- Introduction
On 9 September 2025, the National Cybersecurity Notification Centre (Guojia wangluo anquan tongbao zhongxin 国家网络安全通报中心) announced that public security cyber departments had sanctioned Dior (Shanghai) for three distinct violations of the Personal Information Protection Law (PIPL) in connection with the cross-border transfer of Chinese consumers’ personal data. The penalty followed a data breach disclosed by the brand on 12 May 2025, when unauthorised third parties accessed customer records – including names, gender, phone numbers, email addresses, postal addresses, spending amounts, and purchasing preferences – held by the company without any de-identification safeguards in place.
The Dior case is not an isolated episode. In June and July 2025, Cartier and Louis Vuitton also experienced customer data leaks in China and Hong Kong S.A.R. Yet it is the Dior sanction that carries the most instructive legal significance, because it crystallises three separate regulatory failures in a single enforcement action. From a comparative law standpoint, the case exposes a structural asymmetry that multinational corporations operating across the EU and China routinely underestimate: GDPR compliance does not, and cannot, serve as a proxy for PIPL compliance. The two regimes share a superficial resemblance (Kam, 2025) – both regulate cross-border data flows, both require a lawful basis for processing, both impose security obligations – but they diverge on the institutional (Lee, 2022) and procedural architecture that governs each of these pillars. This case marks the boundary.
- Cross-Border Transfer Under Scrutiny
The first violation concerned Dior’s transfer of Chinese consumer data to its headquarters in France without completing any of the lawful transfer mechanisms prescribed by Article 38 of the PIPL. Under this provision, a personal information processor that needs to export data outside the PRC must satisfy at least one of three conditions: (i) pass a security assessment organised by the Cyberspace Administration of China (CAC); (ii) obtain personal information protection certification from a qualified professional body; or (iii) enter into a Standard Contract for Personal Information Outbound Transfers (SCCs) with the overseas recipient (Guo and Li, 2025). According to China’s Internet watchdog, Dior did none of the above (Weixin, 2025).
For European-headquartered groups, this finding has far-reaching implications. Intra-group transfers of customer data – the routine flow from a local subsidiary to the parent company – are a standard operational feature in the luxury retail sector and are generally facilitated under GDPR Chapter V through adequacy decisions, binding corporate rules, or standard contractual clauses. The assumption that a similar mechanism can be replicated in China on the strength of an existing global privacy policy is demonstrably wrong. The PIPL’s transfer pathways are procedurally autonomous and do not recognise foreign-law equivalencies, however robust. The Guangzhou Internet Court underscored this principle in a landmark 2023 ruling – the first Chinese judicial decision on cross-border personal information transfers – where a French-headquartered international hotel group was held liable for exporting customer data to multiple jurisdictions on the basis of a GDPR-aligned privacy charter, which the court found to be incompatible with the PIPL’s requirements.
The regulatory threshold matters. Under the 2024 Provisions on Promoting and Regulating Cross-Border Data Flow, which significantly relaxed the earlier regime, non-critical information infrastructure operators transferring between 100,000 and one million individuals’ non-sensitive personal information in a given calendar year may use Personal Information Export Standard Contracts (PIESCs) or certification, while those exceeding the one-million threshold must still undergo a CAC security assessment. Although the public sanction does not disclose the volume of Dior’s data transfers, the fact that the company had undertaken no transfer mechanism whatsoever indicates not a borderline failure but a complete absence of compliance infrastructure.
It is also worth noting that the April 2025 Q&A on Cross-Border Data Transfer Policies by the CAC clarified that «general data not involving personal information or important data may flow freely across borders». The corollary is unambiguous: personal information cannot.
- Separate Consent as a Pillar of the PIPL
The second violation strikes at the heart of the PIPL’s consent architecture. Article 39 requires that, prior to any cross-border provision of personal information, the data processor must inform the data subject of specific matters – including the identity of the overseas recipient, the purpose and method of processing, and the types of personal information involved – and must obtain the individual’s separate consent (dandu tongyi 单独同意). Dior failed on both counts.
The concept of separate consent under the PIPL occupies a fundamentally different position from the notion of consent under the GDPR (Zhang, 2025). In the EU framework, consent is one of several co-equal legal bases for processing, and the controller may rely on contractual necessity or legitimate interest as alternative grounds without seeking consent at all. Under the PIPL, however, separate consent for cross-border transfers is not merely a legal basis, but an additional, cumulative procedural requirement that must be satisfied regardless of the primary basis for processing. Article 13 of the PIPL lists the general legal bases, but Article 39 imposes a distinct obligation for data export scenarios.
The Guangzhou Internet Court’s 2023 ruling – affirmed in 2024 by the Guangzhou Intermediate People’s Court – clarified the operational boundary of this requirement with force. The court held that a blanket «tick-the-box» acceptance of a bundled privacy charter, which described overseas recipients vaguely as «group personnel and departments in several countries, business partners, and marketing personnel», could not constitute valid separate consent. The privacy policy failed the transparency standard because it did not disclose the specific recipients or the jurisdictions to which data would be transferred in a clear, accurate, and complete manner. The court further specified that separate consent requires a specific and clear authorization for a particular processing activity and cannot be effectively subsumed within a single, all-encompassing privacy agreement.
For luxury brands accustomed to deploying a unified global Terms and Conditions document at the point of sale – whether in-store or through mobile applications – the message is stark. The practice of bulk consent, whereby a customer accepts a comprehensive data processing notice in a single action, is not merely suboptimal in China: it is unlawful. Compliance demands a discrete, informed, and separately recorded act of authorisation for the specific purpose of cross-border transfer.
- Security Standards and Cybersecurity Architecture
The third violation concerns Dior’s failure to implement adequate technical security measures, specifically the absence of de-identification (qubiaoshihua 去标识化) and encryption (jiami 加密) protocols. Article 51 of the PIPL imposes on personal information processors a duty to adopt security measures including, among others, de-identification techniques that render data incapable of identifying a specific natural person without the use of additional information.
De-identification functions as a risk-mitigation layer: in the event of a breach, de-identified data is significantly less likely to cause identifiable harm to individuals, thereby reducing both the ethical and financial consequences of exposure. Dior’s breach occurred with no such safeguards in place. Customer names, phone numbers, email addresses, and consumption preferences were exposed in their raw, fully identifiable form.
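Added example, not from the page or from the company it discusses: one way to apply the de-identification measure Article 51 contemplates to the record categories named in the breach, replacing direct identifiers with keyed pseudonyms and coarsening spend into bands, so that re-identification requires the separately held key as the "additional information". The field names, spend thresholds and customer records are constructed for illustration.

```python
import hashlib
import hmac
import secrets

# Categories the breach exposed in raw form; these four directly identify a person.
DIRECT_IDENTIFIERS = ("name", "phone", "email", "postal_address")


def token(key: bytes, field: str, value: str) -> str:
    """Keyed pseudonym: same key and value give the same token, so records stay
    joinable for analytics, but the raw value cannot be recovered without the key."""
    msg = f"{field}\x00{value.strip().lower()}".encode("utf-8")
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:16]


def spend_band(amount_rmb: float) -> str:
    """Coarsen exact spending into bands (thresholds are constructed for this example)."""
    if amount_rmb < 10_000:
        return "under_10k"
    if amount_rmb < 100_000:
        return "10k_to_100k"
    return "over_100k"


def deidentify(record: dict, key: bytes) -> dict:
    """Tokenise direct identifiers, band the spend, keep non-identifying fields as-is."""
    out = {}
    for field, value in record.items():
        if field in DIRECT_IDENTIFIERS:
            out[field + "_token"] = token(key, field, str(value))
        elif field == "spend_rmb":
            out["spend_band"] = spend_band(float(value))
        else:
            out[field] = value
    return out


def leaks_identifier(original: dict, deidentified: dict) -> bool:
    """Check used before release: True if any raw direct identifier survives verbatim."""
    raw = {str(original[f]).lower() for f in DIRECT_IDENTIFIERS if f in original}
    return any(str(v).lower() in raw for v in deidentified.values())


# Constructed sample records, not real customer data (same person, two purchases).
SAMPLE = [
    {"name": "Li Hua", "gender": "F", "phone": "13800000000", "email": "li.hua@example.com",
     "postal_address": "1 Example Road, Shanghai", "spend_rmb": 86000, "preference": "handbags"},
    {"name": "Li Hua", "gender": "F", "phone": "13800000000", "email": "Li.Hua@example.com",
     "postal_address": "1 Example Road, Shanghai", "spend_rmb": 4200, "preference": "perfume"},
]

if __name__ == "__main__":
    key = secrets.token_bytes(32)  # kept apart from the dataset, e.g. in a KMS or HSM
    for rec in SAMPLE:
        print(deidentify(rec, key))
```

A breach of the tokenised dataset alone then exposes gender, spend band and preferences, but not who the customers are; the key must be protected and never stored alongside the data.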
The gravity of this failure is compounded by the nature of the data subjects involved. As high-net-worth consumers of luxury goods, Dior’s clientele represents a population at elevated risk of targeted fraud, social engineering, and identity theft. Although the disclosed data categories do not, individually, fall within the PIPL’s definition of «sensitive personal information», the Technical Requirements for the Security of Sensitive Personal Information Processing, effective from 1 November 2025, adopt a risk-based approach with Chinese characteristics: where the aggregation of ostensibly non-sensitive data points creates a risk profile capable of endangering individual dignity, safety, or financial security, the composite dataset may still be reclassified as sensitive. The aggregation of spending habits, personal contact information, and purchasing preferences, once cross-referenced with other available datasets, would very likely meet that threshold.
- Two Implications for the Global Luxury Market
The Dior sanction should be read not as a punitive anomaly but as the predictable consequence of a maturing regulatory regime. China’s data governance framework has entered what Chinese commentators have described as its «fit-out phase», following a period of rapid legislative production. The tripartite structure of the Cyber Security Law, Data Security Law, and PIPL – supplemented by the 2024 CBDF Provisions, the April and November 2025 Q&A, and the October 2025 Personal Information Protection Certification Measures – now constitutes a fully operational compliance system.
Two observations emerge for multinational fashion and luxury groups.
First, data localisation in the Chinese context is no longer merely a matter of server location. It requires the localisation of entire compliance strategies – from privacy impact assessments conducted under Chinese law, to the execution of PIESCs or certification processes with each overseas recipient, to the implementation of de-identification protocols that meet the standards of Chinese national technical specifications. A global privacy policy drafted under the GDPR, however comprehensive, cannot discharge these obligations. The Guangzhou Internet Court explicitly rejected the argument that compliance with international hotel business practices and GDPR standards could substitute for PIPL compliance. Thus, there is no reason to expect a different outcome for the luxury sector.
Second, the consequences of non-compliance are not confined to administrative penalties. The Guangzhou Internet Court’s 2024 ruling confirmed that individual consumers may bring tort claims under the Civil Code for violations of their right to be informed and their right to make autonomous decisions about their personal information, «without any precondition of having first exercised and been refused their rights under Chapter IV of the PIPL». The financial exposure is substantial: Article 66 of the PIPL authorises administrative fines of up to RMB 50 million or five per cent of the preceding year’s turnover, while private litigation may generate additional reputational and compensatory liabilities.
The luxury sector has long regarded its Chinese customer base as a strategic asset. It is time to extend the same regard to those customers’ personal data.