[co-author: Ken Dai]
On September 9, 2025, Dior (Shanghai) Co., Ltd. (“Dior (Shanghai)”) was publicly sanctioned in China for unlawfully transferring personal information (“PI”) overseas. This is the first administrative penalty in China for unlawful cross-border transfers of PI, and because it involves a multinational company (“MNC”) it has attracted widespread international attention. The case signals that China’s cross-border data regime has shifted from rulemaking to active enforcement. It also shows that some MNCs have long overlooked localization and compliance obligations in their China operations. For MNCs, the decision is a clear warning: they must reassess and localize their data compliance frameworks in China to keep pace with increasingly stringent regulatory requirements.
The Dior Case: Enforcement Background and Findings
In May 2025, multiple media outlets reported a data breach incident involving the French luxury brand Dior, with users in China receiving official notification messages from the company. In response, China’s public security authority opened an administrative investigation into Dior (Shanghai). The investigation concluded that Dior (Shanghai) had committed three unlawful acts relating to cross-border transfers of PI and data security:
- Transmitting user PI to Dior’s headquarters in France without completing a cross-border data transfer security assessment, entering into a standard contract, or obtaining a PI protection certification as required.
- Failing to adequately inform users of the processing methods of overseas recipients and to obtain their “separate consent” before providing their PI to Dior’s headquarters in France.
- Failing to adopt necessary technical safeguards, such as encryption or de-identification, when handling collected PI.
On this basis, the local public security authority imposed an administrative penalty on Dior (Shanghai) under the Personal Information Protection Law (“PIPL”), without disclosing the penalty details.
Key Takeaway 1: From Rulemaking to Enforcement - Cross-Border Data Transfer Compliance Is Now an Urgent Priority for MNCs
Since the enactment of the PIPL in 2021, China has gradually established three regulatory mechanisms for cross-border data transfer (explained below), supported by a series of implementing measures and technical guidelines. However, before the Dior case, no company had been publicly penalized for failing to comply with these obligations.
The Dior case marks a turning point: China’s cross-border data regulation has shifted from rulemaking to enforcement, making non-compliance with the three regulatory mechanisms a concrete and immediate risk. MNCs should treat this as a wake-up call—urgently mapping their data, assessing whether cross-border PI transfers trigger regulatory requirements, and fulfilling the corresponding obligations without delay.
- Overview of the Three Regulatory Mechanisms for Cross-Border Data Transfer
According to the PIPL and its supporting regulations, the outbound transfer of PI and important data may trigger one of the following three regulatory mechanisms, unless exemption conditions are met:
1) Security Assessment Notification: a security assessment of the outbound data transfer organized by the Cyberspace Administration of China (“CAC”);
2) SCC Filing: conclusion of the CAC standard contract for cross-border transfers of PI with the overseas recipient, followed by filing with the CAC;
3) PI Protection Certification: certification of the PI protection arrangements by an accredited certification body.
The diagram below outlines the steps for determining whether a company’s data export activities are subject to regulation and, if so, which mechanism applies.

- Comparison between Security Assessment Notification and SCC Filing
The PI protection certification mechanism remains underdeveloped, with only one designated certification body and limited practical application to date. The comparison below therefore focuses only on the two mainstream mechanisms currently in widespread use: the Security Assessment Notification and the SCC Filing.

It should be noted that, regardless of which mechanism is adopted, a PI Protection Impact Assessment (“PIPIA”) must be conducted in advance in accordance with the PIPL. The PIPIA should evaluate the following aspects, and the assessment report and handling records must be retained for at least three years:
1) Whether the purpose and means of PI handling are lawful, legitimate, and necessary;
2) The potential impact on personal rights and interests, as well as security risks;
3) Whether the protective measures adopted are lawful, effective, and proportionate to the level of risk.
- Frequently Asked Questions in Practice
Below are some frequently asked questions regarding the Security Assessment Notification and the SCC Filing, along with our suggestions based on experience. We hope this provides practical guidance for companies doing business in China.
Q1: If data is stored in China but can be accessed from abroad, does it count as a cross-border transfer?
A: Yes. Remote access from outside China to PI stored in China is treated as an outbound transfer and falls under China’s cross-border data transfer regulations, even though the data itself never leaves Chinese servers.
Q2: If the headquarters collects PI of employees and candidates in China through a Workday system hosted abroad, does it need to comply with China's cross-border data regulations?
A: Yes. A foreign entity that collects PI directly from individuals in China (including foreign nationals located in China) must comply with China’s cross-border data regulations. However, the outbound transfer of employees’ PI for cross-border HR management may be exempted if it is genuinely necessary and based on lawfully formulated employment rules or a collective labor agreement. By contrast, the outbound transfer of candidates’ PI is treated more strictly and is generally accepted by the Chinese authorities only where the candidate is applying for a position outside China.
Q3: Should thresholds for Security Assessment Notification or SCC Filing be determined at the group level or for each individual company within the group?
A: Thresholds should be determined for each individual company within the group, not aggregated at group level. In practice, if several companies within the group meet the thresholds, one of them can be designated to submit a combined notification or filing on behalf of all of them.
Q4: What if there are no operating entities in China?
A: According to the PIPL, a foreign entity that collects PI directly from individuals in China must establish a dedicated office or appoint a representative in China (for example, a local law firm) to handle PI protection matters, and report the contact details to the competent authority.
Q5: What materials are required for Security Assessment Notification and SCC Filing?
