A case study in China privacy operations: The Dior wake-up call


Contributors:
Marco Gervasi
AIGP, CIPP/E, CIPM, FIP
Partner
The Red Synergy
Editor's note: The IAPP is policy neutral. We publish contributed opinion and analysis pieces to enable our members to hear a broad spectrum of views in our domains.
One of the most challenging aspects of being a privacy professional in China is managing operations when enforcement actions reveal new compliance expectations. The criteria for implementing China-specific compliance mechanisms diverge significantly from those governing global data processing practices; the Dior case provides an excellent example.
In September 2025, Chinese authorities penalized Dior's Shanghai subsidiary for three critical Personal Information Protection Law violations discovered through a data breach investigation: unauthorized cross-border data transfers, inadequate user consent practices, and insufficient technical security measures.
While data breaches are common, this case demonstrates how regulatory investigations can uncover broader compliance failures requiring changes across privacy programs. These violations also provide a clear operational road map for immediately updating privacy programs to meet Chinese regulatory expectations.
The investigation
Under Article 38 of PIPL, organizations must implement one of three legally mandated mechanisms for cross-border personal information transfers: pass a Cyberspace Administration of China security assessment, obtain approved certification, or enter into standard contractual agreements. The CAC found Dior allegedly transferred customer data to France without completing any of these required processes.
Additionally, the PIPL requires separate consent for overseas data transfers — meaning organizations cannot rely on broad privacy policies but must implement granular consent mechanisms that specifically address cross-border transfers.
Regulatory landscape evolution and international impact
Since May 2025, only companies that process more than 10 million individuals' data face mandatory audits every two years, with smaller organizations audited every three to five years. Considering Dior’s alleged PIPL violations, it is possible that Chinese regulators may launch industry-wide enforcement campaigns using data breach investigations as compliance review triggers.