-level protection scheme and any other future laws and regulations may entail significant expenses and could materially affect our business.

China has implemented or will implement rules and is considering a number of additional proposals relating to data protection. China’s new Data Security Law promulgated by the Standing Committee of the National People’s Congress of China in June 2021, or the Data Security Law, will take effect in September 2021. The Data Security Law provides that the data processing activities must be conducted based on “data classification and hierarchical protection system” for the purpose of data protection and prohibits entities in China from transferring data stored in China to foreign law enforcement agencies or judicial authorities without prior approval by the Chinese government. As the Data Security Law has not yet come into effect, we may need to make adjustments to our data processing practices to comply with this law.

Additionally, China’s Cyber Security Law requires companies to take certain organizational, technical and administrative measures and other necessary measures to ensure the security of their networks and data stored on their networks. Specifically, the Cyber Security Law provides that China adopt a multi-level protection scheme (MLPS), under which network operators are required to perform obligations of security protection to ensure that the network is free from interference, disruption or unauthorized access, and prevent network data from being disclosed, stolen or tampered. Under the MLPS, entities operating information systems must have a thorough assessment of the risks and the conditions of their information and network systems to determine the level to which the entity’s information and network systems belong, from the lowest Level 1 to the highest Level 5 pursuant to the Measures for the Graded Protection and the Guidelines for Grading of Classified Protection of Cyber Security. The grading result will determine the set of security protection obligations that entities must comply with. Entities classified as Level 2 or above should report the grade to the relevant government authority for examination and approval.

Recently, the Cyberspace Administration of China has taken action against several Chinese internet companies in connection with their initial public offerings on U.S. securities exchanges, for alleged national security risks and improper collection and use of the personal information of Chinese data subjects. According to the official announcement, the action was initiated based on the National Security Law, the Cyber Security Law and the Measures on Cybersecurity Review, which are aimed at “preventing national data security risks, maintaining national security and safeguarding public interests.” On July 10, 2021, the Cyberspace Administration of China published a revised draft of the Measures on Cybersecurity Review, expanding the cybersecurity review to data processing operators in possession of personal information of over 1 million users if the operators intend to list their securities in a foreign country.

It is unclear at the present time how widespread the cybersecurity review requirement and the enforcement action will be and what effect they will have on the life sciences sector generally and the Company in particular. China’s regulators may impose penalties for non-compliance ranging from fines or suspension of operations, and this could lead to us delisting from the U.S. stock market.

In addition, our securities may be prohibited from trading on a national exchange or over-the-counter in the United States under the Holding Foreign Companies Accountable Act, if the PCAOB determines that it cannot inspect or fully investigate our auditors for two consecutive years.

Also, on August 20, 2021, the National People’s Congress passed the Personal Information Protection Law, which will be implemented on November 1, 2021. The law creates a comprehensive set of data privacy and protection requirements that apply to the processing of personal information and expands data protection compliance obligations to cover the processing of personal information of persons by organizations and individuals in China, and the processing of personal information of persons in China outside of China if such processing is for purposes of providing products and services to, or analyzing and evaluating the behavior of, persons in China. The law also proposes that critical information infrastructure operators and personal information processing entities who process personal information meeting a volume threshold to-be-set by Chinese cyberspace regulators are also required to store in China personal information generated or collected in China, and to pass a security assessment administered by Chinese cyberspace regulators for any export of such personal information. Lastly, the draft contains proposals for significant fines for serious violations of up to RMB 50 million or 5% of annual revenues from the prior year.

Interpretation, application and enforcement of these laws, rules and regulations evolve from time to time and their scope may continually change, through new legislation, amendments to existing legislation and changes in enforcement. Compliance with the Cyber Security Law and the Data Security Law could significantly increase the cost to us of providing our service offerings, require significant changes to our operations or even prevent us from providing certain service offerings in jurisdictions in which we currently operate or in which we may operate in the future. Despite our efforts to comply with applicable laws, regulations and other obligations relating to privacy, data protection and information security, it is possible that our practices, offerings or platform could fail to meet all of the requirements imposed on us by the Cyber Security Law, the Data Security Law and/or related implementing regulations. Any failure on our part to comply with such law or regulations or any other obligations relating to privacy, data protection or information security, or any compromise of security that results in unauthorized access, use or release of personally identifiable information or other data, or the perception or allegation that any of the foregoing types of failure or compromise has occurred, could damage our reputation, discourage new and existing counterparties from contracting with us or result in investigations, fines, suspension or other penalties by Chinese government authorities and private claims or litigation, any of which could materially adversely affect our business, financial condition and results of operations. Even if our practices are not subject to legal challenge, the perception of privacy concerns, whether or not valid, may harm our reputation and brand and adversely affect our business, financial condition and results of operations.

Moreover, the legal uncertainty created by the Data Security Law and the recent Chinese government actions could materially adversely affect our ability, on favorable terms, to raise capital, including engaging in follow-on offerings of our securities in the U.S. market.

On November 14, 2021, the Cyberspace Administration of China released the Regulations on the Network Data Security Management (Draft for Comments), or the Data Security Management Regulations Draft, to solicit public opinion and comments till December 13, 2021, which has not been promulgated as of the date of this report. Pursuant to the Data Security Management Regulations Draft, data processors holding more than one million users/users’ individual information shall be subject to cybersecurity review before listing abroad. Data processing activities refers to activities such as the collection, retention, use, processing, transmission, provision, disclosure, or deletion of data. According to the latest amended Cybersecurity Review Measures, which was promulgated on November 16, 2021 and became effective on February 15, 2022, an online platform operator holding more than one million users/users’ individual information shall be subject to cybersecurity review before listing abroad.

As of the date of this report, Datasea, its subsidiaries and VIE entities have not received any notice from any authorities requiring the PRC subsidiaries to go through cybersecurity review or network data security review by the CAC. Given that the PRC subsidiaries do not possess personal data of at least one million individual clients and do not collect data that affects or may affect national security in their business operations as of the date of this report and do not anticipate that they will be collecting over one million users’ personal information or data that affects or may affect national security in the near future. There remains uncertainty, however, as to how the Cybersecurity Review Measures and the Security Administration Draft will be interpreted or implemented and whether the PRC regulatory agencies, including the CAC, may adopt new laws, regulations, rules, or detailed implementation and interpretation related to the Cybersecurity Review Measures and the Security Administration Draft. If any such new laws, regulations, rules, or implementation and interpretation come into effect, we will take all reasonable measures and actions to comply and to minimize the adverse effect of such laws on us. We cannot guarantee, however, that we will not be subject to cybersecurity review and network data security review in the future, which could materially and adversely affect our business, financial conditions, and results of operations.


Company Information

Name: DATASEA INC.
CIK: 0001631282
SIC Description: Services-Prepackaged Software
Ticker: DTSS - Nasdaq
Category: Non-accelerated filer; Smaller reporting company
Fiscal Year End: June 29