EX-99.3 4 d37906dex993.htm EX-99.3 EX-99.3

Exhibit 99.3


The following section sets forth our risk factors, which have been updated and/or supplemented since the filing of our annual report on Form 20-F for the fiscal year ended December 31, 2020 and should be read in conjunction with such annual report, our Registration Statement on Form F-3 filed with the SEC on February 5, 2021 and the related prospectus supplement filed with the SEC.

Risks Related to Our Business and Industry

Failure to comply with existing or future laws and regulations related to privacy or data security could lead to government enforcement actions, which could include civil or criminal fines or penalties, private litigation, other liabilities, and/or adverse publicity. Compliance or the failure to comply with such laws could increase the costs of our products and services, could limit their use or adoption, and could otherwise negatively affect our operating results and business.

The regulatory framework for the collection, use, safeguarding, sharing, transfer and other processing of personal information worldwide is rapidly evolving and is likely to remain uncertain for the foreseeable future. Regulatory authorities in virtually every jurisdiction in which we operate have implemented and are considering a number of legislative and regulatory proposals concerning personal data protection.

Regulatory authorities in China have implemented and are considering a number of legislative and regulatory proposals concerning data protection. For example, China’s Cyber Security Law, which became effective in June 2017, created China’s first national-level data protection for “network operators,” which may include all organizations in China that provide services over the internet or another information network. Numerous regulations, guidelines and other measures are expected to be adopted under the umbrella of the Cyber Security Law. Drafts of some of these measures have now been published, including the draft rules on cross-border transfers published by the China Cyberspace Administration in 2017, which may, upon enactment, require security review before transferring human health-related data out of China. In addition, certain industry-specific laws and regulations affect the collection and transfer of personal data in China. For example, the PRC State Council promulgated Regulations on the Administration of Human Genetic Resources (effective in July 2019), which require approval from the Science and Technology Administration Department of the State Council where human genetic resources, or HGR, are involved in any international collaborative project and additional approval for any export or cross-border transfer of the HGR samples or associated data. It is possible that these laws may be interpreted and applied in a manner that is inconsistent with our practices, potentially resulting in confiscation of HGR samples and associated data, administrative fines and criminal liabilities. In addition, the interpretation and application of data protection laws in China and elsewhere are often uncertain and in flux. Furthermore, on August 20, 2021, the Standing Committee of the National People’s Congress promulgated the Personal Information Protection Law, which will take effect on November 1, 2021. The Personal Information Protection Law requires, among others, that the processing of personal information should have a specific and reasonable purpose, and shall be conducted in a way that has the least impact on personal rights and interests, and should be limited to the minimum scope necessary to achieve the processing purpose. These laws and regulations are continually evolving and not always clear, and the measures we take to comply with these laws, regulations and industry standards may not always be effective. We cannot assure you that we will comply with such laws and regulations regarding cybersecurity, information security, privacy and data protection in all respects and any failure or perceived failure to comply with these laws, regulations or policy may result in inquiries, penalties and other proceedings or actions against us by governmental authorities, customers or others, such as warnings, fines, making certain required rectification, service suspension and/or other sanctions, as well as negative publicity and damage to our reputation.

In the United States, we are subject to laws and regulations that address privacy, personal information protection and data security at both the federal and state levels. Numerous laws and regulations, including security breach notification laws, health information privacy laws, and consumer protection laws, govern the collection, use, disclosure and protection of health-related and other personal information. Given the variability and evolving state of these laws, we face uncertainty as to the exact interpretation of the new requirements, and we may be unsuccessful in implementing all measures required by regulators or courts in their interpretation.



Regulatory authorities in Europe have implemented and are considering a number of legislative and regulatory proposals concerning data protection. For example, the General Data Protection Regulation (EU) 2016/679, or GDPR, which became effective in May 2018, imposes a broad range of strict requirements on companies subject to the GDPR, such as us, including, but not limited to, requirements relating to having legal bases for processing personal information relating to identifiable individuals and transferring such information outside the European Economic Area (including to the United States), providing details to those individuals regarding the processing of their personal information, keeping personal information secure, having data processing agreements with third parties who process personal information, responding to individuals’ requests to exercise their rights in respect of their personal information, reporting security breaches involving personal data to the competent national data protection authority and affected individuals, and recordkeeping. The GDPR substantially increases the penalties to which we could be subject in the event of any non-compliance, including fines of up to 10,000,000 Euros or up to 2% of our total worldwide annual turnover for certain comparatively minor offenses, or up to 20,000,000 Euros or up to 4% of our total worldwide annual turnover for more serious offenses. Given the new law, we face uncertainty as to the exact interpretation of the new requirements, and we may be unsuccessful in implementing all measures required by data protection authorities or courts in interpretation of the new law. National laws of member states of the European Union are in the process of being adapted to the requirements under the GDPR. Because the GDPR specifically gives member states flexibility with respect to certain matters, national laws may partially deviate from the GDPR and impose different obligations from country to country, leading to additional complexity and uncertainty.

