Sep 17, 2025
by Richard Ma, Joanna Jiang, and Dimitri Phillips
1. Background
According to a 9 September 2025 publication of the Cybersecurity Administration under the Shanghai local Public Security Bureau (“PSB”), Dior (Shanghai) (“Dior Shanghai”) received an administrative penalty for unlawful cross-border transfer of personal information (“PI”) under the PRC Personal Information Protection Law (“PIPL”).
In May 2025, multiple media outlets reported a data breach involving the French fashion and consumer brand Dior, with Dior sending users in mainland China notifications about the breach. In response, the Cybersecurity Administration of the local PSB initiated an administrative investigation into Dior Shanghai. The investigation identified the following three violations:
(a) Unlawful Cross-Border Data Transfer: Dior Shanghai transmitted user PI to Dior headquarters in France without completing a security assessment for data export, signing a standard contract for PI export, or obtaining PI protection certification, whereas fulfilling at least one of those obligations is required by law.
(b) Failure to Obtain Informed and Separate Consent: Before providing user PI to the headquarters, Dior Shanghai did not adequately inform users of how their PI would be handled by the overseas recipient, nor did it obtain users’ “separate consent” for the cross-border transfer.
(c) Insufficient Security Measures: Dior Shanghai failed to implement necessary technical security measures, such as encryption and de-identification, for the PI it collected.
2. Implications and Regulatory Reminders
The case highlights the increased scrutiny and robust enforcement of PI protection in China, particularly with respect to cross-border transfers. It serves as a clear warning to all data handlers in China to comply with PIPL requirements and proactively manage legal risks associated with cross-border data transfers. Data handlers are advised to regularly review and update their policies and procedures to ensure full compliance and to safeguard PI.
3. Requirements for Cross-Border Transfer of PI
Unless certain exemptions under the Provisions on Facilitating and Regulating Cross-Border Data Transfer (“CBDT Provisions”) apply, exporting PI offshore, or allowing persons outside mainland China to access PI stored within mainland China, is subject to the following procedural requirements:
(a) Security Assessment: If certain conditions or thresholds are met, a security assessment process must be carried out in coordination with the Cyberspace Administration of China (“CAC”).
(b) Standard Contract: Executing standard (a.k.a. “model”) contracts with all overseas recipients of PI and filing such contracts with the CAC is generally required.
(c) PI Protection Certification: An alternative to standard contracts, in certain circumstances, is to pass a PI protection certification process.
These obligations, collectively referred to as the “CBDT Procedural Requirements”, are subject to specific triggering conditions and thresholds as detailed below.
4. Exemptions from CBDT Procedural Requirements
On 22 March 2024, the CAC issued the CBDT Provisions, which have significantly altered the regulatory landscape for cross-border data transfers in China. Under the CBDT Provisions, certain cross-border data transfers are now exempt from the CBDT Procedural Requirements (“Exemptions”), including:
(a) Contractual Necessity: Exporting PI necessary for the conclusion or performance of a contract to which the PI subject is a party (e.g., cross-border shopping, deliveries, payments, bank account opening, ticket and hotel bookings, visa applications, examination services).
(b) HR Management: Exporting PI of employees for purposes of implementing HR management functions, in accordance with employment policies and collective labor contracts.
(c) Emergency Protection: Exporting PI for protecting individuals’ life, health, or property security in emergency situations.
(d) Small-Scale Non-Sensitive PI: Exporting non-sensitive PI of no more than 100,000 individuals (on a cumulative basis), by a data handler who is not an operator of critical information infrastructure (“CIIO”), over the period since January 1 of the year in which the data export is done.
(e) PI Collected Outside Mainland China: Exporting PI that is collected or generated outside mainland China, provided no “important data” or PI collected/generated in mainland China is included.
(f) Non-PI in International Activities: Exporting non-PI collected or generated in international trade, cross-border shipping, academic cooperation, cross-border manufacturing and marketing, or other specified activities, unless the data is classified as “important data” or other specially protected data (e.g., state secrets).
Additionally, the CBDT Provisions empower free trade zones (“FTZs”) in China to develop their own negative lists specifying data types subject to the CBDT Procedural Requirements. For data handlers domiciled in an FTZ, only the export of data types listed in that FTZ’s negative list will trigger the CBDT Procedural Requirements.
5. Security Assessments
Under the current cross-border data transfer regime, if none of the Exemptions apply, data handlers may be obligated to undergo a formal “security assessment” with the CAC if any of the following thresholds are met:
(a) CIIOs: A CIIO data handler transfers any PI or “important data” offshore.
(b) Important Data: A non-CIIO data handler exports “important data” offshore.
(c) Large-Scale Non-Sensitive PI: A non-CIIO data handler exports, on a cumulative basis, the PI (excluding sensitive PI) of over 1 million individuals since January 1 of the year in which the data export is done.
(d) Large-Scale Sensitive PI: A non-CIIO data handler exports, on a cumulative basis, the sensitive PI of over 10,000 individuals since January 1 of the year in which the data export is done.
It is important to note that even if the above conditions or thresholds are triggered, transfers that qualify for an Exemption under the CBDT Provisions are not required to undergo a security assessment.
6. Standard Contracts or PI Protection Certification
Data handlers are required to execute and file standard contracts with the CAC, or obtain PI protection certification, under the following circumstances, unless the transfer falls within an Exemption:
(a) A non-CIIO data handler seeks to transfer offshore, on a cumulative basis, the PI (excluding sensitive PI) of more than 100,000 individuals but less than 1 million individuals in the period since January 1 of the year of the transfer.
(b) A non-CIIO data handler seeks to transfer offshore, on a cumulative basis, the sensitive PI of no more than 10,000 individuals in the period since January 1 of the year of the transfer.
7. Other General Regulatory Requirements for Cross-Border PI Transfers
Even when a data handler is not subject to the above CBDT Procedural Requirements, it must still adhere to general regulatory obligations for cross-border PI transfers. The key requirements include:
(a) Informed Separate Consent: Prior to any cross-border transfer of PI, data subjects must be informed of the foreign data recipient’s name and contact information, the purpose and manner of the transfer, the type of PI being processed, and the procedures for exercising rights under the PIPL with respect to the foreign recipient. Separate consent for the overseas transfer is also required; the standard consent originally obtained for collection, (onshore) processing, etc. is not sufficient on its own.
(b) Necessity of Transfer: Any PI transferred offshore must be directly related to the fulfillment of legitimate business functions associated with a particular product or service, and the volume of PI transferred should be proportionate for the relevant business or service purposes.
(c) Protection Measures: PI handlers are generally required to implement appropriate measures and policies to ensure that cross-border processing activities meet the PI protection standards mandated under PRC law, such as encryption and de-identification measures.