`
`
`
`UNITED STATES DISTRICT COURT
`SOUTHERN DISTRICT OF NEW YORK
`- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - x
`
`:
`No. 1:21-cv-06013-AKH
`
`:
`
`
`:
`ECF CASE
`In re 360 DigiTech, Inc. Securities Litigation
`:
`Electronically Filed
`:
`
`:
`Oral Argument Requested
`:
`
`:
`
`- - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - x
`
`
`
`
`
`MEMORANDUM OF LAW IN SUPPORT OF
`DEFENDANT 360 DIGITECH, INC.’S MOTION TO
`DISMISS THE AMENDED CONSOLIDATED CLASS ACTION COMPLAINT
`
`
`SKADDEN, ARPS, SLATE,
` MEAGHER & FLOM LLP
`
`Scott D. Musoff
`Robert A. Fumerton
`Michael C. Griffin
`One Manhattan West
`New York, New York 10001
`Telephone: (212) 735-3000
`
` Attorneys for Defendant 360 DigiTech, Inc.
`
`
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 2 of 31
`
`
`
`TABLE OF CONTENTS
`
`TABLE OF AUTHORITIES ......................................................................................................... iii
`
`PRELIMINARY STATEMENT .....................................................................................................1
`
`STATEMENT OF FACTS ..............................................................................................................3
`
`I.
`
`BACKGROUND .................................................................................................................3
`
`II.
`
`360 DigiTech’s Regulatory Challenges ...............................................................................4
`
`A.
`
`B.
`
`China’s Ambiguous Data Security Laws .................................................................4
`
`Chinese Regulators Tighten Rules Governing the Principles of User
`Consent and Necessity .............................................................................................5
`
`III.
`
`360 Digitech’s Disclosures ..................................................................................................7
`
`IV.
`
`SUBSEQUENT REGULATORY DEVELOPMENTS .......................................................8
`
`A.
`
`B.
`
`New Data Privacy Rules Are Announced in March 2021 .......................................8
`
`In April 2021, the Company Was One of 13 Major FinTech Platforms
`That Met with Regulators to Discuss Regulatory Issues .........................................9
`
`V.
`
`PLAINTIFF’S PURPORTED “CORRECTIVE DISCLOSURES” ..................................10
`
`A.
`
`B.
`
`Regulators Named 84 Apps Not in Compliance with the May 1 Provisions.........10
`
`On July 8, 360 Jietiao Was Temporarily Removed from App Stores ...................11
`
`VI.
`
`This Action.........................................................................................................................13
`
`ARGUMENT .................................................................................................................................13
`
`I.
`
`PLAINTIFF FAILS TO ALLEGE ANY MATERIAL MISREPRESENTATION ..........13
`
`A.
`
`The Company Warned of the Precise Risks That Later Emerged .........................14
`
`B.
`
`C.
`
`The Company Had No Duty to Accuse Itself of Regulatory Violations ...............15
`
`Plaintiff Fails to Plead the Company Violated Any Preexisting Chinese
`Law ........................................................................................................................16
`
`D.
`
`Plaintiff Fails to Plead That Any Statement Was False or Misleading ..................20
`
`II.
`
`PLAINTIFF FAILS TO ALLEGE A STRONG INFERENCE OF SCIENTER ..............22
`
`
`
`i
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 3 of 31
`
`III.
`
`PLAINTIFF FAILS TO ALLEGE LOSS CAUSATION ..................................................24
`
`CONCLUSION ..............................................................................................................................25
`
`
`
`
`
`
`ii
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 4 of 31
`
`TABLE OF AUTHORITIES
`
`CASES
`
`
`
`Asay v. Pinduoduo Inc.,
`No. 18-cv-7625 (PKC), 2020 WL 1530745 (S.D.N.Y. Mar. 30, 2020), aff’d, No.
