What Dior’s Shanghai Data Breach Reveals About China’s Personal Information Protection Law

According to the National Cybersecurity Reporting Center, multiple media outlets reported in May that the French fashion brand Dior suffered a data breach, and users in mainland China began receiving official warning messages from Dior. In response, public security and cybersecurity authorities launched an administrative investigation of Dior (Shanghai) Co., Ltd.

The investigation found three violations:

Failure to conduct a data‑outbound security assessment, establish a personal information outbound standard contract, or obtain personal information protection certification, resulting in illegal transmission of user personal information to Dior’s headquarters in France.

Before providing user personal information to Dior’s headquarters, the company did not fully inform users of the overseas recipient’s processing methods nor obtain separate user consent.

Failure to apply security technical measures such as encryption or de‑identification to the collected personal information.

Based on the Personal Information Protection Law, the local public security authority imposed administrative penalties on Dior (Shanghai) Co., Ltd.

Security tip: Citizens’ personal information is protected by law. Data processors should learn from this case, adhere to the principles of legality, legitimacy, necessity, and integrity, and implement the provisions of the Personal Information Protection Law regarding cross‑border data provision, ensuring proper handling throughout the data lifecycle.

*Source: CCTV News