Alibaba (BABA) Risk Factors

We collect, utilize and store a large quantity of personal data, including consumers' personal data, in our business operations, and face a number of challenges relating to data from transactions and other activities on our platforms, including: - protecting the data in and hosted on our system, including against attacks on our system or unauthorized use by outside parties or fraudulent behavior or improper use by our employees;- addressing concerns, challenges, negative publicity and litigation related to data privacy, collection, use and actual or perceived sharing for promotional and other purposes (including cooperation and sharing among our own businesses, cooperation with business partners or mandatory disclosure to regulators), and concerns among the public about the alleged discriminatory treatment adopted by Internet platforms based on user profiles, safety, security and other factors that may arise from our existing businesses or new businesses and technologies, such as new forms of data (for example, biometric data, location information and other information); and - complying with applicable laws, rules and regulations relating to the collection (from users and other third-party systems or sources), use, storage, access, transfer, disclosure and security of personal data, including requests from data subjects and regulatory authorities. Improper use or disclosure of our user data by any party could result in a loss of users, businesses and other participants from our ecosystem, loss of confidence or trust in our platforms and has a material adverse effect on our business and prospects. Moreover, we are subject to numerous laws and regulations in many markets relating to the protection of personal information, cybersecurity, data security and cross-border data transmission. These laws and regulations can be complex and the interpretation and application of these laws and regulations are often uncertain, in flux and complicated. Personal Information and Privacy Protection Regulatory authorities in China and around the world have recently implemented, and may in the future continue to implement, further legislative and regulatory proposals concerning data privacy and personal data protection. For instance, PRC regulatory authorities have promulgated a number of laws and regulations, including the Personal Information Protection Law and the Provisions on the Scope of Necessary Personal Information Required for Common Types of Mobile Internet Applications, that stipulate requirements and limitations on the collection, processing and handling of personal information. See "Item 4. Information on the Company - B. Business Overview - Regulation - Regulation of Data and Privacy Protection" and "Item 4. Information on the Company - B. Business Overview - Regulation - Regulation of Mobile Apps." In the course of our business operations, we collect information of our customers and users, including personal information. Therefore, we are required to comply with applicable laws and regulations relating to personal data and privacy protection. To ensure our compliance with these laws and regulations, we have established relevant protocols and mechanisms, such as obtaining consent from users before collecting their personal information, notifying them of the information collected and the purpose of collecting the information, explaining to them what, how and why the information may be shared with third parties. These personal data privacy protection procedures have increased our compliance and operating costs. The data privacy laws and regulations also impose penalties and liability on information processors for non-compliant information collection and processing activities, including correction, suspension or termination of their services, confiscation of illegal income, as well as significant fines of up to 5% of revenue and other penalties. PRC regulatory authorities have also put forward regular inspections and reporting on the compliance of mobile apps, mini-programs, software development kits and other applications with applicable personal data and privacy protection laws and regulations. Moreover, we as a large Internet platform may be subject to more frequent regulatory inspections. We believe that our business operations are compliant with the currently effective PRC laws relating to personal data and privacy protection in all material respects. Nevertheless, as the interpretation and implementation of these laws and regulations are evolving and that PRC regulatory authorities has been enhancing compliance requirements or may require us to adopt recommended compliance practices, we may be required to continuously adjust and upgrade our applications. PRC regulatory agencies have previously named certain of our mobile apps for rectification in compliance with privacy and data security regulations. We have rectified these mobile apps' data collection and use practices to bring them into compliance. Nevertheless, there can be no assurance that our mobiles apps will not be named or that we will not be subject to regulatory investigations in the future. Furthermore, the use of algorithms and generative AI in recommendation services has raised additional data protection concerns, and PRC regulatory authorities have enhanced their regulation in these areas. According to the Administrative Provisions on Internet Information Service Algorithm Recommendation, or the Algorithm Recommendation Provisions,which came into effect on March 1, 2022, algorithm recommendation service providers shall fulfil filing obligations according to regulatory requirements as applicable, clearly inform users of their provision of algorithm recommendation services, and