`20-1423, 2021 WL 3871269 (2d Cir. Aug. 31, 2021) .......................................................13
`
`Asay v. Pinduoduo Inc.,
`No. 20-1423, 2021 WL 3871269 (2d Cir. Aug. 31, 2021) ..........................................20, 21
`
`ATSI Communications, Inc. v. Shaar Fund, Ltd.,
`493 F.3d 87 (2d Cir. 2007).......................................................................................3, 22, 25
`
`In re Axis Capital Holdings Ltd. Securities Litigation,
`456 F. Supp. 2d 576 (S.D.N.Y. 2006)..........................................................................13, 16
`
`City of Pontiac Policemen’s & Firemen’s Retirement System v. UBS AG,
`752 F.3d 173 (2d Cir. 2014)...............................................................................................16
`
`Delfonce v. Eltman Law, P.C.,
`No. 16 Civ. 6627 (AMD) (LB), 2017 WL 639249 (E.D.N.Y. Feb. 15, 2017), aff’d,
`712 F. App’x 17 (2d Cir. 2017) ...........................................................................................3
`
`Dura Pharmaceuticals, Inc. v. Broudo,
`544 U.S. 336 (2005) ...........................................................................................................25
`
`In re FBR Inc. Securities Litigation,
`544 F. Supp. 2d 346 (S.D.N.Y. 2008)................................................................................17
`
`Glaser v. The9, Ltd.,
`772 F. Supp. 2d 573 (S.D.N.Y. 2011)..........................................................................23, 24
`
`Hirsch v. Arthur Andersen & Co.,
`72 F.3d 1085 (2d Cir. 1995)...............................................................................................17
`
`Ikeda v. Baidu, Inc.,
`No. 20-CV-02768-LHK, 2021 WL 1299046 (N.D. Cal. Apr. 7, 2021) ............................15
`
`Jackson v. Abernathy,
`960 F.3d 94 (2d Cir. 2020).................................................................................................24
`
`Jiajia Luo v. Sogou, Inc.,
`465 F. Supp. 3d 393 (S.D.N.Y. 2020)..............................................................15, 16, 18, 21
`
`In re Jumei International Holding Ltd. Securities Litigation,
`No. 14cv9826, 2017 WL 95176 (S.D.N.Y. Jan. 10, 2017) ..................................................1
`
`
`
`iii
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 5 of 31
`
`
`
`Kalnit v. Eichler,
`264 F.3d 131 (2d Cir. 2001)...............................................................................................23
`
`In re Keyspan Corp. Securities Litigation,
`383 F. Supp. 2d 358 (E.D.N.Y. 2003) ...................................................................14, 19, 23
`
`Lentell v. Merrill Lynch & Co.,
`396 F.3d 161 (2d Cir. 2005).........................................................................................24, 25
`
`In re Magnum Hunter Resources Corp. Securities Litigation,
`26 F. Supp. 3d 278 (S.D.N.Y. 2014), aff’d, 616 F. App’x 442 (2d Cir. 2015) ..................25
`
`In re Merrill Lynch & Co. Research Reports Securities Litigation,
`289 F. Supp. 2d 416 (S.D.N.Y. 2003)................................................................................25
`
`In re New Energy Systems Securities Litigation,
`66 F. Supp. 3d 401 (S.D.N.Y. 2014)..................................................................................25
`
`Novak v. Kasaks,
`216 F.3d 300 (2d Cir. 2000)...............................................................................................20
`
`Omnicare, Inc. v. Laborers District Council Construction Industry Pension Fund,
`575 U.S. 175 (2015) ...........................................................................................................22
`
`Rumbaugh v. USANA Health Sciences, Inc.,
`No. 2:17-CV-106, 2018 WL 5044240 (D. Utah Oct. 17, 2018) ..................................18, 19
`
`Schaffer v. Horizon Pharma PLC,
`No. 16-CV-1763 (JMF), 2018 WL 481883 (S.D.N.Y. Jan. 18, 2018) ..............................24
`
`Shaffer Smith, 2424, LLC v. Foster,
`168 F. Supp. 3d 654 (S.D.N.Y. 2016)................................................................................24
`
`Singh v. Cigna Corp.,
`918 F.3d 57 (2d Cir. 2019).........................................................................13, 15, 20, 21, 22
`
`Tellabs, Inc. v. Makor Issues & Rights, Ltd.,
`551 U.S. 308 (2007) .....................................................................................................22, 24
`
`In re Time Warner Inc. Securities Litigation,
`9 F.3d 259 (2d Cir. 1993)...................................................................................................15
`
`
`
`
`iv
`
`
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 6 of 31
`
`
`
`Defendant1 360 DigiTech, Inc. (“360 DigiTech” or the “Company”) respectfully submits
`
`this memorandum of law in support of its joint motion to dismiss the Amended Consolidated Class
`
`Action Complaint (ECF No. 41) (“Complaint” or “AC”),2 pursuant to Rules 8(a), 9(b), and
`
`12(b)(6) of the Federal Rules of Civil Procedure and Section 101(b) of the Private Securities
`
`Litigation Reform Act, 15 U.S.C. § 78u-4(b)(2) (the “PSLRA”).
