In May of this year, French luxury fashion brand Dior (迪奥) suffered a data breach that caught the eye of investigators. The fallout is that Dior’s Shanghai subsidiary has become the first foreign brand to be prosecuted under China’s Personal Information Protection Law (PIPL).
For years, the PIPL was seen as a vague threat, not a real one – as much of an administrative hurdle as anything. Dior’s prosecution demonstrates that China is prepared to enforce the law to protect its citizens’ data. The message for foreign brands operating in China is clear: take notice.

The brand has attracted negative press in recent years over accusations of racism and an offensive portrayal of a Chinese model. But what got Dior prosecuted? May’s leaks exposed three violations:
- Illegal transfer of user data to a foreign country without security assessments, certification of data protection, or signing contracts for personal data export.
- Not obtaining consent from users to handle their data overseas, or informing them that it might actually end up overseas.
- Not taking satisfactory security measures like encryption or de-identification of users’ personal data.

China’s PIPL came into effect in November 2021, and even now, there’s still a fair amount of ambiguity around the details. In certain free-trade zones such as Shanghai, some of the rules don’t apply the same way they would in the rest of China. However, that didn’t stop Dior’s China subsidiary, based in Shanghai, from falling afoul of the law.
Reuters reported that the auto sector is particularly keen for clarity. This is because much of the race to develop the next generation of Inter Connected Vehicles, or ICVs, involves collecting large amounts of real-world data and using that information to tweak designs.
Dior being prosecuted highlights that compliance with China’s PIPL is no longer just a box-ticking legal exercise but a fundamental operational challenge. Multinational firms may be forced to make costly and complex changes to remain legit.
For luxury retailers in particular, the stakes are high: data breaches like Dior’s damage the aura of exclusivity and trust that their brand value depends upon. With no small number of foreign firms handling sensitive personal data in China, Dior’s prosecution could well be a warning shot.