China's Cross-Border Data Transfer Regime Enforcement Trends

JD Supra Trade Law (www.jdsupra.com)
Filed March 2nd, 2026
Detected March 3rd, 2026

Summary

China's Cyberspace Administration has released two enforcement cases from 2025 concerning violations of cross-border data transfer requirements. These cases, involving hotel and property management sectors, highlight the increasing focus on compliance with the country's data export regulations.

What changed

China's regulatory framework for cross-border data transfers, established by laws like the CSL, DSL, and PIPL, has seen its first publicly disclosed enforcement actions in 2025. Two cases, highlighted by the Shanghai Cyberspace Administration, involved unlawful outbound transfers of data in the hotel and property management sectors, indicating a shift from framework development to active enforcement. These cases underscore the importance of adhering to the three compliance pathways: security assessment review, standard contract filing, and personal information protection certification.

Companies operating in or transferring data from China must ensure strict compliance with the cross-border data transfer regime. The emergence of these enforcement actions suggests a heightened risk for non-compliance, potentially leading to penalties. Businesses should review their data export practices, particularly concerning personal information and important data, and ensure they meet the requirements of the security assessment, standard contract, or certification mechanisms to mitigate regulatory risks.

What to do next

  1. Review current cross-border data transfer practices against China's CSL, DSL, and PIPL requirements.
  2. Ensure compliance with one of the three approved pathways: security assessment, standard contract, or certification.
  3. Consult legal counsel for specific guidance on data export compliance.

Source document (simplified)

March 2, 2026

Enforcement of China’s Cross-Border Data Transfer Regime: Emerging Trends from Recent Cases

Jet Deng, Dacheng [co-author Ken Dai]

Since the enactment of the Cybersecurity Law in 2017 (“CSL”), which for the first time introduced regulatory requirements for cross-border data transfers, China has progressively developed a comprehensive legal framework governing outbound data flows. With the issuance of the Provisions on Promoting and Standardizing Cross-Border Data Flow in 2023 and the implementation of the Measures for the Certification of the Outbound Transfer of Personal Information in 2025, China has now established a fully-fledged three-track compliance regime for cross-border data transfers - namely, (i) security assessment review, (ii) standard contract filing, and (iii) personal information protection certification. Corresponding legal liabilities have also been prescribed for non-compliant outbound data transfers.

Despite the increasingly mature regulatory framework, there are currently only four publicly disclosed enforcement cases regarding violations of cross-border data transfer requirements. All four cases occurred in 2025, with a complete absence of enforcement cases prior to that year. For instance, in January 2026, the Shanghai Cyberspace Administration released typical law enforcement cases regarding network data security for 2025. [1] Among the eight cases, two involve failures to comply with cross-border data transfer requirements, leading to unlawful outbound transfers. The two cases involved sectors such as hotel management and property management, highlighting the enforcement focus of regulators in this area.

This article reviews publicly disclosed cases involving unlawful cross-border data transfers, analyzes the key compliance issues and regulatory signals reflected therein, and provides practical compliance guidance for enterprises seeking to mitigate regulatory risks and properly manage cross-border data flows.

1. China’s CBDT Regulatory Framework Overview

Under the current legal system, the laws involving statutory obligations for cross-border data transfer primarily consist of the CSL, the Data Security Law (“DSL”), and the Personal Information Protection Law (“PIPL”). At the level of administrative regulations and departmental rules, this includes the Regulations on Network Data Security Management, the Measures for the Security Assessment of Cross-Border Data Transfer, and the Measures for the Standard Contract for Cross-Border Transfer of Personal Information.

The CSL, enacted in 2017, first introduced restrictions on the provision of personal information and important data by critical information infrastructure operators (“CIIOs”) to overseas recipients. Subsequently, the DSL (2021) extended security assessment requirements to outbound transfers of important data by non-CIIO data processors, while the PIPL brought cross-border transfers of personal information under regulatory oversight. In 2022 and 2023, the Measures for Security Assessment of Data Exports and the Measures for Standard Contracts for the Export of Personal Information institutionalized the security assessment review and standard contract filing mechanisms, respectively.

With the launch of the Provisions on Promoting and Standardizing Cross-Border Data Flow in 2023, the regulatory framework was further clarified: where a data processor must provide important data or personal information exceeding specified thresholds overseas, it must comply with one of the three prescribed compliance pathways - security assessment review, standard contract filing, or personal information protection certification.

Regarding administrative penalties for violating cross-border data compliance obligations, the CSL does not explicitly define the form of administrative penalties for this specific issue. The DSL and PIPL distinguish between general circumstances and serious circumstances, including both entity liability and individual liability. For the unlawful export of important data, general circumstances may result in an order to correct, a warning, or a fine; serious circumstances may lead to suspension of business for rectification or even revocation of business licenses. For the unlawful export of personal information, penalties include orders to correct, warnings, confiscation of illegal gains, and termination of services; fines are imposed on the enterprise and directly responsible personnel only for refusal to correct or in serious circumstances.