`
`PRELIMINARY STATEMENT
`
`This putative securities fraud class action improperly seeks to hold the Company liable for
`
`failing to predict that its existing data privacy practices, previously lauded by Chinese regulators
`
`during the Class Period, would later be deemed non-compliant with new regulations. 360
`
`DigiTech is a leading Chinese financial technology platform that connects individual borrowers
`
`with financial institutions, primarily through its core product, the 360 Jietiao mobile application.
`
`Even after Chinese authorities began launching a widely reported “special crackdown” on data-
`
`rich technology companies in 2019, Chinese regulators awarded 360 DigiTech the highest level
`
`rating available in data privacy and security in June 2020. But the goalposts shifted a year later
`
`when Chinese regulators imposed new requirements that necessitated changes to the Company’s
`
`existing data privacy measures. In particular, on May 10, 2021, regulators announced that 84 apps,
`
`including 360 Jietiao, were not in compliance with a new regulation that went into effect just nine
`
`days before, and ordered those companies to rectify. About two months later, regulators
`
`
`1 Although none of the Individual Defendants, including CEO Haisheng Wu, former CFO Jiang
`Wu, current CFO Zuoli (Alex) Xu, and Chairman of the Board Hongyi Zhou, have been served,
`the Court may still dismiss the Complaint in its entirety. In re Jumei Int’l Holding Ltd. Sec.
`Litig., No. 14cv9826, 2017 WL 95176, at *1 n.1, *6 (S.D.N.Y. Jan. 10, 2017).
`
`2 A true and correct copy of the Complaint is attached as Exhibit Z to the Declaration of Robert
`A. Fumerton, dated March 15, 2022, exhibits to which are otherwise cited herein as “Ex. __.”
`Pincites for all exhibits reference the original pagination at the bottom of the page. All citations
`and quotations marks are omitted, and all emphases are added, unless otherwise indicated.
`
`
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 7 of 31
`
`
`
`temporarily removed the 360 Jietiao app from most app stores in China to allow the Company
`
`additional time to implement program updates to “optimiz[e] the product design and offer[]
`
`improved user data privacy protection.” (Ex. P, Form 6-K (Aug. 9, 2021) at 1.)
`
`Viewing these events with the luxury of 20/20 hindsight, Plaintiff brings this action
`
`alleging that the Company misrepresented its compliance with Chinese data privacy laws, in
`
`violation of Sections 10(b) and 20(a) of the Securities Exchange Act of 1934 (“Exchange Act”).
`
`For several independently dispositive reasons, Plaintiff fails to state a claim for securities fraud.
`
`First, Plaintiff fails to allege an actionable misrepresentation or omission. Although the
`
`Company had no duty to accuse itself of regulatory violations, it disclosed the regulatory risks
`
`affecting its business, including that it could be subject to adverse regulatory action if its existing
`
`measures were deemed non-compliant with new data privacy regulations. Moreover, Plaintiff fails
`
`to allege that the Company violated any preexisting regulations during the Class Period. Even if
`
`he had pled such facts, none of the statements challenged in the Complaint would state a securities
`
`fraud claim, as they are statements of puffery or opinion that are inactionable as a matter of law.
`
`Second, Plaintiff fails to plead the requisite “strong inference” of scienter. Unable to plead
`
`motive, Plaintiff resorts to “core operations” allegations and generic references to well-known
`
`market events that courts routinely reject as insufficient, particularly where, as here, Plaintiff fails
`
`to plead particularized facts that any Defendant knew their statements were false when made.
`
`Finally, Plaintiff fails to plead loss causation. The alleged “corrective disclosures” here
`
`coincided with the Chinese authorities’ general crackdown on Chinese consumer technology
`
`companies. Plaintiff’s failure to plead any facts to disaggregate his alleged losses from an industry-
`
`wide event triggering stock drops among numerous Chinese companies is fatal to his claim.
`
`For the reasons set forth below, the Complaint should be dismissed with prejudice.
`
`
`
`
`2
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 8 of 31
`
`
`
`I.