make public the basic principles, intentions and main operating mechanisms of the algorithm recommendation services, and shall also ensure that users may conveniently terminate the algorithm recommendation services. Moreover, algorithm recommendation service providers selling goods or providing services to consumers shall protect consumers' rights of fair trade, and are prohibited from carrying out illegal conduct such as unreasonable differentiated treatment based on consumers' preferences, purchase behavior, or such other characteristics. In addition, the Administrative Provisions on Deep Synthesis of Internet Information Services, which took effect in January 2023, impose obligations on providers, technology supporters and users of deep synthesis technology, including verification of user identity, implementing measures to protect data security and personal information, content moderation, labelling content generated using deep synthesis technology, and conducting security assessments and completing filings for provision of certain services. Moreover, the Cyberspace Administration of China, together with other relevant authorities, released the Interim Measures on Generative AI Services, which came into effect on August 15, 2023 and impose compliance requirements on providers of generative AI services. According to the Interim Measures on Generative AI Services, individuals or organizations that provide generative AI services of text, image, audios, videos and other content shall be responsible as the producers of such network information content and as the personal information processors to protect any personal information involved. Providers of generative AI services shall also conduct security assessment and complete certain filings in accordance with the Administrative Provisions on Internet Information Service Algorithm Recommendation. Non-compliance with the Interim Measures on Generative AI Services may subject generative AI services providers to penalties, including warning, public denouncement, rectification orders and suspension of the provision of relevant services. We use algorithmic recommendation, deep synthesis technology and generative AI services in a wide range of our businesses. Accordingly, we need to comply with the Algorithm Recommendation Provisions, the Administrative Provisions on Deep Synthesis of Internet Information Services, the Interim Measures on Generative AI Services and other applicable laws and regulations governing algorithm recommendation services, and we may be subject to penalties and liability for non-compliance, which may include administrative liabilities, including warnings, public denouncement, fines, enforcement orders requiring us to correct, or suspending us from posting new information, suspension of business or even criminal liabilities. Complying with PRC regulations relating to algorithm recommendation services has increased our compliance costs, changed our data use and business practices, and could negatively affect user activities on our platforms. See "Item 4. Information on the Company - B. Business Overview - Regulation - Regulation of Internet Security." We believe that our business operations are compliant with currently effective PRC laws relating to algorithm recommendation services in all material respects. As we further expand our operations into international markets, we have become and will be subject to additional laws in other jurisdictions where we operate and where our consumers, users, merchants, customers and other participants are located. Such laws, rules and regulations of other jurisdictions may be more comprehensive, detailed and nuanced in their scope, and may impose requirements and penalties that conflict with, or are more stringent than, those in China. For example, the European Union has adopted the Digital Markets Act and the Digital Services Act and proposed the European Data Act since 2020, which impose various requirements on data use, data sharing and data protection, among other matters. AliExpress has been designated as a "very large online platform" under the Digital Services Act, and thus is required to fulfil more stringent obligations, including algorithm transparency, content moderation, mandatory reporting of incidents and measures to tackle illegal content, regular risk assessment, annual independent audit, data sharing with relevant regulators and annual supervisory fee. These requirements will create additional operational burdens and compliance costs for us, and we may be subject to significant regulatory penalties for failure to comply with these requirements. Complying with laws and regulations for an increasing number of jurisdictions could require significant resources and costs. Our continued expansion into the cloud business, both in China and elsewhere, will also increase the amount of data hosted on our system, as well as increase the number of jurisdictions in which we have data centers. This, as well as the increasing number of new legal requirements in various jurisdictions, such as the GDPR, present increased challenges and risks in relation to policies and procedures relating to data collection, local storage, access, cross-border transfer, disclosure, protection and privacy, and will impose significant penalties for non-compliance. For example, penalties calculated as a percentage of global revenue may be imposed under the GDPR. The compliance requirements of the GDPR affect a number of our businesses, such as AliExpress, Alibaba.com, Alibaba Cloud and Cainiao. Any failure, or perceived failure, by us to comply with the above and other applicable regulatory requirements or data and privacy protection-related laws, rules and regulations could