How Did Dior Violate China’s Personal Information Protection Law? Lessons from the PIPL Probe

Written by Arendse Huld | Reading time: 6 minutes

A recent investigation into Dior revealed that the company mishandled personal information by transferring customer data overseas without proper consent or safeguards, resulting in penalties. The case underscores critical lessons for businesses on cross-border data compliance, informed consent, and the importance of strong security measures to protect customer data. We examine how Dior fell afoul of China’s Personal Information Protection Law (PIPL) and discuss the broader implications of Dior’s PIPL violations.


On September 9, 2025, the National Cybersecurity Notification Center published the results of an investigation into violations of China’s Personal Information Protection Law (PIPL) by French fashion giant Dior.

The investigation was launched after a data breach in May 2025, in which an unauthorized individual accessed Dior’s Chinese customers’ names, gender, phone numbers, email addresses, postal addresses, purchase values, shopping preferences, and other personal information. 

Regulators concluded that Dior had illegally transferred personal information to its headquarters in France without complying with the procedures required for cross-border data transfers under the PIPL. In addition, the company failed to obtain informed, separate consent from users and neglected to implement appropriate data security safeguards such as encryption and de-identification. 

As a result of the violations, local public security authorities imposed undisclosed administrative penalties on Dior’s Shanghai subsidiary. 

In this article, we analyze which provisions of the PIPL Dior violated to glean key compliance lessons for companies in China.


What happened? 

On May 7, 2025, Chinese media reported that Dior had experienced a significant data breach. The leaked dataset contained customer identities, contact information, addresses, and purchase histories, including detailed preferences and spending values. 

In response, Dior sent text messages to affected customers, urging them to be vigilant about suspicious phone calls, text messages, or emails and warning them not to click on links from unknown senders. The company stated that it had contained the breach with the assistance of cybersecurity experts, notified relevant supervisory authorities, and launched an internal investigation. 

Customer service representatives confirmed to reporters that Dior had acted quickly to secure its systems once the breach was detected. However, the incident prompted the cybersecurity department of the public security bureau to initiate an administrative investigation into Dior’s Shanghai subsidiary, which ultimately uncovered multiple violations of the PIPL. 

What did Dior do wrong? 

The investigation identified three major violations of China’s personal information protection rules.

1. Violation of data export rules

The first violation concerned Dior’s cross-border transfer of personal information. The investigation found that Dior had illegally transferred personal information of customers to its headquarters in France without undergoing the requisite compliance procedures.

Under Article 38 of the PIPL, companies that wish to export a certain volume of personal information outside of China are required to undergo one of three compliance procedures: a data export security assessment conducted by the Cyberspace Administration of China (CAC), signing a standard contract with the overseas recipient of the personal information, or obtaining personal information protection certification from a third-party institution.

Which compliance procedure applies depends on the volume of personal information handled by the company, as well as the volume it intends to export. 

Under the current rules, a company must undergo a security assessment by the CAC – the highest bar of compliance – if it meets any of the following criteria: 

  • The company exports “important data” overseas;
  • The company is a critical information infrastructure operator (CIIO) or is a company that handles the personal information of more than one million people, and exports personal information overseas;
  • The company has exported the personal information of more than one million people or the “sensitive” personal information of more than 10,000 people since January 1 of the current year and provides personal information overseas; and
  • Other situations that require a security assessment stipulated by the CAC.

Companies that are not CIIOs, but that have exported the personal information (excluding sensitive personal information) of over 100,000 individuals but less than one million individuals, or the sensitive personal information of less than 10,000 individuals, since January 1 of the current year, can either enter into a standard contract or obtain personal information protection certification from a third-party institution. 

Given Dior’s significant footprint in China, with more than 60 stores, it is highly likely that the company surpassed the thresholds requiring a CAC security assessment. Dior’s transfer of Chinese customer data to France without any of these procedures therefore constituted a direct violation of Article 38.
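The threshold rules above interact, so it helps to see them as one decision procedure. The following Python snippet is an added example (not from the article, the regulator, or Dior) that applies the criteria exactly as the article states them; the `ExportProfile` fields, the outcome labels, and the Dior-like volumes are assumptions, and the article does not say which mechanism, if any, applies below the volumes it lists.

```python
from dataclasses import dataclass

# Outcomes named after the mechanisms the article describes under Article 38.
SECURITY_ASSESSMENT = "CAC data export security assessment"
CONTRACT_OR_CERT = "standard contract or third-party PI protection certification"
BELOW_LISTED_THRESHOLDS = "below the volumes the article lists (no mechanism stated)"

@dataclass
class ExportProfile:
    exports_important_data: bool
    is_ciio: bool
    individuals_handled: int        # people whose PI the company handles overall
    general_exported_ytd: int       # people whose non-sensitive PI was exported since 1 Jan
    sensitive_exported_ytd: int     # people whose sensitive PI was exported since 1 Jan

def required_mechanism(p: ExportProfile) -> str:
    """Apply the article's criteria, highest bar first. Boundary values follow the
    article's wording ('more than', 'over', 'less than') exactly."""
    exports_pi = p.general_exported_ytd > 0 or p.sensitive_exported_ytd > 0
    if p.exports_important_data:
        return SECURITY_ASSESSMENT
    if exports_pi and (p.is_ciio or p.individuals_handled > 1_000_000):
        return SECURITY_ASSESSMENT
    if p.general_exported_ytd > 1_000_000 or p.sensitive_exported_ytd > 10_000:
        return SECURITY_ASSESSMENT
    if not p.is_ciio and (100_000 < p.general_exported_ytd < 1_000_000
                          or 0 < p.sensitive_exported_ytd < 10_000):
        return CONTRACT_OR_CERT
    return BELOW_LISTED_THRESHOLDS

# Constructed profile matching the article's description of Dior: a large non-CIIO
# retailer sending customer data to its French HQ. The volumes are assumptions,
# not reported figures.
DIOR_LIKE = ExportProfile(exports_important_data=False, is_ciio=False,
                          individuals_handled=2_500_000, general_exported_ytd=800_000,
                          sensitive_exported_ytd=0)
```

Run against an inventory of actual data flows, the function makes it obvious that a retailer holding more than one million customer records needs the CAC assessment as soon as it exports any of them, regardless of the exported volume.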

2. Failure to obtain informed and separate consent

Another one of Dior’s PIPL violations related to informed consent. Dior did not notify users of the details of its overseas transfers or obtain their separate consent.

Article 39 of the PIPL requires personal information processors exporting personal information outside of China to inform the owners of the personal information of the name or personal name of the overseas recipient, their contact information, the purposes and methods of processing, the categories of personal information involved, and the ways and procedures for individuals to exercise the rights provided under the PIPL with the overseas recipient. The processor must also obtain the individuals’ separate consent to export their personal information.

Dior did not disclose to users that their information would be transferred to France, did not identify the recipient, and did not provide information about processing methods or user rights. Crucially, it failed to seek “separate consent”, a higher threshold than ordinary consent, which must be given independently and explicitly for sensitive operations such as cross-border transfers. 

Consent Management Requirements Under the PIPL

Circumstance                                          Consent requirement
Processing general personal information               Yes, with limited exceptions permitted by law
Processing sensitive personal information             Yes, separate consent is required
Providing personal information to other processors    Yes, separate consent is required
Providing personal information to overseas parties    Yes, separate consent is required

3. Failure to implement adequate security measures

The last of Dior’s PIPL violations concerned its data security practices. The investigation concluded that Dior had not implemented appropriate technical and organizational measures to protect customer data, leading to the breach.

Under Article 51 of the PIPL, personal information processors are obligated to implement appropriate technical measures to prevent unauthorized access to personal information, as well as the leakage, alteration, or loss of personal information. This includes “appropriate security technical measures such as encryption and de-identification”. 

The investigation found that Dior failed to adopt safeguards such as encryption and de-identification, leaving customer records vulnerable to unauthorized access. The breach itself demonstrated the inadequacy of Dior’s internal controls and security measures, constituting a violation of Article 51. 
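To make the Article 51 measures concrete, here is an added Python example (not from the article or from Dior) of de-identification applied to a record with the field types the article says were exposed: direct identifiers are replaced with keyed tokens, the address is reduced to a city, and spend is bucketed before the row leaves the system of record. The sample record and the key are constructed for the demo; the function and field names are assumptions.

```python
import hashlib
import hmac

# Constructed sample record with the field types the article says were exposed.
SAMPLE_RECORD = {
    "name": "Zhang San",
    "gender": "F",
    "phone": "+86 138 0000 0000",
    "email": "zhang.san@example.com",
    "address": "Room 501, 88 Nanjing Road, Huangpu District, Shanghai",
    "purchase_value_rmb": 18600,
    "preferences": ["handbags", "fragrance"],
}

# Hypothetical key for the demo; a real key would live in a KMS/HSM inside China,
# so tokens shared with an overseas recipient cannot be reversed there.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed, deterministic token: same identifier -> same token, not reversible without the key."""
    normalized = value.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]

def bucket_purchase_value(rmb: int) -> str:
    """Coarsen spend into bands so the exact value no longer singles out an individual."""
    for upper, label in ((1_000, "<1k"), (10_000, "1k-10k"), (50_000, "10k-50k")):
        if rmb < upper:
            return label
    return ">=50k"

def deidentify(record: dict, key: bytes) -> dict:
    """Minimized view for analytics: direct identifiers dropped or tokenized,
    address reduced to city, spend bucketed, shopping preferences kept."""
    city = record["address"].split(",")[-1].strip()
    return {
        "customer_token": pseudonymize(record["phone"], key),
        "gender": record["gender"],
        "city": city,
        "purchase_band": bucket_purchase_value(record["purchase_value_rmb"]),
        "preferences": list(record["preferences"]),
    }

def leaks_direct_identifier(deid: dict, original: dict) -> bool:
    """Release gate: true if any raw identifier from the source row survives."""
    blob = repr(deid).lower()
    return any(str(original[f]).lower() in blob for f in ("name", "phone", "email", "address"))
```

De-identification of this kind limits what an intruder obtains from the analytics copy; the raw records still need encryption at rest and access controls in the system that holds them.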

What did Dior do right? 

While Dior’s PIPL violations were serious, it did comply with its obligations once the breach occurred. Article 57 of the PIPL requires companies to take immediate remedial measures and notify both the competent authorities and, where harm is possible, the individuals affected.

This includes notifying affected individuals of the types of personal information leaked, altered, or lost, the causes and possible harm, the remedial measures taken by the personal information processor, the measures individuals may adopt to mitigate harm, and the contact information of the personal information processor.

Dior fulfilled this duty by promptly reporting the incident to regulators and sending text messages to customers notifying them of the types of personal information that were implicated in the breach and advising them on preventive measures. It also engaged external cybersecurity experts to contain the breach and initiated an internal investigation. 

Penalties under the PIPL 

Although Dior’s penalty was not disclosed, and no financial penalty appears to have been given in this case, companies found to be in violation of the PIPL could face fines of up to RMB 50 million (US$7 million) for serious cases. 

For ordinary violations, regulators may order rectification, issue warnings, confiscate illegal gains, and impose fines of up to RMB 1 million (US$140,772). Responsible personnel may also be fined between RMB 10,000 (US$1,407) and RMB 100,000 (US$14,077). 

For serious violations, fines may reach up to RMB 50 million or 5 percent of annual turnover, and regulators may suspend business, revoke licenses, or impose bans on responsible individuals, including fines of up to RMB 1 million and disqualification from management roles. 

Key takeaways

Dior’s PIPL violations show how a single security incident can trigger a broader compliance investigation that uncovers multiple regulatory breaches. Even though Dior fulfilled its duty to report the leak, this was not enough to offset its underlying issues. Under the PIPL, failing to implement adequate protections, with a leak or unauthorized disclosure as the result, is in itself illegal, even if the company later takes appropriate steps to mitigate the impact.

The case also underscores the importance of reporting obligations. Companies are required by law to notify both regulators and, in some cases, users when a data breach occurs. Even if they are uncertain about whether their systems are fully compliant, it is still important that they do so, as it not only fulfills a legal obligation but also allows regulators to uncover and clarify compliance gaps. Conversely, attempts to cover up a breach or reluctance to cooperate or rectify issues promptly can result in heavier penalties. 

The investigation into Dior also illustrates how noncompliance in one area can expose weaknesses elsewhere. What began as a review of the company’s inadequate data security practices quickly uncovered violations in cross-border transfer procedures and consent requirements. In this way, security weaknesses expose companies not only to attackers but also to government probes.

Finally, while swift action in the wake of a breach is important, prevention remains the most critical defense. Once a breach occurs, reputational harm and regulatory scrutiny are almost inevitable. The only way to avoid these risks is to design compliance and security measures into every stage of the personal information lifecycle, from collection and storage to processing and transfer. 

For companies operating in China, every aspect of personal information handling must align with legal requirements. Businesses are advised to ensure that all relevant staff are aware of the company’s personal information protection obligations, which will require training on data protection rules and compliance. Smaller companies in particular may find it easier to outsource aspects of compliance work to specialized providers in order to ease the additional administrative burden.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.