`
`BACKGROUND
`
`STATEMENT OF FACTS3
`
`360 DigiTech (formerly 360 Finance) is a leading Chinese financial technology platform
`
`that enables financial institutions to provide tailored financial products and services to prospective
`
`borrowers in China. (AC ¶ 49; Ex. A, 2020 Annual Report at 53.) The Company accomplishes
`
`this objective primarily through its user-friendly mobile application, 360 Jietiao. (AC ¶ 51; Ex. A
`
`at 53.) As of December 31, 2020, the Company has facilitated or originated over RMB573.2
`
`billion (US$87.8 billion) in loans to over 19 million borrowers. (Ex. A at 53.)
`
`Because the Company’s business as a loan facilitation service requires it to collect and
`
`analyze prospective borrowers’ personal data, it has adopted various “policies to make sure [it]
`
`always obtain[s] users’ consent for [its] use of their data and enquires made to other sources of
`
`their information.” (Ex. A at 59.) The Company uses, among other things, “artificial intelligence
`
`and other advanced data tools to . . . translate complex user data into insights relating to a user’s
`
`financial status and creditworthiness.” (Id. at 59–60.) These data tools enable the Company to
`
`“avoid unnecessary privacy invasion” by minimizing risks associated with “human review or
`
`intervention.” (Id.) In June 2020, more than a month after the start of the Class Period, the
`
`Company received a level-three rating—the highest possible rating—for both app privacy and data
`
`security from China’s National Computer Virus Emergency Response Center (“NCVERC”), the
`
`official Chinese agency responsible for anti-virus and internet security. (Id. at 60.)
`
`
`3 The facts set forth herein are drawn from the well-pled allegations in the Complaint and
`“documents attached as exhibits or incorporated into the complaint by reference, matters of
`which judicial notice may be taken, [and] documents integral to the complaint.” Delfonce v.
`Eltman L., P.C., No. 16 Civ. 6627 (AMD) (LB), 2017 WL 639249, at *2 (E.D.N.Y. Feb. 15,
`2017), aff’d, 712 F. App’x 17 (2d Cir. 2017). The Court may also consider “legally required
`public disclosure documents filed with the SEC, and documents possessed by or known to the
`plaintiff and upon which it relied in bringing the suit.” ATSI Commc’ns, Inc. v. Shaar Fund,
`Ltd., 493 F.3d 87, 98 (2d Cir. 2007).
`
`
`
`
`3
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 9 of 31
`
`
`
`II.
`
`360 DIGITECH’S REGULATORY CHALLENGES
`
`A.
`
`China’s Ambiguous Data Security Laws
`
`As detailed in the Complaint, Chinese technology companies, including 360 DigiTech, are
`
`subject to an evolving—and often, uncertain—regulatory landscape. (AC ¶¶ 57–67; Ex. A at 7.)
`
`Chinese data privacy laws, in particular, contain ambiguities and “uncertaint[ies] as to the
`
`interpretation and application of such laws.” (Ex. A at 23.) Hence, despite 360 DigiTech’s strong
`
`compliance record—evidenced by the official accolades it received even while Chinese regulators
`
`were starting to scrutinize Chinese consumer technology companies’ data collection practices with
`
`increasing intensity (id. at 60)—the Company warned investors that “[w]e cannot assure you that
`
`our existing user information protection system and technical measures will be considered
`
`sufficient under applicable laws and regulations.” (Id. at 23; Ex. B, 2019 Annual Report at 21.)