result in suspension of the relevant business or blockage of access to mobile app services, reputational damages or proceedings or actions against us by governmental entities, consumers or others or even criminal liabilities. These proceedings or actions could subject us to significant penalties and negative publicity, require us to change our data and other business practices, increase our costs and severely disrupt our business, hinder our global expansion or negatively affect the trading prices of our ADSs, Shares and/or other securities, our business and prospects. Cybersecurity and Data Security The PRC Cybersecurity Law, which generally governs the construction, operation, maintenance and use of networks in China, subjects network operators, including us, to various security protection-related obligations. In addition, the PRC Cybersecurity Law provides that personal information and important data collected and generated by operators of critical information infrastructure in the course of their operations in the PRC should be stored in the PRC, and imposes heightened regulation and additional security obligations on operators of critical information infrastructure. See "Item 4. Information on the Company - B. Business Overview - Regulation - Regulation of Internet Security." We believe that we are compliant with PRC Cybersecurity Law, including requirements relating to security protection, user identity verification, cybersecurity emergency response planning and technical assistance, in all material respects. Failure to comply could subject us to fines, suspension of businesses, shutdown of websites and revocation of business licenses. PRC regulatory authorities have also promulgated laws and regulations relating to cybersecurity review. According to the Revised Cybersecurity Review Measures, which became effective in February 2022, operators of critical information infrastructure who purchase network products and services and network platform operators who carry out data processing activities that affect or may affect national security shall be subject to cybersecurity review. See "Item 4. Information on the Company - B. Business Overview - Regulation - Regulation of Internet Security." Moreover, in November 2021, the Cyberspace Administration of China promulgated the Draft Regulations on Network Data Security Management, or the Draft Cyber Data Security Regulations, for public comments, which set forth different scenarios where data processors are required to apply for cybersecurity review and require data policies and rules and any material amendments thereof of large Internet platforms with over 100 million daily active users be evaluated by a third-party organization designated by the Cyberspace Administration of China and approved by the respective local branch of the Cyberspace Administration of China. There is no definite timetable as to when the Draft Cyber Data Security Regulations will be enacted. See "Item 4. Information on the Company - B. Business Overview - Regulation - Regulation of Data and Privacy Protection." PRC laws and regulations relating to cybersecurity review are relatively new, and the applicable scope of these laws and regulations remain subject to uncertainties and further clarifications from PRC regulators. In 2021, the PRC government launched cybersecurity reviews on a number of mobile apps operated by several US-listed Chinese companies and prohibited relevant apps from registering new users during the review period. As of the date of this annual report, we have not received any notice from the Cyberspace Administration of China of a cybersecurity review on us under the Revised Cybersecurity Review Measures. Based on advice from Fangda Partners, our PRC counsel, we do not believe that we are required to undergo cybersecurity review by the Cyberspace Administration of China for our previous securities offerings. However, given the scale of our business and the number of users on our platforms, we believe that we may be subject to a cybersecurity review in the future. If we are subject to a cybersecurity review, we may incur significant costs and face challenges, both in the review process and in making enhancements to our cybersecurity measures that may be required. If we are unable to manage these risks, we may be subject to penalties, including fines, suspension of business, prohibition against new user registration (even for a short period of time) and revocation of required licenses, and our reputation and results of operations could be materially and adversely affected. Moreover, the Data Security Law which took effect in September 2021 imposes additional regulatory requirements on processors of important data, including specifying the persons and management bodies responsible for data security and implementing regular data security risk assessment and other data protection measures. If we are unable to manage these risks, we may be subject to penalties, including fines, suspension of business, revocation of required licenses and civil or even criminal liabilities. As of the date of this annual report, we have not received any regulatory notice that we are a processor of important data as mentioned above. We believe that our business operations are compliant with PRC laws and regulations relating to data security in all material respects. Cross-border Data Transmission Regulatory authorities in China and around the world have enhanced supervision and regulation of cross-border data transmission. As our business operations expand across jurisdictions and we collect, process and utilize personal data of our users worldwide, we are subject to and are likely to be required to expend significant capital to ensure ongoing