We expect that we will continue to face uncertainty as to whether our efforts to comply with evolving obligations under global data protection, privacy and security laws will be sufficient. Any failure or perceived failure by us to comply with applicable laws and regulations could result in reputational damage or proceedings or actions against us by governmental entities, individuals or others. These proceedings or actions could subject us to significant civil or criminal penalties and negative publicity, result in the delayed or halted transfer or confiscation of certain personal information, require us to change our business practices, increase our costs and materially harm our business, prospects, financial condition and results of operations. In addition, our current and future relationships with customers, vendors, pharmaceutical partners and other third parties could be negatively affected by any proceedings or actions against us or current or future data protection obligations imposed on them under applicable laws, including the GDPR. In addition, a data breach affecting personal information, including health information, could result in significant legal and financial exposure and reputational damage that could potentially have an adverse effect on our business.

Risks Related to Doing Business in China

The PRC government’s significant oversight and discretion over our business operations could result in a material adverse change in our operations and the value of our ADSs.

We conduct our businesses primarily through our PRC subsidiaries in China. Our operations in China are governed by PRC laws and regulations. The PRC government has significant oversight over the conduct of our business and has significant authority to exert influence on the ability of a China-based issuer, such as our company, to conduct its business. The PRC government may intervene or influence our operations at any time, which could result in a material adverse change in our operation and the value of our ADSs.

The PRC government has recently tightened and may continue to tighten regulations of certain industries, such as private education, online gaming and housing industries. Although we are not currently affected by the recent regulatory developments, we cannot assure you that our business will not be subject to tightened or new regulations in the future, which could cause the value of our ADSs to significantly decline. Furthermore, if the PRC government exerts more oversight and control over offerings that are conducted overseas or foreign investment in China-based issuers, it may significantly limit or completely hinder our ability to offer or continue to offer securities to investors and cause the value of our securities to significantly decline.



Uncertainties with respect to the PRC legal system could materially and adversely affect us.

The PRC legal system is a civil law system based on written statutes. Unlike the common law system, prior court decisions under the civil law system may be cited for reference but have limited precedential value. The overall effect of legislation over the past four decades has significantly enhanced the protections afforded to various forms of foreign investments in China. However, China has not developed a fully integrated legal system, and recently enacted laws and regulations may not sufficiently cover all aspects of economic activities in China. Since these laws and regulations are relatively new and may be amended from time to time, and the PRC legal system continues to rapidly evolve, and because of the limited number of published decisions and the nonbinding nature of such decisions, and because the laws and regulations often give the relevant regulator significant discretion in how to enforce them, the interpretations of many laws, regulations and rules may not be uniform and enforcement of these laws, regulations and rules involves uncertainties. These uncertainties may affect our judgment on the relevance of legal requirements and our ability to enforce our contractual rights or tort claims. Besides, the PRC is geographically large and divided into various provinces and municipalities and, as such, different laws, rules, regulations and policies may have different and varying applications and interpretations in different parts of the PRC. Legislation or regulations, particularly in local applications, may be enacted without sufficient prior notice or announcement to the public. In addition, the regulatory uncertainties may be exploited through unmerited or frivolous legal actions or threats in attempts to extract payments or benefits from us. Furthermore, the PRC legal system is based in part on government policies and internal rules, some of which are not published on a timely basis, or at all, and may have a retroactive effect. As a result, we may not be aware of our violation of any of these policies and rules until sometime after the violation. Agreements that are governed by PRC laws may be more difficult to enforce by legal or arbitral proceedings in the PRC than that in other countries with different legal systems. In addition, any administrative and court proceedings in China may be protracted, resulting in substantial costs and diversion of resources and management attention.

Any failure to comply with the various applicable laws and regulations related to data security, cybersecurity and personal information and privacy protection could affect our offshore offerings and lead to liabilities, penalties or other regulatory actions, which could have a material and adverse effect on our business, financial condition and results of operations.