`
`Two regulatory concepts are of particular relevance to this case: (i) the principle of
`
`necessity, which generally requires that personal information collected from users be necessary to
`
`the provision of services; and (ii) the principle of consent, which generally requires users to consent
`
`ahead of time to the collection and use of their personal information. The precise contours of both
`
`rules are, however, ambiguous, and interpretations and applications have changed over time. For
`
`example, the Provisions on Standardizing the Internet Information Service Market (“2011
`
`Provisions”), promulgated in 2011, provide that companies shall not use or “collect [personal]
`
`information other than [that] necessary for the provision of services.” (Ex. C, 2011 Provisions at
`
`Art. 11.) However, China’s Cybersecurity Law, promulgated in 2016 (“Cybersecurity Law”), sets
`
`forth a different formulation, requiring “[n]etwork operators” to comply with “lawful, justifiable,
`
`and necessary” principles and prohibits the collection of “personal information that is not related
`
`to the services it provides.” (Ex. D, Cybersecurity Law, at Art. 41.) Neither the 2011 Provisions,
`
`nor the 2016 Cybersecurity Law, defines what information is deemed “necessary” and what
`
`
`
`
`4
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 10 of 31
`
`
`
`information is deemed “not related” to services that a company provides. Furthermore, although
`
`the Cybersecurity Law provides that companies must obtain the consent of the person whose
`
`personal information is to be collected, it does not explain how such consent should be obtained
`
`and what standards should be used to ascertain whether a user has “consent[ed].” (Id.) The
`
`consensus view, at least among Western commentators, was that the Cybersecurity Law was a
`
`“basic law” whose provisions were “vague enough that the [Chinese] government will determine
`
`their meaning on the fly,” and that the law would require “follow-up laws or interpretations to
`
`specify the standards.” (Ex. E, China’s Internet Controls Will Get Stricter, to Dismay of Foreign
`
`Business, The New York Times (Nov. 7, 2016) at 1.)
`
`B.
`
`Chinese Regulators Tighten Rules Governing the Principles of
`User Consent and Necessity
`
`In 2019, prior to the start of the Class Period, Chinese regulators began expanding the range
`
`of data collection practices that would be deemed to violate the principles of necessity and user
`
`consent. As shown below, these new rules would require Chinese consumer technology companies
`
`to adjust their data privacy measures to bring them in line with the new regulations.
`
`In January 2019, Chinese regulators, including the Cyberspace Administration of China
`
`(“CAC”), announced the launch of a year-long “special crackdown” to purge apps deemed to
`
`violate the Cybersecurity Law and other consumer protection laws (“2019 Crackdown”). (Ex. F,
`
`Announcement of Launching Special Crackdown Against Illegal Collection and Use of Personal
`
`Information by Apps (“January 2019 Announcement”) (Jan. 23, 2019) at 1.) In the January 2019
`
`Announcement, regulators stated that companies must allow users to “independently choose
`
`consents,” rather than “force the users to make authorization in the forms of default, bundling,
`
`stopping installation and use, etc.” (Id. at 2.) While it clarified the principle of user consent, the
`
`January 2019 Announcement did not provide additional guidance on the principle of necessity.
`
`
`
`
`5
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 11 of 31
`
`On November 28, 2019, Chinese regulators issued the Definition of Apps’ Illegal and
`
`Irregular Collection and Use of Personal Information (“November 2019 Definitions”) (AC ¶ 16),
`
`which further clarified the types of data collection practices that would be considered violations of
`
`the principle of user consent:
`
`
`
`(1) commencing the collection of personal information . . . before obtaining the consent of
`users; (2) after a user clearly expresses disagreement, still collecting personal information
`or . . . frequently asking for the user’s consent and interfering with the normal use of a user;
`(3) the personal information collected . . . is beyond the scope of users’ authorization; (4)
`[t]he consent of users is sought by non-express means such as consent to privacy policy by
`default; (5) change the status of collectable personal information authority set by a user
`without the user’s consent, such as automatically restoring user settings to the default status
`when the App is updated; (6) utilizing users’ personal information and algorithms to push
`information from targeted sources, but failing to provide options for non-targeted push
`information; (7) misleading users into agreeing to collect personal information . . . by fraud,
`deception or other improper means, such as deliberately deceiving or concealing the true
`purpose of collecting or using personal information; (8) failing to provide users with
`channels and methods for withdrawing consent to collect personal information; and (9)
`collect and use personal information in violation of its stated collection and use rules. (Ex.
`G, November 2019 Definitions at 3–4.)
`
`The November 2019 Definitions, for the first time, also specified practices that would be
`
`deemed to “violat[e] . . . the principle of necessity”:
`
`(1) the type of personal information collected . . . is irrelevant to existing business
`functions; (2) refusing to provide business functions because users do not agree to collect
`unnecessary personal information . . . ; (3) [t]he personal information collected by an App
`under the application for new business functions exceeds the scope originally approved by
`a user. If the user disagrees, the App will refuse to provide the user with the original
`business functions, except that the new business functions replace the original ones; (4) the
`frequency of collecting personal information is beyond the actual needs of business
`functions; (5) forcing users to agree to collect personal information for the sole reason of
`improving service quality, boosting user experience, pushing targeted information,
`researching and developing new products, etc.; and (6) [r]equiring a user to consent to open
`multiple authority to collect personal information at one time, and the user cannot use the
`App without consent. (Id. at 4.)4
`
`
`4 The Complaint also cites the Preliminary Measures on Commercial Bank Internet Finance
`Administration, which announced data privacy measures applicable to commercial banks, and
`the Notice on Strengthening the Supervision and Administration of Micro-loan Companies,
`which announced measures applicable to micro-loan companies. (AC ¶¶ 65, 66.) Plaintiff
`does not explain how these measures apply to 360 DigiTech, a financial technology company.