compliance with these laws and regulations on cross-border data transfers. The Data Security Law prohibits entities and individuals in China from providing any foreign judicial or law enforcement authority with any data stored in China without approval from a competent PRC authority, and sets forth the legal liabilities of entities and individuals found to be in violation of their data protection obligations, including rectification order, warning, fines, suspension of relevant business, and revocation of business permits or licenses. The Measures for the Security Assessment of Cross-border Data Transmission promulgated by the Cybersecurity Administration of China came into effect on September 1, 2022. According to these measures, personal data processors are subject to security assessment conducted by the Cyberspace Administration of China prior to any cross-border transfer of important data and personal information. See "Item 4. Information on the Company - B. Business Overview - Regulation - Regulation of Data and Privacy Protection." Furthermore, the Cyberspace Administration of China promulgated the Provisions on the Prescribed Agreement on Cross-border Data Transfer, or the Provisions on Prescribed Agreement, which came into effect on June 1, 2023. We have implemented control procedures to comply with the new requirements. Complying with PRC laws and regulations relating to cross-border data transmission increases our compliance costs and could affect our ability to transfer data across borders. We believe that our business operations are compliant with PRC laws and regulations relating to cross-border data transmission in all material respects. In addition, laws, rules and regulations in other jurisdictions where we operate may restrict the transfer of data across jurisdictions, which could impose additional and substantial operational, administrative and compliance burdens on us, and may also restrict our business activities and expansion plans, as well as impede our data-driven business strategies. For example, the GDPR requires companies to take appropriate safeguard measures and satisfy specific conditions when transferring data outside Europe. On February 28, 2024, the United States released the Executive Order on Preventing Access to Americans' Bulk Sensitive Personal Data and United States Government-Related Data by Countries of Concern, which will place restrictions on the transfer of certain data from the U.S. to countries of concern. Failure to comply with GDPR requirements and other laws relating to cross-border data transfers may result in suspension of the relevant business, significant amounts of fines and other administrative penalties, regulatory investigations and actions against us, significant damage to our reputation or even criminal liabilities. As permitted by applicable laws and regulations, our privacy policies and user agreements, we grant expressly limited access to specified data on our data platform to certain participants in our ecosystem that provide services to consumers, merchants, brands, retailers and other ecosystem participants. In addition, we and Ant Group may negotiate the terms of data sharing arrangements on a case-by-case basis, to the extent necessary for each party to provide services to our respective customers and as permitted by applicable laws and regulations. Participants in our ecosystem, including Ant Group, face the same challenges inherent in handling and protecting large volumes of data. Any actual or perceived improper use of data by us or them, and any systems failure or security breach or lapse on our or their part that results in the release of user data could harm our reputation and brand and, consequently, our business, in addition to exposing us to potential legal liability or regulatory actions. This could also attract negative publicity from media outlets, privacy advocates, our competitors or others and could adversely affect the trading prices of our ADSs, Shares and/or other securities. While we believe we are compliant with laws and regulations on privacy and data protection and cybersecurity in all material respects, there are uncertainties with respect to how these laws and regulations will be interpreted, implemented and enforced in practice, especially since many of these laws and regulations only came into effect recently or have not come into effect yet. We expect that data security and personal information protection will continue to attract public scrutiny and receive greater attention and focus from regulators. Future interpretation and implementation of these laws and regulations, or additional laws and regulations that may come into effect, may further increase our compliance costs, force us to change our business practices, adversely affect our business performance as well as subject us to administrative and legal liabilities, which could harm our reputation and negatively affect the trading prices of our ADSs, Shares and/or other securities. On the other hand, regulators in China and other jurisdictions in which we operate may implement measures to ensure that encryption of user data does not hinder law enforcement agencies' access to that data. For example, according to the PRC Cybersecurity Law and relevant regulations, network operators, including us, are obligated to provide assistance and support in accordance with the law for public security and national security authorities to protect national security or assist with criminal investigations. Non-compliance or compliance with these laws and requirements in manners that are perceived as harming privacy could lead to significant damages to our reputation and proceedings and actions against us by regulators and private parties.