A: For the Security Assessment Notification: the notification form, a self-assessment report on the outbound data transfer, the legal documents (contract) with the overseas recipient, and other supporting materials. For the SCC Filing: the PIPIA report, the signed standard contract, and other supporting materials. Both the self-assessment report and the PIPIA report must follow the CAC-issued templates, which call for extensive information about the data, the recipient, and the safeguards in place.
Q6: Should the CAC-issued PIPIA template be followed in scenarios other than SCC filing?
A: No. The PIPIA report in other scenarios (for example, handling sensitive PI or entrusting PI to a processor within China) can be much simpler and only needs to assess: a) whether the purpose and method of handling PI are lawful, legitimate, and necessary; b) the impact on personal rights and interests and the security risks; and c) whether the protection measures taken are lawful, effective, and commensurate with the degree of risk.
Q7: If no outbound data transfer is involved, are there any other compliance requirements for companies subject to the PIPL?
A: Yes. Among others: drafting and publishing a compliant privacy policy, obtaining data subjects’ consent (including separate consent where applicable, such as for sensitive PI), and establishing an internal data security management system with the technical measures the PIPL requires.
Key Takeaway 2: PIPL vs. GDPR - Superficial Alignment Masks Substantive Differences, Making Localization Essential
In practice, many MNCs rely on the GDPR as the blueprint for their global privacy policies and, when offering products or services in China, make only superficial adjustments, or in some cases, merely translate the policy into Chinese. Although the GDPR and the PIPL share many structural similarities, their substantive requirements diverge in critical ways.
For example, one of the violations leading to Dior (Shanghai)’s penalty, failing to adequately inform users about how overseas recipients would process their PI and failing to obtain users’ “separate consent”, is a PIPL-specific requirement with no direct equivalent under the GDPR, where cross-border transfers generally rest on adequacy decisions or transfer mechanisms rather than on a separate, transfer-specific consent.
Some key differences between the GDPR and the PIPL are summarized in the table below:
The first court judgment in China concerning cross-border PI transfers, issued by the Guangzhou Internet Court in September 2023 in a case brought by a consumer against the multinational hotel group Accor, also highlighted this issue. In that case, Accor relied on a globally unified privacy policy and merely appended a brief China-specific addendum when operating in China. This policy failed to meet the detailed requirements of the PIPL, such as specifying the identity and geographic scope of overseas recipients and obtaining separate consent for cross-border transfers beyond what was strictly necessary for contract performance. The court found Accor in violation of the PIPL and ordered it to compensate the consumer for damages and reasonable expenses.
These cases demonstrate that simply replicating global privacy policies or making superficial adjustments is insufficient to meet compliance obligations under the PIPL. To mitigate growing enforcement and litigation risks, MNCs must conduct a clause-by-clause assessment against the PIPL’s specific requirements and implement systematic, localized revisions to their GDPR-based global privacy policies.
Key Takeaway 3: Frequent Data Breaches Underscore the Need for Stronger Security in the Luxury Sector
The Dior investigation was triggered by a data breach, and other luxury brands such as Louis Vuitton (LV) and Cartier have likewise suffered user data breaches in recent years. Such incidents are particularly common in the luxury sector because the PI of high-net-worth clients is highly valuable and makes these brands attractive targets for attackers. At the same time, they reveal the industry’s insufficient attention to data protection and its relatively weak security capabilities.
Such breaches not only expose consumers to harassment calls, spam emails, and even fraud, but also seriously damage brand reputation, erode consumer trust, cause customer attrition, and may lead to regulatory penalties and civil claims. Against this backdrop, luxury brands must elevate their focus on data security, increase investment, and strictly implement management and technical compliance measures required under the PIPL, including but not limited to: formulating internal rules and procedures, classifying PI for tiered management, adopting security technologies such as encryption and de-identification, setting proper access controls, providing regular employee training, and preparing and executing contingency plans for PI security incidents.
Looking Ahead: Time for MNCs to Build Tailored Data Compliance Frameworks in China
As the first administrative penalty in China for unlawful cross-border PI transfers, the Dior case marks the shift of China’s cross-border data transfer regime from rulemaking to enforcement. To avoid penalties of up to RMB 50 million or 5% of annual turnover under the PIPL, MNCs must carefully assess whether their cross-border PI transfers trigger any of the three regulatory mechanisms and fulfill the corresponding obligations.
In addition, many MNCs should address long-neglected localization issues by systematically adjusting their GDPR-based global privacy policies to align with the PIPL and establishing tailored compliance frameworks for China. Finally, luxury brands in particular should strictly implement the data security management and technical requirements under the PIPL, strengthen awareness and capabilities, and proactively guard against and respond to data breach incidents.
Notes List:
1. Data that, if tampered with, destroyed, leaked, or illegally accessed or used, could endanger national security, economic operations, social stability, public health, or public safety (e.g., data reflecting economic operating conditions such as vehicle traffic and logistics). In practice, important data is identified and notified by the competent authorities in China.
2. On July 7, 2022, the Measures for Security Assessment of Outbound Data Transfers were issued by CAC and took effect on September 1, 2022.
3. On February 22, 2023, the Measures on Standard Contracts for Cross-Border Transfers of PI (including the model contract template) were issued by CAC and took effect on June 1, 2023.
4. On March 22, 2024, the Provisions on Promoting and Regulating Cross-Border Data Flows were released by CAC and became effective the same day. These rules introduced five exemption scenarios and raised the thresholds for triggering regulatory obligations.
5. At the time of writing, the China Cybersecurity Review Technology and Certification Center (a bureau-level public institution under the State Administration for Market Regulation) is the only officially designated certification body.