`
`
`
`
`6
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 12 of 31
`
`
`
`
`Although “hundreds of app operators [were] fined, issued rectification orders, or warned
`
`for their lack of privacy protections” during the 2019 Crackdown (AC ¶ 17), Plaintiff does not and
`
`cannot allege that 360 DigiTech was among them. To the contrary, in June 2020, a month after
`
`the start of the Class Period, and six months after the end of the 2019 Crackdown, the NCVERC,
`
`the “designated testing body” for the 2019 Crackdown, awarded 360 Jietiao the highest rating for
`
`both app privacy and data security and conferred on the Company certifications in both app
`
`security and information security. (Ex. A at 60.)
`
`III.
`
`360 DIGITECH’S DISCLOSURES
`
`Throughout the Class Period, 360 DigiTech disclosed to investors the data privacy laws
`
`and regulations to which it was subject, including the 2011 Provisions, the Cybersecurity Law, the
`
`January 2019 Announcement, and the November 2019 Definitions. (Id. at 71–73.) Although the
`
`Company disclosed that it had “obtained the consents from our borrowers to use their personal
`
`information within the scope of authorization” (id. at 23; Ex. B, 2019 Annual Report at 21), the
`
`Company cautioned that uncertainties clouded the interpretation and application of data privacy
`
`laws, and it could be subject to adverse regulatory action if such interpretations changed:
`
`[T]here is uncertainty as to the interpretation and application of such laws which may
`be interpreted and applied in a manner inconsistent with our current policies and
`practices or require changes to the features of our system. Any non-compliance or
`perceived non-compliance with these laws, regulations or policies may lead to warnings,
`fines, investigations, . . . closedown of websites or even criminal liabilities against us by
`government agencies or other individuals. We cannot assure you that our existing user
`information protection system and technical measures will be considered sufficient
`under applicable laws and regulations. If we are unable to address any information
`protection concerns, or to comply with the then applicable laws and regulations, we may
`incur additional costs and liability and our reputation, business and operations might be
`adversely affected. (Ex. A at 23; Ex. B at 21.)
`
`The Company also warned that, given the nature of the Chinese legal system, it could be
`
`subject to unwritten rules or new rules with retroactive effect, making it difficult to know or predict
`
`
`
`
`7
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 13 of 31
`
`
`
`whether its data collection practices would be deemed compliant by regulators:
`
`[T]he PRC legal system is based in part on government policies and internal rules (some
`of which are not published in a timely manner or at all) that may have retroactive effect.
`As a result, we may not be aware of our violation of these policies and rules until
`sometime after the violation. (Ex. A at 33; Ex. B at 31.)
`
`In view of the above, the Company warned investors that they should “consider our
`
`business and prospects in light of the risks and challenges we encounter or may encounter given
`
`the rapidly evolving market in which we operate” including “our ability to . . . navigate a complex
`
`and evolving regulatory environment.” (Ex. A at 7–8; Ex. B at 8.)
`
`IV.
`
`SUBSEQUENT REGULATORY DEVELOPMENTS
`
`A.
`
`New Data Privacy Rules Are Announced in March 2021
`
`In March 2021, four Chinese regulators, including the CAC, issued the Rules on the Scope
`
`of Necessary Personal Information for Common Types of Mobile Internet Applications, which took
`
`effect on May 1, 2021 (“May 1 Provisions”). (Ex. H, May 1 Provisions.) The May 1 Provisions
`
`offer additional guidance on the principles of necessity and user consent. With respect to the
`
`principle of necessity, the May 1 Provisions define “necessary personal information” as “personal
`
`information necessary for ensuring the normal operation of an App’s basic functional services,
`
`without which the App cannot achieve its basic functional services.” (Id. at Art. 3.) For online
`
`lending apps like 360 Jietiao, “necessary personal information” is strictly limited to a user’s name,
`
`phone number, bank card number, and the number, type, and expiration date of the user’s
`
`identification document. (Id. at Art. 5, cl. 12.) With respect to user consent, the May 1 Provisions
`
`provide that apps “shall not refuse users to use its basic functional services on the ground that users
`
`disagree to provide unnecessary personal information.” (Id. at Art. 4.)