Our cybersecurity measures may not detect, prevent or control all attempts to compromise our systems or risks to our systems, including distributed denial-of-service attacks, viruses, Trojan horses, malicious software, break-ins, phishing attacks, third-party manipulation, security breaches, employee misconduct or negligence or other attacks, risks, data leakage and similar disruptions that may jeopardize the security of data stored in and transmitted by our systems or that we otherwise maintain. Moreover, if we fail to implement adequate encryption of data transmitted through the networks of the telecommunications and Internet operators we rely upon, there is a risk that telecommunications and Internet operators or their business partners may misappropriate our data. Breaches or failures of our cybersecurity measures could result in unauthorized access to our systems, misappropriation of information or data, deletion or modification of user information, or denial-of-service or other interruptions to our business operations. If the security of domain names is compromised, we will be unable to use the domain names in our business operations. We may not have the resources or technical sophistication to anticipate or prevent rapidly evolving cyber-attacks. As techniques used to obtain unauthorized access to or sabotage systems change frequently and may not be known until launched against us, there can be no assurance that we will be able to anticipate, or implement adequate measures to protect against, these attacks. We could also be subject to an attack, breach or leakage, which we do not discover at the time or the consequences of which are not apparent until a later point in time. We only carry limited cybersecurity insurance, and actual or anticipated attacks and risks may cause us to incur significantly higher costs, including costs to deploy additional personnel and network protection technologies, train employees, and engage third-party experts and consultants. Cyber-attacks may target us, our merchants, consumers, users, customers, key service providers or other participants in our ecosystem, or the communication infrastructure on which we depend. In particular, breaches or failures of our third-party service providers' systems and cybersecurity measures could also result in unauthorized access to our data, our consumers' and customers' data and user information and business interruptions. In addition, we develop systems for customers through our cloud or other services. If these systems suffer attacks, breaches and data leakage, whether or not we are involved in managing or operating such systems, we could be subject to negative publicity, potential liabilities and regulatory investigations, including extensive cybersecurity review, which could result in significant losses to us, and materially and adversely affect our reputation, business growth and prospects. We, our third-party service providers and customers that use systems we have developed have been in the past and are likely again in the future to be subject to these types of attacks, breaches and data leakage. For example, in October 2020, Lazada reported a data breach of a legacy RedMart database hosted by a third-party service provider, which resulted in the leakage of certain personal information of 1.1 million RedMart user accounts. Further, in May 2021, a court in China ruled in a criminal case that a software developer illegally collected approximately 1.2 billion pieces of user log-in IDs, alias and phone numbers from the Taobao website using a web crawler, which we discovered and reported to law enforcement in August 2020. Cyber-attacks and security breaches, whether or not related to our systems or attributable to us, could result in business interruptions and subject us to negative publicity, regulatory investigations and significant legal and financial liability, harm our reputation and result in substantial revenue loss from lost sales and customer dissatisfaction, materially decrease our revenue and net income, and negatively affect the trading prices of our ADSs and Shares.

We rely on a wide range and large number of third-party service providers, including retail operating partners, logistics service providers, mobile app developers, independent software vendors, or ISVs, cloud-based developers, marketing affiliates, livestreaming hosts and key opinion leaders, or KOLs, financial institutions, accountants and auditors, legal counsel and other professional service providers, to provide services to us as well as to users on our platforms, including consumers, merchants, brands, retailers and users of our cloud computing services. To the extent these ecosystem participants and service providers are unable to provide satisfactory services to us as well as our users on or off our platforms, on commercially acceptable terms, or at all, or if we fail to retain existing or attract new quality service providers to our platforms, our business, financial condition and results of operations may be materially and adversely affected. In addition, we share our user data with certain of these third-party service providers in our ecosystem in accordance with our privacy policies, agreements and applicable laws. Third-party service providers and ecosystem participants may engage in a broad range of other business activities on and outside of our platforms, and may have broad user bases and social influence that create substantial business opportunities and economic returns to themselves and our business. If our third-party service providers and ecosystem participants engage in activities that are negligent, fraudulent, illegal or otherwise harm the trustworthiness and security of our ecosystem, including, for example, the leakage or negligent use of data, the handling, transport and delivery of prohibited or restricted content or items, inappropriate use or ineffective implementation of AI technologies, cease their business relationship with us or fail to perform their contractual obligations or professional duties, fail to comply with any laws, regulations, professional code of conduct and practice standards or government requirements, become subject to regulatory investigations, enforcement actions, fines or penalties, or cause any property damage or personal injuries, their ability to provide services to us or our ecosystem more broadly could be materially and adversely affected, which could cause us to suffer loss of business and revenue, reputational harm, liabilities, or be subject to regulatory scrutiny, investigation or actions, and could have a material adverse effect on the trading prices of our ADSs, Shares or other securities, even if these activities are not related to, attributable to or caused by us, or within our control.