On June 10, 2021, the Standing Committee of the National People’s Congress promulgated the PRC Data Security Law, which took effect on September 1, 2021. The Data Security Law, among other things, provides for a security review procedure for the data activities that may affect national security. Furthermore, Measures for Cybersecurity Review, which became effective on June 1, 2020, set forth the cybersecurity review mechanism for critical information infrastructure operators, and provided that critical information infrastructure operators who procure internet products and services that affect or may affect national security shall be subject to a cybersecurity review. On July 10, 2021, the Cyberspace Administration of China published the Measures for Cybersecurity Review (Revised Draft for Comments), which will replace the current Measures for Cybersecurity Review after it is adopted and becomes effective and further restates and expands the applicable scope of the cybersecurity review. Pursuant to the draft measures, critical information infrastructure operators that procure internet products and services, and data processing operators engaging in data processing activities, must be subject to the cybersecurity review if their activities affect or may affect national security. The draft measures further stipulate that critical information infrastructure operators or data processing operators holding over one million users’ personal information shall apply to the Cybersecurity Review Office for a cybersecurity review before any public offering at a foreign stock exchange. The draft measures were released for public comment only, and its provisions and the anticipated adoption or effective date may be subject to change with substantial uncertainty. On July 30, 2021, the state council promulgated the Regulations on Security Protection of Critical Information Infrastructure, which became effective on September 1, 2021. Pursuant to the Regulations on Security Protection of Critical Information Infrastructure, critical information infrastructure shall mean any important network facilities or information systems of the important industry or field such as public communication and information service, energy, communications, water conservation, finance, public services, e-government affairs and national defense science, which may endanger national security, people’s livelihood and public interest in case of damage, function loss or data leakage. In addition, relevant administration departments of each critical industry and sector, or Protection Departments, shall be responsible to formulate eligibility criteria and determine the critical information infrastructure operators in the respective industry or sector. The operators shall be informed about the final determination as to whether they are categorized as critical information infrastructure operators.



No detailed rules or implementation has been issued by any Protection Departments and we have not been informed as a critical information infrastructure operator by any governmental authorities. Furthermore, the exact scope of “critical information infrastructure operators” under the current regulatory regime remains unclear, and the PRC governmental authorities may have wide discretion in the interpretation and enforcement of these laws. Therefore, it is uncertain whether we would be deemed as a critical information infrastructure operator under PRC law. It also remains uncertain whether the future regulatory changes would impose additional restrictions on companies like us. We cannot predict the impact of the draft measures, if any, at this stage, and we will closely monitor and assess any development in the rule-making process. If the enacted version of the draft measures mandates clearance of cybersecurity review and other specific actions to be completed by companies like us, we face uncertainties as to whether such clearance can be timely obtained, or at all. If we are not able to comply with the cybersecurity and data privacy requirements in a timely manner, or at all, we may be subject to government enforcement actions and investigations, fines, penalties or suspension of our non-compliant operations, which could materially and adversely affect our business and results of operations. We have not been involved in any investigations on cybersecurity review made by the Cyberspace Administration of China on such basis, and we have not received any inquiry, notice, warning, or sanctions in such respect.

Our auditor is currently not subject to inspections by the PCAOB. Our ADSs may be delisted under the Holding Foreign Companies Accountable Act if the PCAOB is unable to inspect auditors who are located in China. The delisting of our ADSs, or the threat of their being delisted, may materially and adversely affect the value of your investment.

The Holding Foreign Companies Accountable Act, or the HFCA Act, was enacted on December 18, 2020. The HFCA Act states if the SEC determines that we have filed audit reports issued by a registered public accounting firm that has not been subject to inspection by the PCAOB for three consecutive years beginning in 2021, the SEC shall prohibit our shares or ADSs from being traded on a national securities exchange or in the over the counter trading market in the U.S.

Our auditor, the independent registered public accounting firm that issues the audit report included elsewhere in this annual report as an auditor of companies that are traded publicly in the United States and a firm registered with the PCAOB, is subject to laws in the United States pursuant to which the PCAOB conducts regular inspections to assess its compliance with the applicable professional standards. Since our auditor is located in China, a jurisdiction where the PCAOB has been unable to conduct inspections without the approval of the Chinese authorities, our auditor is currently not inspected by the PCAOB.

On March 24, 2021, the SEC adopted interim final rules relating to the implementation of certain disclosure and documentation requirements of the HFCA Act. We will be required to comply with these rules if the SEC identifies us as having a “non-inspection” year under a process to be subsequently established by the SEC. The SEC is assessing how to implement other requirements of the HFCA Act, including the listing and trading prohibition requirements described above.

