ARTICLE
17 September 2025

China fines Dior: Reminder for firms to secure cross-border data

R&P China Lawyers

Contributor

R&P is a unique Chinese law firm founded in 2010, offering trusted legal support for international businesses in China. They cover various sectors and have PRC-licensed lawyers representing clients in negotiations, dealings with government departments, and court proceedings. Their team combines local expertise with international experience, emphasizing integrity, communication, and responsiveness. With offices in Shanghai and Beijing, R&P engages in projects across China and collaborates with local firms for additional support, providing practical solutions for clients' legal challenges.
Chinese regulators are taking a strict stance on cross-border transfers of personal information.

On 9 September 2025, the PRC National Cybersecurity Notification Centre released an official announcement stating that the Public Security Bureau (PSB) had conducted an administrative investigation and imposed penalties on Dior Shanghai for unlawful cross-border transfers of personal information.

According to the PSB, Dior Shanghai transferred personal data of its Chinese customers to Dior's headquarters in France without implementing any of the lawful outbound transfer mechanisms required by the Personal Information Protection Law (PIPL). The PSB identified three key violations:

  1. Transferring personal data abroad without completing a Cyberspace Administration of China (CAC) security assessment, filing Standard Contractual Clauses (SCCs), or obtaining a personal information protection certification (Article 38 of the PIPL);
  2. Failing to sufficiently inform individuals about the overseas recipient and processing activities, and not obtaining the required "separate consent" prior to the transfer (Articles 13–14, 17 of the PIPL); and
  3. Failing to implement appropriate technical security measures, such as encryption or anonymization, before exporting the data (Article 51 of the PIPL).

The Personal Information Protection Law

This enforcement action is significant: it is among the more prominent cases under China's PIPL since its enactment in November 2021.

The PIPL is China's first comprehensive data protection law, comparable to the GDPR in the EU. It clarifies the rules for processing personal information, the obligations of personal information handlers (and processors), and the rights of personal information subjects. The PIPL stipulates that companies processing or exporting personal information must comply with a range of strict obligations, including obtaining specific and separate consent for processing sensitive personal information, conducting formal security assessments, and meeting stringent requirements for transparency to ensure that exported data is properly safeguarded. Non-compliance can result in substantial penalties, business restrictions, and significant reputational damage.

PIPL Compliance Program

China's data protection framework is complex and evolving rapidly. For companies operating in China and handling Chinese personal information, establishing a robust compliance program is essential, including:

  • Privacy Impact Assessments (PIAs);
  • Standard Contractual Clauses (SCCs) filed with the CAC;
  • Employee privacy notices and consent letters to meet "sufficient notice" and "separate consent" requirements;
  • Data Processing Agreements (DPAs) for B2B data-sharing arrangements;
  • Outward-facing privacy policies for B2C scenarios.

Conclusion

The Dior case is a timely reminder that regulators are taking a strict stance on cross-border transfers of personal information. Companies should therefore act proactively to mitigate compliance risks and avoid enforcement action. If your company processes personal information in or from China, our team can assist you in navigating the regulatory landscape and implementing the necessary safeguards.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