We have obtained insurance to cover certain potential risks and liabilities, such as property damage, business interruptions, public liabilities and product liability insurance for certain businesses we operate. However, insurance companies in China and other jurisdictions in which we operate may offer limited business insurance products or we may not be able to obtain such insurance on favorable terms. As a result, we do not maintain insurance for all types of risks we face in our operations in China and elsewhere, and our coverage may not be adequate to compensate for all losses that may occur, particularly with respect to loss of business or operations. We do not maintain product liability insurance for products and services transacted on our marketplaces or other businesses we operate, and our rights of indemnity from the merchants in our ecosystem may not adequately cover us for any liability we may incur. We also do not maintain key-man life insurance. This potentially insufficient coverage could expose us to potential claims and losses. Any business disruption, litigation, regulatory action, outbreak of epidemic disease or natural disaster could also expose us to substantial costs and diversion of resources. There can be no assurance that our insurance coverage is sufficient to prevent us from any loss or that we will be able to successfully claim our losses under our current insurance policy on a timely basis, or at all. If we incur any loss that is not covered by our insurance policies, or the compensated amount is significantly less than our actual loss, our business, financial condition and results of operations could be materially and adversely affected.

Ant Group offers a variety of services and products that have become essential parts of the services and experience we offer to consumers and merchants on our platforms. These services and products are critical to our marketplaces and the development of our ecosystem. In particular, given the significant transaction volume on our platforms, Alipay provides convenient payment processing and escrow services to us on preferential terms. We also leverage the convenience, availability and ease of use of Alipay and Ant Group's other products and services, such as consumer loans and insurance, to provide high quality experience and services to users, merchants and other participants in our ecosystem. If the availability, quality, utility, convenience or attractiveness of Alipay's and Ant Group's other services and products declines or changes for commercial, regulatory, compliance or any other reason, the attractiveness of our marketplaces and the level of activities on our marketplaces could be materially and adversely affected. Particularly, Alipay's business is subject to a number of risks that could materially and adversely affect its ability to provide payment processing and escrow services to us, including: - dissatisfaction with Alipay's services or lower use of Alipay by consumers, merchants, brands and retailers;- increasing competition, including from other established Chinese Internet companies, payment service providers and companies engaged in other financial technology services;- changes to rules or practices applicable to payment systems that link to Alipay;- breach of users' privacy and concerns over the use and security of information collected from customers and any related negative publicity relating thereto;- service outages, system failures or failure to effectively scale the system to handle large and growing transaction volumes;- increasing costs to Alipay, including fees charged by banks to process transactions through Alipay, which would also increase our cost of revenues;- negative news about and social media coverage on Alipay, its business, its product and service offerings or matters relating to Alipay's data security and privacy; and - failure to manage user funds accurately or loss of user funds, whether due to employee fraud, security breaches, technical errors or otherwise. In addition, certain commercial banks in China impose limits on the amounts that may be transferred by automated payment from users' bank accounts to their linked accounts with third-party payment services. Although we believe the impact of these restrictions has not been and will not be significant in terms of the overall volume of payments processed for Taobao and Tmall, and automated payment services linked to bank accounts represent only one of many payment mechanisms that consumers may use to settle transactions, we cannot predict whether these and any additional restrictions that could be put in place would have a material adverse effect on our marketplaces. Alipay's and Ant Group's other businesses are highly regulated and are required to comply with numerous complex and evolving laws, rules and regulations, including in the areas of online and mobile payment services, wealth management, financing, cross-border money transmission, anti-money laundering, consumer protection and insurance. As Alipay and Ant Group's other businesses expand their