Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.

One of the most challenging aspects of being a privacy professional in China is managing operations when enforcement actions reveal new compliance expectations. The criteria for implementing China-specific compliance mechanisms diverge significantly from those governing global data processing practices; the Dior case provides an excellent example.

In September 2025, Chinese authorities penalized Dior's Shanghai subsidiary for three critical Personal Information Protection Law violations discovered through a data breach investigation: unauthorized cross-border data transfers, inadequate user consent practices, and insufficient technical security measures.

While data breaches are common, this case demonstrates how regulatory investigations can uncover broader compliance failures requiring changes across privacy programs. These violations also provide a clear operational road map for immediately updating privacy programs to meet Chinese regulatory expectations.

The investigation

Under Article 38 of PIPL, organizations must implement one of three legally mandated mechanisms for cross-border personal information transfers: pass a Cyberspace Administration of China security assessment, obtain approved certification, or enter into standard contractual agreements. The CAC found Dior allegedly transferred customer data to France without completing any of these required processes.

Additionally, the PIPL requires separate consent for overseas data transfers — meaning organizations cannot rely on broad privacy policies but must implement granular consent mechanisms that specifically address cross-border transfers.

Regulatory landscape evolution and international impact

Since May 2025, only companies that process more than 1 million individuals' data face mandatory audits every two years, with smaller organizations audited every three to five years. Considering Dior’s alleged PIPL violations, it is possible that Chinese regulators may launch industry-wide enforcement campaigns using data breach investigations as compliance review triggers.

Organizations should brace for randomized spot-check audits targeting the three areas of cross-border transfer mechanisms, consent practices and technical security measures.

What stands out most is that the Dior case makes clear that Chinese operations demand substantial investment in local infrastructure, dedicated privacy officers, and a separate governance framework.

Comprehensive PIPL compliance strategy and implementation

China's enforcement provides a compliance road map for other organizations. By implementing proactive frameworks, companies can significantly reduce regulatory risks while building resilient data governance that supports sustainable business growth and respects users’ rights.

Organizations must start with comprehensive data classification identifying all personal information processing activities, distinguishing between general and sensitive data, and assessing the necessity of cross-border transfers. Companies should then select appropriate transfer mechanisms: CAC security assessment for large-scale transfers, standard contractual clauses for medium-scale operations, or the certification pathway for third-party verified practices. Simultaneously, they must implement the technical safeguards Dior failed to deploy — security measures including encryption, access controls, data minimization, and audit trails alongside granular consent mechanisms that specifically address cross-border transfers with clear recipient identification and withdrawal options.

It is also important to stress that organizations must maintain all the relevant documentation, staff training, and established regulatory response procedures while C-suite executives appoint qualified data protection officers and establish cross-functional privacy committees with board-level oversight.

This integrated approach transforms compliance from a reactive necessity into a strategic competitive advantage that anticipates regulatory expectations and supports long-term operational resilience in China's evolving privacy landscape.

Conclusion

The Dior enforcement action offers privacy professionals a rare glimpse into Chinese regulatory priorities in practice. Rather than treating this infraction as an isolated incident, organizations should view it as a preview of coming scrutiny across all China-facing operations.

The enforcement landscape in China is entering a new phase where breach notifications can trigger comprehensive compliance audits. Chinese regulators have demonstrated they will use individual cases to establish broader enforcement patterns. The Dior violations likely represent the compliance areas that will receive heightened scrutiny across sectors. Privacy professionals who recognize these patterns and adjust their programs accordingly will navigate China's regulatory environment more successfully than those who wait for direct regulatory guidance.

Marco Gervasi, AIGP, CIPP/E, CIPM, FIP, is a partner at The Red Synergy.