Case Background
In May of this year, Dior experienced a global customer data breach. On 12 May 2025, consumers worldwide, including those in China, received a text message from Dior informing them that on 7 May 2025, it was discovered that some consumer information had been accessed by unauthorized personnel. According to the text message that was exposed online, the affected information included names, genders, phone numbers, email addresses, and consumption levels and preferences, but did not include financial data such as bank account information.
The Cybersecurity Department of the Public Security Bureau took this matter very seriously and swiftly launched an administrative investigation into Dior’s subsidiary in Shanghai in accordance with the law. The investigation uncovered three violations:
1. The unauthorized transfer of user personal information to Dior's headquarters in France without satisfying any of the three legal routes for cross-border transfer: passing the security assessment of the Cyberspace Administration of China (“CAC”); obtaining certification from an approved institution; or entering into a data transfer agreement based on the standard contract formulated by the CAC;
2. Failure to obtain "separate consent" from users and fully inform them of the transfer of their personal information overseas; and
3. Lack of implementation of security measures such as personal information encryption and de-identification.
Possible Penalty
According to current reports, the local public security authorities have imposed administrative penalties on Dior’s subsidiary in Shanghai in accordance with the Personal Information Protection Law (“PIPL”), but the specific amount of the fine and the accompanying measures have not been disclosed.
Under Article 66 of the PIPL, if a company violates the provisions in processing personal information, or fails to perform the personal information protection obligations, the competent authority shall order the company to make corrections, issue a warning, confiscate any illegal gains, and order the suspension or termination of services for applications that process personal information in violation of the law.
If the company refuses to make corrections, a fine of up to RMB 1 million shall be imposed, and the persons directly in charge and other persons directly responsible shall be fined between RMB 10,000 and RMB 100,000.
In case of serious violations, the competent authority shall order the company to make corrections, confiscate any illegal gains, and impose a fine of up to RMB 50 million or up to 5% of the previous year's annual turnover; it may also order the suspension of the relevant business or a halt to operations for rectification, and notify the relevant competent authorities to revoke the relevant business permits or business licenses. The persons directly in charge and other persons directly responsible shall be fined between RMB 100,000 and RMB 1 million, and may also be prohibited from serving as directors, supervisors, senior management personnel, or personal information protection officers of relevant enterprises for a certain period of time.
Lessons Learned
This case is not merely a penalty for a "data breach". Rather, the breach prompted a further investigation that uncovered Dior's compliance shortcomings in cross-border data transfer, user consent, and data security, and those deficiencies became the direct grounds for the penalty. The necessity for proactive compliance is therefore clear.
Moreover, data breaches cannot be prevented absolutely, but a breach does not inevitably lead to a penalty. Beyond pre-emptive security measures, timely remedial action can typically mitigate, or even exempt a company from, administrative penalties. A targeted emergency response is therefore also crucial: this means having a well-prepared and effective emergency response plan in place beforehand, and actually implementing remedial measures after an incident.
In any case, this case marks the beginning of a significant trend in China towards administrative law enforcement against MNCs for non-compliant cross-border transfers of personal information. As regulatory scrutiny intensifies, it is imperative for companies to prioritize compliance and robust data protection practices.