businesses and operations into more international markets, they will become subject to additional legal and regulatory risks and scrutiny. For example, Alipay or Ant Group's other affiliates are required to maintain payment business licenses in the PRC and are also required to obtain and maintain other applicable payment, money transmitter or other related licenses and approvals in other countries or regions where they operate. In certain jurisdictions where Ant Group currently does not have the required licenses, Ant Group provides payment processing and escrow services through third-party service providers. If Ant Group or any of its partners fails to obtain and maintain all required licenses and approvals or otherwise fails to manage the risks relating to their businesses, if new laws, rules or regulations come into effect that impact Ant Group or its partners' businesses, or if any of Ant Group's partners ceases to provide services to Ant Group, its services could be suspended or severely disrupted, and its ability to continue to deliver payment services to us on preferential terms and other services and products to our consumers, merchants and other ecosystem participants may be undermined. We do not control Ant Group or Alipay. There can be no assurance that we will be able to maintain or negotiate commercial terms that are no less favorable than those we currently enjoy or are commercially acceptable. Furthermore, our commercial arrangements with Alipay and Ant Group may be subject to anti-competition challenges. If we need to migrate to another third-party payment service or significantly expand our relationship with other third-party payment services, the transition would require significant time and management resources, and the third-party payment service may not be as effective, efficient or well-received by consumers, merchants, brands and retailers on our marketplaces. These third-party payment services also may not provide escrow services, and we may not be able to receive commissions based on GMV settled through these systems. We would also receive less, or lose entirely, the benefit of the commercial agreement with Ant Group and Alipay and may be required to pay more for payment processing and escrow services than we currently pay. There can be no assurance that we would be able to reach an agreement with an alternative payment service provider on acceptable terms or at all, and our business, financial condition and results of operations may be materially and adversely affected. Other conflicts of interest between us, on the one hand, and Alipay and Ant Group, on the other hand, may arise relating to commercial or strategic opportunities or initiatives. Although we and Ant Group have each agreed to certain non-competition undertakings, Ant Group may from time to time provide services to our competitors or engage in certain businesses that fall within our scope, and there can be no assurance that Ant Group would not pursue other opportunities that would conflict with our interests. See "Item 7. Major Shareholders and Related Party Transactions - B. Related Party Transactions - Agreements and Transactions Related to Ant Group and Its Subsidiaries - Our Commercial Arrangements with Ant Group and Alipay -Restructuring of Our Relationship with Ant Group and Alipay, 2019 Equity Issuance, and Related Amendments - Non-competition Undertakings." Because of our equity interest in Ant Group, Ant Group's financial results and valuation may materially affect our financial results and the trading prices of our ADSs, Shares and/or other securities. Moreover, because of our close association with Ant Group and overlapping user bases, regulatory developments, litigation or proceedings, media and other reports, whether or not true, and other events that affect Ant Group could also negatively affect customers', regulators', investors' and other third parties' perception of us. For example, shortly after Ant Group's announcement of the suspension of its proposed dual-listing and IPO in November 2020, the trading prices of our ADSs and Shares declined significantly. In addition, Ant Group has been in discussions with PRC regulators about its business rectification plan, and on April 12, 2021, Ant Group announced that it would apply to set up a financial holding company to ensure its financial-related businesses are fully regulated. To implement the rectification plan and comply with applicable new measures and rules, Ant Group may be required to spend significant time and resources and make changes to its businesses, which could materially and adversely affect its business operations and growth prospects. On July 7, 2023, PRC regulators announced a RMB7.07 billion fine for Ant Group and Ant Group has completed the related work on the rectification. Changes in Ant Group's business and future prospects, or speculation of such changes, as well as additional regulatory requirements placed on Ant Group, could in turn have a material adverse effect on us and the trading prices of our ADSs, Shares and/or other securities.

