XL INSIGHTS+
Legal Alerts and News Updates

China Penalizes Dior for PIPL Violation

  • China’s Ministry of Public Security (“MPS”) penalized Dior Shanghai for breaching personal information protection obligations, following an investigation into a data breach incident.

  • MPS identified the following violations during the investigation: failure to implement a cross-border transfer mechanism; failure to fully inform data subjects about how their personal information would be handled by an overseas recipient; failure to obtain separate consent for cross-border transfer; and failure to implement technical measures such as encryption and de-identification.


On September 9, 2025, China’s Ministry of Public Security (“MPS”) announced that the local MPS had imposed penalties on Dior Shanghai for breaching personal information protection obligations, following an investigation into a data breach incident in May 2025 (“Announcement”).


Data Breach Incident Background


On May 12, 2025, Dior sent text messages to its Chinese customers to inform them of a data breach. According to the messages, Dior discovered on May 7, 2025 that unauthorized external parties had accessed portions of its customer data, and it subsequently reported the incident to the regulatory authority. The data breach was global, affecting customers across Europe, North America, and Asia.


Based on Dior’s internal investigation, the personal information potentially affected may include names, genders, mobile phone numbers, email addresses, mailing addresses, spending levels, preferences, and other details that customers may have provided to Dior.

Dior emphasized that the accessed database did not contain financial information such as bank account details, international bank account numbers (IBANs), or credit card information, and that customers' financial security was not directly compromised.


Violations Identified By the MPS


Subsequently, the MPS conducted an investigation into the incident. The MPS identified the following violations during the investigation:


  • Failure to implement a cross-border transfer mechanism, i.e., passing the security assessment conducted by the Cyberspace Administration of China (“CAC”), obtaining the personal information protection certification issued by CAC-approved agencies, or filing the standard contractual clauses (“SCCs”), before transferring the personal information to an overseas recipient (e.g., Dior France);

  • Failure to fully inform data subjects about how their personal information would be handled by overseas recipients, and failure to obtain separate consent for cross-border transfer; and

  • Failure to take technical measures such as encryption and de-identification.


Penalties Imposed By the MPS


According to the Announcement, the local MPS imposed penalties on Dior Shanghai in accordance with the PIPL; however, the Announcement does not disclose the type of penalties imposed. Under the PIPL, the MPS may issue a warning and an order requiring corrective action. If the violator does not comply with the corrective order, the MPS may impose organizational fines of up to RMB 1,000,000 and/or personal fines of up to RMB 100,000 on the individuals directly responsible for the violation.


Since the Announcement did not mention any serious violations or failure to comply with the corrective order, it is likely that the MPS only issued a warning and a corrective action order. Even if fines were imposed, the amount would likely be relatively small.


Implications for U.S. Higher Education Institutions


For U.S. institutions operating in China or handling the personal information of individuals in China, this case highlights the following:


a. Data Breach Notification and Reporting Obligations


The PIPL stipulates that if personal information has been, or is likely to be, leaked, tampered with or lost, the personal information handler must take remedial measures and notify the relevant regulatory authority. If the measures taken by the handler effectively prevent harm caused by the leakage, tampering or loss, the handler is not required to notify individuals. However, if the regulatory authority deems that harm may have been caused, it may require the handler to notify individuals.


In this case, Dior notified the affected individuals and reported to the regulatory authority. It is unclear whether Dior proactively notified individuals or was required to do so by the regulatory authority after reporting to it. However, as can be seen from the Announcement, Dior was not penalized for the data breach itself. Therefore, fulfilling notification and reporting obligations is crucial for handlers when a data breach occurs.


b. Cross-Border Transfer Requirements


Before transferring personal information outside China, handlers are required to:

i) fully inform individuals of the overseas recipient’s name and contact information, the purposes and means of handling personal information, the categories of personal information to be handled, and the methods and procedures for exercising their rights under the PIPL;

ii) obtain individuals’ separate consent for cross-border transfer;

iii) conduct a personal information impact assessment, and retain the personal information impact assessment report and records of personal information handling for at least three years; and

iv) comply with the cross-border transfer mechanism for the transfer of sensitive personal information or the transfer of non-sensitive personal information of 1-99,999 individuals per calendar year. (For example, transfer of non-sensitive personal information of at least 1,000,000 individuals or transfer of sensitive personal information of at least 10,000 individuals per calendar year requires a CAC security assessment; transfer of non-sensitive personal information of 100,000–999,999 individuals or transfer of sensitive personal information of 1-9,999 individuals per calendar year requires the filing of SCCs or personal information protection certification.)


c. Data Security Technical Measures


Article 51 of the PIPL stipulates that personal information handlers must implement technical security measures, such as encryption and de-identification. While fulfilling this requirement should not be particularly challenging, the Dior case shows that many organizations still overlook it, failing to promptly encrypt and de-identify the data they collect. The case is an important reminder that handlers need to implement suitable security measures at every stage of the data lifecycle: collection, storage, transmission and deletion.


d. Civil Claims Risk


In this case, Dior was penalized by the MPS. In addition to administrative penalties, individuals whose PIPL rights have been infringed may file a civil lawsuit against the handler in question. According to Article 69 of the PIPL, if the handling of personal information infringes upon the rights and interests of the data subject and causes damage, the handler must assume liability for the damage caused unless it can prove that it is not at fault.


As always, we recommend that U.S. higher education institutions whose education activities are subject to the PIPL systematically preserve records of compliance decisions, risk assessment reports, informed consents and other relevant documentation. By establishing standardized documentation practices, handlers can ensure the traceability of daily operations and demonstrate fulfillment of PIPL obligations during regulatory investigations or civil claims proceedings.



© 2024 XL Law & Consulting P.A.