Update on China Data Privacy Enforcement: Recent Cross-Border Data Transfer Cases
In September 2025, Chinese regulators published two case studies discussing their enforcement of cross-border data transfer regulations. These cases provide insight into how China’s regulatory scheme is implemented in practice and may signal an increasing level of enforcement.
Shanghai Case Study
On September 9, 2025, China’s National Network and Information Security Report Center (the Center, 国家网络与信息安全信息通报中心) announced that it had closed an administrative investigation and taken legal action against the Shanghai subsidiary of a European luxury brand (Company A) for violating China’s Personal Information Protection Law (PIPL, 个人信息保护法) by illegally transferring personal information overseas.
The Center stated that the investigation of Company A followed a data breach discovered on May 7, 2025. Starting on May 12, 2025, Company A began voluntarily notifying customers in Mainland China that Company A had discovered unauthorized access to customer data by external parties. The data accessed included customers’ names, genders, phone numbers, email addresses, mailing addresses, purchase histories, preferences, and other information, but did not contain financial information such as bank account or credit card information. In the notification, Company A also stated that it had reported this data breach to the relevant government authorities.
In response to the breach, China’s Public Security (公安) and Cybersecurity (网安) departments conducted an investigation and found:
1. Illegal data transfer: Company A transferred personal information to its headquarters in France without conducting a Security Assessment (数据出境安全评估), signing Standard Contractual Clauses (SCC, 个人信息出境标准合同), or undergoing Personal Information Protection Certification (PIP Certification, 个人信息保护认证) as required for cross-border data transfer.
2. Failure to obtain separate consent for cross-border transfer: Before transferring users’ personal information abroad, Company A failed to adequately inform users how their personal information would be processed by the data recipient in France and did not obtain separate consent for the cross-border transfer.
3. Inadequate data protection measures: Company A failed to implement essential security measures, such as encryption or pseudonymization, to protect the personal information it collected.
Some aspects of this enforcement action remain unclear. For example, the case study does not indicate whether Company A never completed any of the three transfer mechanisms (security assessment, SCC filing, or PIP certification), or completed one of them but left the customer data out of its scope. The Center noted that the Shanghai police imposed administrative penalties on Company A in accordance with the PIPL, but did not disclose the specific penalties imposed.[1]
Guiyang Case Study
On September 4, 2025, the Cyberspace Administration of Yunyan District (云岩区互联网信息办公室) (Yunyan CA), Guiyang City, Guizhou Province, published information on an administrative enforcement action focusing on cross-border data transfer. The Yunyan CA disclosed that after investigation, a company in its jurisdiction (Company B) was found to have activated “cloud data” synchronization on its devices connected to public IP addresses, leading to potential security risks in data transfer. The Yunyan CA also found that Company B failed to (1) follow legal requirements regarding the security management of cross-border data transfers, (2) fulfill necessary security assessment and compliance review obligations, and (3) provide sufficient training to its employees on data security. Company B took timely remedial action by turning off the “cloud data” synchronization. As a result, the Yunyan CA issued an administrative warning and required Company B to make necessary corrections, in accordance with the Cybersecurity Law (网络安全法) and the Data Security Law (数据安全法).
As with the prior case study, many aspects of this enforcement action remain unclear. For example, the Yunyan CA did not disclose the size of Company B, the industry in which it operates, or the type of data that was synchronized.
Takeaways
To ensure that cross-border data transfers comply with regulatory requirements and protect personal information, companies should pay particular attention to the following key risk areas, which regulators frequently target:
- Companies must comply with relevant laws and regulations regarding cross-border data transfers, especially the guidance of the Cyberspace Administration of China (CAC, 国家互联网信息办公室) on the three main mechanisms for cross-border data transfer: Security Assessment, PIP Certification, and filing of SCCs. Our analysis of CAC’s recent guidance on cross-border data transfers can be found in our June 2025 Advisory.
- Under the PIPL, “consent” must be voluntary, informed, and unambiguous. Separate consent is required for cross-border transfer of personal information and generally must be specific, explicit, and obtained independently. Examples of proper and improper practices for obtaining separate consent under official guidelines[2] include:

| Proper Practice | Improper Practice |
|---|---|
| Checkbox is empty by default and the user must proactively tick it after clear notice. Consent text is in normal font size and color, clearly readable. | Consent checkbox for “processing personal data” is already ticked by default. Consent text is in very small grey font at the bottom of the page. |
| Separate consent options are set for each specific activity (e.g., cross-border data transfer, provision to third parties, facial recognition) and are chosen independently. | A single sentence, such as “I agree to the Privacy Policy,” covers multiple activities, including cross-border data transfer, third-party sharing, and biometric data use. |
| A separate pop-up or page explains the purpose, recipients, and risks of the data transfer and asks for explicit consent. | Consent for cross-border transfer is buried in general terms and conditions without specific explanation. |
| “Agree” and “Disagree” options are equally visible and accessible. | The “Agree” button is bright and eye-catching, while “Disagree” is faint and hard to notice. |
- A robust security framework must protect data not just from external attackers, but also from misuse by authorized users and other insiders. Examples of industry best practices, aligned with the PIPL’s “necessary measures” principle,[3] include:
  - Zero-trust architecture, which assumes no user or system is trusted by default, whether inside or outside the corporate network
  - The principle of least privilege (PoLP), meaning that users should have access only to the data strictly necessary for their work duties
  - Mandatory multi-factor authentication for all external access and all privileged access to systems containing personal information
  - Secure configuration and monitoring of cloud storage and synchronization services to prevent unauthorized access or data breaches (the Guiyang case turned on exactly such a synchronization feature left enabled on devices with public IP addresses)
  - Thorough due diligence on all third-party processors, and strong data processing agreements that bind such processors to obligations mirroring the company’s own obligations under the PIPL
- Delay in, or failure of, reporting a data breach can itself be a separate violation under Article 57 of the PIPL and incur penalties. Regulators may view proactive disclosures (e.g., Company A’s outreach to customers in this matter) and remedial actions (e.g., Company B’s turning off the synchronization function) favorably when determining the severity of penalties. Suggested remedial actions include:
  - A comprehensive data compliance audit
  - Enhanced technical and organizational security measures, focusing on access controls and encryption
  - Mandatory training for all staff handling data, with specific modules for IT and security teams
  - A robust incident response plan, developed, tested, and kept up to date, with clear procedures for fulfilling the Article 57 notification duty
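The Shanghai findings fault Company A for sending raw customer identifiers to its French headquarters without encryption or pseudonymization, and for doing so without separate cross-border consent. The following Python is an added illustration (it is not code from the Advisory, from any regulator, or from the companies discussed) of what a pseudonymization step gated on separate consent can look like before a record leaves Mainland China. The field names, sample values, and the choice of HMAC-SHA256 with a key held by the domestic entity are assumptions made for the example; purchase history and preferences are left in clear on the assumption that the recipient needs them, and they remain personal information subject to the same transfer mechanisms.

```python
"""Keyed pseudonymization of customer records before cross-border transfer.

Added example, not code from the Advisory or from any company it discusses.
Field names, sample values and the HMAC-SHA256 choice are assumptions.
"""
import hashlib
import hmac
import json
from dataclasses import dataclass, field
from typing import Dict, List

# Direct identifiers of the kind named in the Shanghai case (assumed names).
DIRECT_IDENTIFIERS = ("name", "phone", "email", "mailing_address")


class ConsentError(Exception):
    """Raised when export is attempted without separate cross-border consent."""


@dataclass(frozen=True)
class Consent:
    """Consent flags as recorded from the user interface.

    Accepting the privacy policy does not cover the transfer; the cross-border
    flag must come from its own, unticked-by-default control.
    """
    privacy_policy_accepted: bool
    cross_border_transfer: bool


@dataclass
class PseudonymVault:
    """Holds the HMAC key and the token-to-value map, both kept domestically.

    Without the key a recipient cannot rebuild tokens from guessed values
    (a plain SHA-256 of a phone number is reversible by enumeration), and
    without the map it cannot reverse them.
    """
    key: bytes
    lookup: Dict[str, str] = field(default_factory=dict)

    def token(self, field_name: str, value: str) -> str:
        mac = hmac.new(self.key, f"{field_name}:{value}".encode("utf-8"),
                       hashlib.sha256).hexdigest()
        tok = f"{field_name}_{mac[:32]}"
        self.lookup[tok] = value  # re-identification possible only here
        return tok

    def reidentify(self, tok: str) -> str:
        return self.lookup[tok]


def pseudonymize(record: Dict[str, object], vault: PseudonymVault) -> Dict[str, object]:
    """Return a copy of record with direct identifiers replaced by tokens.

    Tokens are deterministic per key, so the recipient can still join records
    on the same customer without learning who the customer is.
    """
    out = dict(record)
    for name in DIRECT_IDENTIFIERS:
        if name in out:
            out[name] = vault.token(name, str(out[name]))
    return out


def leaked_identifiers(original: Dict[str, object], exported: Dict[str, object]) -> List[str]:
    """Fields whose raw value still appears anywhere in the export payload."""
    payload = json.dumps(exported, ensure_ascii=False)
    return [name for name in DIRECT_IDENTIFIERS
            if name in original and str(original[name]) in payload]


def prepare_for_export(record: Dict[str, object], consent: Consent,
                       vault: PseudonymVault) -> Dict[str, object]:
    """Gate the transfer on separate consent, then pseudonymize and verify."""
    if not consent.cross_border_transfer:
        raise ConsentError("no separate consent recorded for cross-border transfer")
    exported = pseudonymize(record, vault)
    leaks = leaked_identifiers(record, exported)
    if leaks:
        raise ValueError(f"direct identifiers still present: {leaks}")
    return exported


# Constructed sample record for the example; not real customer data.
SAMPLE_RECORD = {
    "name": "Wang Fang",
    "gender": "F",
    "phone": "+86 138 0013 8000",
    "email": "wang.fang@example.com",
    "mailing_address": "88 Nanjing Road West, Jing'an, Shanghai",
    "purchase_history": ["handbag-2024-11", "scarf-2025-03"],
    "preferences": {"newsletter": True, "language": "zh-CN"},
}


if __name__ == "__main__":
    # In practice the key would live in a domestic HSM or KMS, not in source.
    vault = PseudonymVault(key=b"demo-key-held-by-the-domestic-entity")
    consent = Consent(privacy_policy_accepted=True, cross_border_transfer=True)
    print(json.dumps(prepare_for_export(SAMPLE_RECORD, consent, vault),
                     ensure_ascii=False, indent=2))
```

The consent gate is deliberately separate from the privacy-policy flag, mirroring the separate-consent requirement in the table above; a bundled “I agree to the Privacy Policy” acceptance alone never unlocks the export. Pseudonymization here is one of the “necessary measures”, not a substitute for the security assessment, SCC filing, or PIP certification that the transfer itself still requires.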
For questions on this or any other subject, please reach out to the authors or any of their colleagues in Arnold & Porter’s Privacy, Cybersecurity & Data Strategy practice group.
Jialing Xiong and Zoey Dong contributed to this Advisory.
© Arnold & Porter Kaye Scholer LLP 2025 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
Notes

[1] According to Article 66 of the PIPL, the penalties imposed on companies with serious violations could include (1) confiscation of illegal gains (if any), (2) a fine of up to RMB 50 million (USD 6.9 million) or 5% of the previous year’s turnover, and (3) suspension or termination of business operations.

[2] See Information security technology — Implementation guidelines for notices and consent in personal information processing (GB/T 42574-2023).