We process an extremely large number of transactions on a daily basis on our marketplaces and other businesses we operate, and the high volume of transactions taking place in our ecosystem and publicity about our business creates the possibility of heightened attention from the public, regulators, the media and participants in our ecosystem. Changes in our services or policies have resulted and could result in objections by members of the public, the media, including social media, participants in our ecosystem or others. We may also become subject to public scrutiny relating to our workplace environment, work culture and other practices. From time to time, these objections, complaints and negative media coverage, regardless of their veracity, may result in negative publicity or public relations crisis, which could result in regulatory inquiry or harm our reputation and brand, and adversely affect the price of our ADSs, Shares and/or other securities. Corporate transactions we or our related parties undertake, such as changes to our corporate structures, our transactions with Ant Group, initiatives to grow our businesses, develop new business models and expand into international markets, our various business practices as well as our capital markets transactions, such as potential IPOs, spin-offs and other financings of certain of our subsidiaries, and dividends and share repurchases may also subject us to increased media exposure and public scrutiny. There can be no assurance that we would not become a target for regulatory or public scrutiny in the future or that scrutiny and public exposure would not severely damage our reputation and brand as well as our business and prospects. In addition, our founders, directors, management and employees have been, and continue to be, subject to scrutiny by the media and the public regarding their activities in and outside of Alibaba Group, which may result in negative, unverified, inaccurate or misleading information about them being reported by the press. Negative publicity about our founders, directors, management or employees, even if unrelated to the products or services we offer, or even if untrue or inaccurate, may harm our reputation and brand, and adversely affect the price of our ADSs, Shares and/or other securities. Furthermore, due to intense competition in our industry, we have been and may be the target of incomplete, inaccurate and false statements and complaints about us and our products and services that could damage our reputation and brand and materially deter consumers and customers from spending in our ecosystem. Competitors have used, and may continue to use, methods such as lodging complaints with regulators, initiating intellectual property and competition claims (whether or not meritorious) or frivolous and nuisance lawsuits, and other forms of attack litigation and "lawfare" that attempt to harm our reputation and brand, hinder our operations, force us to expend resources on responding to and defending against these claims, and otherwise gain a competitive advantage over us by means of litigious and accusatory behavior. Our ability to respond on share price-sensitive information to our competitors' misleading marketing efforts, including lawfare, may be limited during our self-imposed quiet periods around quarter ends consistent with our internal policies or due to legal prohibitions on permissible public communications by us during certain other periods.

Although we have operating subsidiaries located in various countries and regions, our operations in China currently contribute the large majority of our revenue. The PRC government has significant oversight and discretion over the conduct of our business, and may intervene in or influence our operations through adopting and enforcing rules and regulatory requirements. Accordingly, our financial condition and results of operations are affected to a significant extent by economic, political and legal developments in the PRC. The PRC economy differs from the economies of most developed countries in many respects, including the level of development, growth rate, extent of government involvement, control of foreign exchange and allocation of resources. A substantial portion of productive assets in China is still managed by the government. In addition, the PRC government regulates industry development by imposing industrial policies. The PRC government also plays a significant role in China's economic growth by allocating resources, controlling payment of foreign currency-denominated obligations, setting monetary policy and regulating financial services and institutions. While the PRC economy has experienced significant growth in the past four decades, growth has been uneven, both geographically and among various sectors of the economy. The PRC government has implemented various measures to encourage economic growth and guide the allocation of resources. Some of these measures may benefit the overall PRC economy, but may also have a negative effect on us. Our financial condition and results of operations could be materially and adversely affected by government control over capital investments or changes in tax regulations that are applicable to us. In addition, the PRC government has implemented in the past certain measures, including interest rate increases, to manage the pace of economic growth and prevent the economy from overheating. Any prolonged slowdown in the economy could lead to a reduction in demand for our services and consequently have a material adverse effect on our businesses, financial condition and results of operations.

Our business could be materially and adversely affected by natural disasters, such as earthquakes, snowstorms, storm surges, floods, fires, droughts and other extreme weather events and other effects of climate change; the outbreak of a widespread health epidemic, such as COVID-19, swine flu, avian influenza, severe acute respiratory syndrome, Ebola and Zika; or other events, such as wars, acts of terrorism, environmental accidents, power shortages or communication interruptions. The occurrence of a natural disaster or a prolonged outbreak of an epidemic illness or other adverse public health developments in China or elsewhere in the world could materially disrupt our industry and our business and operations, and have a material adverse effect on our business, financial condition and results of operations. For example, these events could cause a temporary closure of the facilities we use for our operations, affect the health of our employees and their work efficiency, significantly disrupt supply chains and logistics services or severely impact consumer behaviors and the operations of merchants, business partners and other participants in our ecosystem. Our operations could also be disrupted if any of our employees or employees of our business partners are suspected of contracting an epidemic disease, since this could require us or our business partners to quarantine some or all of these employees or disinfect the facilities used for our operations. In addition, our revenue and profitability could be materially reduced to the extent that a natural disaster, health epidemic or other outbreak or any change in regulatory, corporate and public actions in response to such event harms the global or PRC economy in general.