China’s regulator issues first-ever penalty against a European company for violations related to cross-border data transfers
Today, China’s National Cyber and Information Security Information Notification Center, under the Ministry of Public Security, announced a penalty against French fashion brand Dior over a data breach incident. Notably, this marks the first time China has imposed an actual penalty on a foreign company for violations related to cross-border data transfers.
The Public Security Cybersecurity Department Lawfully Investigates and Penalizes Dior (Shanghai) for Failing to Fulfill Its Obligations on Personal Information Protection
In May of this year, multiple media outlets reported a data breach involving the French fashion and consumer brand Dior, with users in mainland China also receiving official warning text messages from Dior. In response, the public security cyber authorities organized an administrative investigation into Dior (Shanghai) Company in accordance with the law.
The investigation found three violations committed by Dior (Shanghai):
The company transmitted users’ personal information to Dior’s headquarters in France without conducting a security assessment for data export, signing a standard contract for cross-border transfer of personal information, or obtaining personal information protection certification.
Before providing users’ personal information to Dior’s headquarters in France, the company failed to fully inform users about how their personal information would be handled by the overseas recipient, and did not obtain users’ “separate consent.”
The company failed to adopt security technical measures such as encryption or de-identification for the personal information it collected.
In accordance with the Personal Information Protection Law, the local public security authority imposed administrative penalties on Dior (Shanghai).
Security Reminder: Citizens’ personal information is protected by law. Personal information processors should take this case as a warning, strictly follow the principles of lawfulness, legitimacy, necessity, and good faith, and implement the requirements of the Personal Information Protection Law regarding the processing and cross-border provision of personal information. They must regulate all activities across the full lifecycle of personal information—including collection, storage, use, processing, transmission, provision, disclosure, and deletion—to effectively safeguard the security of users’ personal information.
Subsequently, the Ministry of Public Security’s Cybersecurity Bureau reposted the notice on its official WeChat account.
This news has already circulated on Chinese social media, sparking discussions about whether it signals that the Chinese government is retaliating against European companies over GDPR compliance issues in the EU.
On May 12, 2025, Dior, a brand under the French luxury group LVMH SE, sent a text message to its Chinese customers, notifying them of a customer data breach. According to user feedback, the leaked information included customer names, gender, contact details, addresses, purchase amounts, and shopping preferences.
In my view, such concerns may be an overinterpretation of the Chinese government’s enforcement notice. If this were truly an act of retaliation, the penalty would not have been so light—you don’t even see mention of any fines or specific amounts in the notice. Most likely, this was just a warning, falling into the least severe category.
In fact, just a few days earlier, a Chinese company in Shanxi Province had been penalized over cross-border data transfer issues, drawing significant attention because it marked the first time Chinese regulators had taken actual enforcement action in this area.
Yunyan District Issues Warning and Penalty to Company Over Data Security Failures
On September 4, under the guidance of the Guiyang Municipal Cyberspace Administration, the Yunyan District Cyberspace Administration carried out a law enforcement action addressing a company in the district found to have engaged in irregular cross-border data transfers.
An investigation revealed that the company failed to strictly comply with national regulations on cross-border data transfers. Specifically, it had not fulfilled required security assessment and compliance review obligations, its internal cybersecurity training was insufficient, staff awareness of security responsibilities was weak, and devices with public IP connections had enabled cloud data synchronization features, creating risks during data transmission. The company has since disabled the relevant functions, and the incident did not result in serious consequences. Investigators also found that the company’s network equipment logs were stored for less than the required six months, another shortfall in cybersecurity responsibility.
Based on the Cybersecurity Law and the Data Security Law of the People’s Republic of China, the Yunyan District Cyberspace Administration imposed an administrative warning penalty and ordered rectification.
Officials emphasized that this enforcement action reflects the city- and district-level cyberspace authorities’ effort to strengthen a coordinated, tiered enforcement system, enhancing both the precision and authority of grassroots regulation. Going forward, the district office will continue focusing on data security, cybersecurity, and personal information protection, deepening cooperation with public security, market regulators, and other departments. Authorities pledged to intensify routine inspections and special investigations, maintain a “zero tolerance” stance toward violations, and ensure a safe, compliant, and orderly data environment to support Guiyang’s high-quality digital economy development.
By comparison, what is more worth watching is whether we will see more enforcement actions and penalties going forward as China's data export regulations continue to mature.