China: An Examination of Corporate Data Protection Obligations through the Dior (Shanghai) Personal Information Cross-Border Transfer Case
Published 30 October 2025
Sarah Xuan
In May 2025, an incident involving the cross-border transfer of personal information by an internationally renowned brand drew broad attention from the public and from regulators. Multiple media outlets reported a data breach at the French fashion house Dior, and users in mainland China began receiving official warning messages. On September 18, 2025, the Cybersecurity Department of the Shanghai Public Security Bureau opened an administrative investigation into Dior (Shanghai) Co., Ltd. and, as part of the “Cyber Shield — 2025” special campaign, announced its decision to impose administrative penalties on the company and to order rectification within a prescribed period under the Personal Information Protection Law (PIPL) and related provisions.
I. Case Overview
According to the investigation by the public security authorities, Dior (Shanghai) committed three major violations:
1. Failure to use a lawful cross-border transfer mechanism: the company transmitted users’ personal information to its headquarters in France without passing a security assessment, signing and filing the Standard Contract for Cross-Border Personal Information Transfer, or obtaining personal information protection certification.
2. Failure to give sufficient notice and obtain “separate consent”: before providing personal information to the overseas recipient, the company did not fully inform users of the recipient’s processing purpose, processing methods, categories of personal information, retention period, or available remedies, and did not obtain consent specific to the cross-border transfer.
3. Failure to adopt necessary security and technical measures: the company did not apply encryption, de-identification, or comparable measures to the personal information it collected, leaving it exposed to a significant risk of leakage and misuse.
Based on these facts, the Shanghai public security authority imposed administrative penalties (undisclosed amount) under the Personal Information Protection Law of the People’s Republic of China and ordered the company to make corrections within a set period.
II. Legal Analysis
From a legal standpoint, Dior (Shanghai)’s conduct violated several core provisions of the PIPL:
1. Violation of Article 38 (lawful mechanisms for cross-border transfer): this article requires that, before personal information is provided to a recipient outside China, the processor pass a security assessment organised by the national cyberspace authority, conclude and file a standard contract with the overseas recipient, or obtain personal information protection certification. Dior did none of these and transmitted user data abroad directly, which constitutes an unauthorized cross-border transfer.
2. Violation of Article 39 (separate consent and full notification): a personal information processor must clearly inform individuals of the overseas recipient’s processing purpose, processing method, categories of information, retention period, and means of redress, and must obtain the individual’s separate consent. Dior failed to do so, depriving users of their right to be informed and to decide for themselves.
3. Violation of Article 51 (security protection measures): the law requires technical measures such as encryption and de-identification to keep personal information secure during collection, storage, and transmission. Dior’s omission exposed users’ personal data to a high risk of leakage and misuse.
It is worth noting that this case is among the first publicly announced penalties imposed on an international brand for violating the cross-border transfer rules since the PIPL came into force, which makes it a typical warning case. The public security authority’s decision illustrates both the application of the proportionality principle in administrative law and the tightening of enforcement standards for data compliance by foreign-invested enterprises.
III. Regulatory Implications
The case conveys three key regulatory signals:
1. “Compliance first” has become the precondition for cross-border data flows. Any multinational company operating in China, wherever its headquarters are located, must put a lawful cross-border transfer mechanism under Chinese law in place before processing the data of individuals in China abroad.
2. Enforcement is becoming more technical and more coordinated. The joint efforts of the public security, cyberspace, and industry supervisory authorities show that cross-border data compliance is now a comprehensive governance process involving legal, technical, and industry standards.
3. Data compliance is shifting from a “cost center” to “trust capital.” Compliance is no longer merely a defensive response to regulation but a strategic advantage that strengthens brand reputation and user trust. Multinational enterprises must treat compliance with China’s personal information protection regime as essential to sustainable growth.
IV. Practical Guidance for Enterprises
Enterprises can enhance compliance through three dimensions — governance framework, procedural management, and technical safeguards:
1. Establish a comprehensive data governance system. Conduct a systematic inventory of personal information processing activities, map data flows, identify data types, sensitivity levels, purposes, and storage locations, and ensure that every outbound transfer follows the principle of data minimization.
2. Select and document lawful outbound transfer mechanisms. Depending on business scale and data type, choose among the security assessment, standard contract filing, and certification routes. Each transfer must be preceded by a personal information protection impact assessment (the PIPL’s counterpart of a DPIA, required for outbound transfers under Article 55) and must leave a complete audit trail.
3. Improve notification and consent mechanisms. The privacy policy should contain a dedicated section on cross-border transfers that lists the overseas recipient’s name and contact details, the processing purpose and methods, the categories of personal information involved, and how individuals can exercise their rights against the recipient. “Separate consent” should be collected through an explicit, unticked checkbox or a secondary confirmation step that is distinct from the general consent to the privacy policy.
4. Strengthen technical safeguards. Encrypt data in transit and at rest, pseudonymize or de-identify any field the overseas recipient does not need, enforce least-privilege access control on both ends, and run anomaly detection and log retention on the transfer channel so that interception or leakage during cross-border transmission is prevented or at least detected.
5. Build an internal cross-department compliance mechanism. Appoint a Data Protection Officer (the PIPL calls this role the person in charge of personal information protection) and ensure collaboration among the legal, cybersecurity, and internal audit teams. Establish regular training and emergency drills to achieve a closed loop of prevention, monitoring, and remediation.
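The guidance above can be turned into a concrete gate that sits in front of any outbound transfer channel. The following is an added example, not code from the original article and not Dior’s own system: a minimal pre-transfer check that enforces a filed Article 38 mechanism for the recipient, a separate cross-border consent rather than the general privacy-policy consent, data minimization and keyed pseudonymization of direct identifiers, and a hash-chained audit trail of every release and block decision. The recipient register, field names, sample record and the key-handling arrangement are all hypothetical; transport encryption (TLS) is assumed to be provided by the channel the prepared payload is handed to and is not shown.

```python
import hashlib
import hmac
import json
import secrets
from dataclasses import dataclass, field

# Assumption (hypothetical): the pseudonymisation key is generated and kept
# inside mainland China and is never shared with the overseas recipient, so
# the recipient cannot reverse the tokens. A keyed HMAC is used instead of a
# bare SHA-256 so that short identifiers cannot be recovered by brute force.
PSEUDONYM_KEY = secrets.token_bytes(32)

# Hypothetical register of overseas recipients and the PIPL Article 38
# mechanism on file for each. A recipient with no filed mechanism is blocked.
TRANSFER_REGISTER = {
    "hq-paris": {"mechanism": "standard_contract", "filed": True},
    "analytics-vendor": {"mechanism": "standard_contract", "filed": False},
}

# Data minimisation: only the fields the recipient needs for its stated
# purpose leave the country; direct identifiers are pseudonymised first.
ALLOWED_FIELDS = {"customer_id", "purchase_total", "product_category"}
PSEUDONYMISED_FIELDS = {"customer_id"}


class TransferBlocked(Exception):
    """Raised when a record fails a pre-transfer compliance check."""


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed token: same input gives the same token, and the
    token cannot be reversed without the domestically held key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:32]


@dataclass
class AuditLog:
    """Append-only, hash-chained audit trail of release and block decisions."""
    entries: list = field(default_factory=list)
    prev_hash: str = "0" * 64

    def record(self, event: dict) -> str:
        body = json.dumps(event, sort_keys=True)
        digest = hashlib.sha256((self.prev_hash + body).encode()).hexdigest()
        self.entries.append({"hash": digest, "prev": self.prev_hash, **event})
        self.prev_hash = digest
        return digest

    def verify(self) -> bool:
        """Recompute the chain; any edited or removed entry breaks it."""
        prev = "0" * 64
        for entry in self.entries:
            event = {k: v for k, v in entry.items() if k not in ("hash", "prev")}
            body = json.dumps(event, sort_keys=True)
            expected = hashlib.sha256((prev + body).encode()).hexdigest()
            if entry["prev"] != prev or entry["hash"] != expected:
                return False
            prev = entry["hash"]
        return True


def prepare_outbound(record: dict, recipient: str, audit: AuditLog) -> dict:
    """Return the minimised, pseudonymised payload for `recipient`, or raise
    TransferBlocked. Every decision is written to the audit log."""
    # Article 38: a security assessment, filed standard contract or
    # certification must be on record for this recipient.
    reg = TRANSFER_REGISTER.get(recipient)
    if reg is None or not reg["filed"]:
        audit.record({"action": "blocked", "reason": "no_lawful_mechanism",
                      "recipient": recipient})
        raise TransferBlocked(f"no filed transfer mechanism for {recipient}")

    # Article 39: consent must be separate and specific to cross-border
    # transfer to this recipient; a general marketing consent does not count.
    consent = record.get("consent", {})
    if not (consent.get("cross_border")
            and consent.get("cross_border_recipient") == recipient):
        audit.record({"action": "blocked", "reason": "no_separate_consent",
                      "recipient": recipient})
        raise TransferBlocked("no separate cross-border consent on record")

    # Article 51: minimise and de-identify before the payload is handed to
    # the (assumed TLS-protected) transfer channel.
    payload = {}
    for name in sorted(ALLOWED_FIELDS):
        if name in record:
            value = record[name]
            payload[name] = (pseudonymise(str(value))
                             if name in PSEUDONYMISED_FIELDS else value)
    audit.record({"action": "released", "recipient": recipient,
                  "mechanism": reg["mechanism"], "fields": sorted(payload)})
    return payload


# Constructed sample record for the demonstration (not real customer data).
SAMPLE_RECORD = {
    "customer_id": "C1001",
    "phone": "+86 138 0000 0000",
    "id_number": "310000000000000000",
    "purchase_total": 1200,
    "product_category": "bags",
    "consent": {"marketing": True, "cross_border": True,
                "cross_border_recipient": "hq-paris"},
}

if __name__ == "__main__":
    log = AuditLog()
    print(prepare_outbound(SAMPLE_RECORD, "hq-paris", log))
    try:
        prepare_outbound(SAMPLE_RECORD, "analytics-vendor", log)
    except TransferBlocked as exc:
        print("blocked:", exc)
    print("audit chain intact:", log.verify())
```

The released payload carries only the three permitted fields, with the customer identifier replaced by a token the headquarters can use for joins but cannot map back to a person; the phone and ID numbers never leave. A recipient whose standard contract has not been filed, or a record that holds only general marketing consent, is refused, and both outcomes are recorded in a chain that a later audit can verify was not edited.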
Comment
The Dior (Shanghai) case is a wake-up call for multinational enterprises. Cross-border data compliance is no longer a formality but a substantive and continuing focus of regulators. With the progressive implementation of supporting measures such as the Measures for Security Assessment of Data Exports and the Standard Contract Measures for Cross-Border Personal Information Transfers, regulators now exercise end-to-end oversight of outbound data activities.
Enterprises must integrate personal information protection into their core corporate governance, comply with the law, respect users, and safeguard data security to achieve stable and sustainable development in the Chinese market.