China Issues First Administrative Penalty for Unlawful Cross Border Transfer of Personal Information

Dacheng

[co-author: Ken Dai]

On September 9, 2025, China announced a landmark administrative penalty against Dior (Shanghai) over unlawful cross-border transfers of personal information, the primary violation being the failure to satisfy a regulatory mechanism before the cross-border data transfer (“CBDT”). The action followed a May 2025 data leak affecting users in Mainland China and a subsequent investigation by the local Public Security Bureau. According to official reports, Dior (Shanghai) was penalized on three grounds:

  • Unlawful Cross-border Personal Information (“PI”) Transfers: Users’ PI was transferred to Dior’s French headquarters without completing any of the legally required transfer mechanisms (i.e., security assessment notification, standard contract (“SCC”) filing, or PI protection certification).
  • Insufficient Transparency & Consent: Prior to transferring PI overseas, Dior (Shanghai) did not adequately inform users of the overseas recipient’s processing practices and did not obtain separate consent.
  • Inadequate Security Controls: The company failed to implement technical safeguards such as encryption or de-identification for the PI it collected.

According to China’s Personal Information Protection Law (“PIPL”), which came into effect on November 1, 2021, and Data Security Law (“DSL”), which came into effect on September 1, 2021, an outbound transfer of PI or important data triggers one of three regulatory mechanisms unless an exemption condition is met:

  • Security Assessment Notification: Submit an assessment application to the Cyberspace Administration of China (“CAC”) and obtain clearance.
  • SCC Filing: File the Standard Contract, together with the PI Protection Impact Assessment (“PIPIA”) report, with the provincial-level Cyberspace Administration within 10 working days after signing the contract.
  • PI Protection Certification: Apply for and obtain PI Protection Certification from the China Cybersecurity Review Certification and Market Regulation Big Data Center, under the State Administration for Market Regulation.

Since then, China has enacted numerous regulations and supporting rules specifying the requirements under the three mechanisms. Among them, the Measures on Security Assessment of Cross-Border Data Transfers, which took effect on September 1, 2022, provided a six-month grace period for rectification and compliance. Likewise, the Measures on Standard Contract for Outbound Transfer of Personal Information, which took effect on June 1, 2023, required undertakings to achieve compliance by November 30, 2023. However, before the Dior case, no other unlawful CBDT cases had been announced by the CAC or any other Chinese authority in the past 2 to 3 years.

Since China’s authorities are now actively enforcing CBDT rules, multinational companies should re-validate their CBDT compliance posture now and align their transfer mechanisms with the Chinese regulatory approaches before an incident puts them under the same spotlight as Dior. Here are the steps to determine whether a CBDT activity is regulated by the CAC framework:

(Notes: “CIIO” refers to Critical Information Infrastructure Operator, “SPI” refers to Sensitive Personal Information)

Additionally, while the CAC is central to China’s CBDT governance, the public security authorities and other authorities such as industry regulatory departments can and do enforce CBDT rules—especially where incident response or industrial influence is implicated.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Dacheng