On June 22, 2021, the U.S. Senate passed a bill which, if passed by the U.S. House of Representatives and signed into law, would reduce the number of consecutive non-inspection years required for triggering the prohibitions under the HFCA Act from three years to two.

On November 5, 2021, the SEC approved the PCAOB Rule 6100 related to the PCAOB’s responsibilities under the HFCA Act, which provides a framework for the PCAOB to use when determining, as contemplated under the HFCA Act, whether it is unable to inspect or investigate completely registered public accounting firms located in a foreign jurisdiction because of a position taken by one or more authorities in that jurisdiction.

The SEC may propose additional rules or guidance that could impact us if our auditor is not subject to PCAOB inspection. For example, on August 6, 2020, the President’s Working Group on Financial Markets, or the PWG, issued the Report on Protecting United States Investors from Significant Risks from Chinese Companies to the then President of the United States. This report recommended the SEC implement five recommendations to address companies from jurisdictions that do not provide the PCAOB with sufficient access to fulfil its statutory mandate. Some of the concepts of these recommendations were implemented with the enactment of the HFCA Act. However, some of the recommendations were more stringent than the HFCA Act. For example, if a company was not subject to PCAOB inspection, the report recommended that the transition period before a company would be delisted would end on January 1, 2022.

The SEC has announced that the SEC staff is preparing a consolidated proposal for the rules regarding the implementation of the HFCA Act and to address the recommendations in the PWG report. It is unclear when the SEC will complete its rulemaking and when such rules will become effective and what, if any, of the PWG recommendations will be adopted. The implications of this possible regulation in addition the requirements of the HFCA Act are uncertain. Such uncertainty could cause the market price of our ADSs to be materially and adversely affected, and our securities could be delisted or prohibited from being traded “over-the-counter” earlier than would be required by the HFCA Act. If our securities are unable to be listed on another securities exchange by then, such a delisting would substantially impair your ability to sell or purchase our ADSs when you wish to do so, and the risk and uncertainty associated with a potential delisting would have a negative impact on the price of our ADSs.



The PCAOB’s inability to conduct inspections in China prevents it from fully evaluating the audits and quality control procedures of our independent registered public accounting firm. As a result, we and investors in our ordinary shares are deprived of the benefits of such PCAOB inspections. The inability of the PCAOB to conduct inspections of auditors in China makes it more difficult to evaluate the effectiveness of our independent registered public accounting firm’s audit procedures or quality control procedures as compared to auditors outside of China that are subject to the PCAOB inspections, which could cause investors and potential investors in our stock to lose confidence in our audit procedures and reported financial information and the quality of our financial statements.

In May 2013, the PCAOB announced that it had entered into a Memorandum of Understanding on Enforcement Cooperation with the CSRC and the PRC Ministry of Finance, which establishes a cooperative framework between the parties for the production and exchange of audit documents relevant to investigations undertaken by the PCAOB in the PRC or by the CSRC or the PRC Ministry of Finance in the United States. The PCAOB continues to be in discussions with the CSRC and the PRC Ministry of Finance to permit joint inspections in the PRC of audit firms that are registered with the PCAOB and audit Chinese companies that trade on U.S. exchanges.

The ability of U.S. authorities to bring actions for violations of U.S. securities law and regulations against us, our directors or executive officers may be limited. Therefore, you may not be afforded the same protection as provided to investors in U.S. domestic companies.

The SEC, the U.S. Department of Justice, or the DOJ, and other U.S. authorities often have substantial difficulties in bringing and enforcing actions against non-U.S. companies and non-U.S. persons. Due to jurisdictional limitations, matters of comity and various other factors, the SEC, the DOJ and other U.S. authorities may be limited in their ability to pursue bad actors, including in instances of fraud, in emerging markets such as China. We conduct our operations mainly in China and our assets are mainly located in China. In addition, a majority of our directors and executive officers reside within China. There are significant legal and other obstacles for U.S. authorities to obtain information needed for investigations or litigation against us or our directors or executive officers in case we or any of these individuals engage in fraud or other wrongdoing. In addition, local authorities in China may be constrained in their ability to assist U.S. authorities and overseas investors in connection with legal proceedings. As a result, if we, our directors or executive officers commit any securities law violation, fraud or other financial misconduct, the U.S. authorities may not be able to conduct effective investigations or bring and enforce actions against us, our directors, executive officers or other gatekeepers. Therefore, you may not be able to enjoy the same protection provided by various U.S. authorities as it is provided to investors in U.S. domestic companies.