`
`As 360 DigiTech disclosed, this regulatory development required adjustments to the 360
`
`Jietiao app. Although the Company “always obtain[s] users’ consent for [its] use of data and
`
`
`
`
`8
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 14 of 31
`
`
`
`enquir[ies] from other sources of their information” (AC ¶ 76), the May 1 Provisions limit the
`
`scope of “necessary personal information” that could be collected from customers to an even more
`
`limited set of information (Ex. H at Art. 5, cl. 12). Hence, the Company “work[ed] proactively
`
`with third party credit agenc[ies] . . . and external data sources” to “replace[]” credit-related and
`
`other information that, while relevant to its services, could no longer be required from customers
`
`to access the app’s “basic functional services.” (Ex. I, Q2 2021 Earnings Call at 11; Ex. H at Art.
`
`4.) These changes, in turn, necessitated changes to the way 360 Jietiao obtains consent from users,
`
`both for data collected directly from users, and for “enquir[ies] from other sources [for use] of
`
`their information,” to bring the app into compliance with new regulations. (AC ¶ 76.)
`
`B.
`
`In April 2021, the Company Was One of 13 Major FinTech Platforms That
`Met with Regulators to Discuss Regulatory Issues
`
`On April 29, 2021, Chinese financial and banking regulators (but not the CAC) met with
`
`13 fintech companies with considerable influence in the industry, including 360 DigiTech (“April
`
`29 Meeting”). (AC ¶ 32.) The April 29 Meeting, which was widely reported in U.S. media, was
`
`convened to discuss a range of regulatory issues, including financial regulation, fair competition,
`
`and consumer protection. (Ex. J, Chinese Regulators Tell Fintech Groups to Fix “Problems,”
`
`Financial Times (Apr. 30, 2021); Ex. K, Beijing Warns Fintech Firms Against Anti-Monopoly
`
`Behavior, Associated Press (Apr. 30, 2021).) Although regulators praised the “overall positive”
`
`developments in the industry (Ex. J at 2), regulators issued seven rectification requirements,
`
`including “stricter compliance” requirements for antitrust, banking, and financial regulation (Ex.
`
`L, China Reins In Tech Giants’ Finance Arms After Hobbling Ant, Bloomberg (Apr. 29, 2021)).
`
`Among these seven requirements, only one related, in part, to data privacy. Specifically, regulators
`
`stated that Chinese fintech companies should “standardize the collection and use of personal
`
`information, marketing and publicity activities and format contracts.” (AC ¶ 28.) The regulators
`
`
`
`
`9
`
`
`
`Case 1:21-cv-06013-AKH Document 46 Filed 03/15/22 Page 15 of 31
`
`did not accuse any company of violating any preexisting data privacy laws or specify how
`
`companies were to “standardize” their practices. (See id.)
`
`The Company discussed the April 29 Meeting several times during the Class Period.
`
`During its Q1 2021 earnings call on May 27, 2021, 360 DigiTech’s CEO Haisheng Wu stated:
`
`
`
`[W]e were among the 13 major FinTech Internet platforms that the regulator invited to
`meet recently. At the meeting, the regulator acknowledged the importance of our role in
`improving the efficiency of financial service[s,] providing service[s] to [meet customer]
`demand and reducing transaction costs. We believe the meeting was a necessary step to . .
`. promote the healthy development of the platform economy. Strengthening supervision of
`the leading players will increase clarity to the regulatory direction of the industry, reduce
`regulatory overhead and promote a healthy and more consolidated market space.
`Compared to the other FinTech compan[ies] at the meeting, our business models are
`relatively simple and straightforward. We have consistently held our operations to the
`highest of compliance standards. Therefore, we are very confident we can meet any
`regulatory requirements applied to this industry. (Ex. M, Q1 2021 Earnings Call at 5–6.)
`
`Similarly, during its Q2 2021 earnings call on August 20, 2021, the Company stated that
`
`“[a]s one of the 13 leading