Although a relatively complete institutional system has been built at the legislative level, administrative enforcement is still at an early and exploratory stage. In practice, dedicated enforcement campaigns targeting cross-border data transfers have yet to become routine. Compared with general cybersecurity or personal information protection cases, publicly reported enforcement actions specifically addressing cross-border data transfers remain limited. Moreover, full administrative penalty decisions are typically not disclosed, making it difficult for enterprises to identify consistent enforcement standards or precedent-based compliance benchmarks. Regulatory approaches and enforcement thresholds in this area remain dynamic and are still evolving.

2. Review of Typical Enforcement Cases

To date, only four cases explicitly involving unlawful cross-border data transfer behaviors have been publicly disclosed:

| No. | Date | Case | Enforcing Department | Sector |
|---|---|---|---|---|
| 1 | July 2025 | Dior (Shanghai) Company failing to fulfill its obligation of personal information protection | Shanghai Jing’an Public Security Bureau | Luxury goods |
| 2 | September 2025 | Abnormal cross-border data transmission of a certain enterprise in Yunyan District, Guiyang City, Guizhou Province | Cyberspace Administration of Yunyan District, Guiyang City | Not disclosed |
| 3 | 2025 | A certain hotel management enterprise in Shanghai unlawfully transferring user data abroad | Cyberspace Administration of Shanghai | Hotel Management |
| 4 | 2025 | A certain property management enterprise in Shanghai unlawfully transferring user data abroad | Cyberspace Administration of Shanghai | Property & hotel management |

(1) Dior (Shanghai): Failure to Fulfil Personal Information Protection Obligations

This case was an after-the-fact regulatory action triggered by a data breach incident. In May 2025, Dior discovered malicious access to its system, indicating a potential risk of personal information leakage, and reported it to the regulatory authorities. On July 28, 2025, the Jing’an Branch of the Shanghai Public Security Bureau issued an administrative penalty decision, determining that the company “failed to take necessary protection measures during the data transmission process” and imposed a warning and an order to correct according to the PIPL. [2]

In September 2025, the public security bureau further disclosed three violations: (1) transferring users’ personal information to its French headquarters without passing a data export security assessment, executing a standard contract, or obtaining personal information protection certification; (2) failing to fully inform users of the overseas recipient’s processing methods and failing to obtain their separate consent prior to transfer; and (3) failing to implement encryption, de-identification, or other technical safeguards. [3]

This case is the first publicly disclosed enforcement action explicitly identifying unlawful cross-border data transfers as an administrative violation. Notably, the enforcing authority was not a cyberspace administration responsible for the “three pathways” review, but a public security authority - reflecting China’s multi-agency (“fragmented”) enforcement landscape in data security matters. From a substantive perspective, although the data transfer occurred within a multinational corporate group, Dior failed to meet PRC compliance standards in terms of privacy policy design, regulatory reporting, and security safeguards. From a penalty standpoint, enforcement focused on rectification, without confiscation of illegal gains or fines, suggesting the violation did not rise to the “serious circumstances” threshold under the PIPL.

(2) Abnormal Cross-Border Data Transmission in Yunyan District, Guiyang

In September 2025, the Cyberspace Administration of Yunyan District, Guiyang City, announced a case of abnormal cross-border data transmission. [4] In this case, enterprise staff turned on the “cloud data” synchronization storage function while using equipment connected to a public network IP, leading to data transmission overseas. The authority found that the enterprise failed to strictly comply with cross-border data security management requirements and had inadequately performed security assessment and compliance review obligations. The enterprise was interviewed, issued an administrative warning, and ordered to rectify.

As enforcement was based on the CSL and DSL, the case likely involved outbound transfers of important data rather than personal information. Storing important data on overseas cloud servers through “cloud data” synchronization would constitute an export of important data, triggering the security assessment review.

(3) Shanghai Hotel Management Company: Continued Transfers Despite Negative Assessment

This case is one of the typical network data security law enforcement cases for 2025 released by the Shanghai Cyberspace Administration. The enterprise transmitted users’ personal information overseas when engaging in online hotel booking. Unlike the previous two cases, where the “three pathways” obligations were not executed, this enterprise did carry out the notification procedure for the data export security assessment. However, after receiving the Assessment Result Notification from the national cyberspace department explicitly stating that the relevant personal information data items had “insufficient necessity for export”, the enterprise failed to take effective measures and continued to provide domestic natural persons’ personal information overseas illegally. Thereafter, the enterprise was ordered to correct within a time limit and fined.

This case is the only one among the four disclosed cases where a fine was imposed. The case demonstrates that regulators impose more severe penalties where enterprises proceed with outbound transfers despite explicit regulatory findings. It also confirms that cyberspace authorities conduct both ex ante reviews and ex post supervision. Enterprises must promptly localize storage of data deemed unnecessary for export, failing which they may face aggravated penalties.

(4) Shanghai Property Management Company: Export of Sensitive Personal Information

This case is another typical network data security law enforcement case for 2025 released by the Shanghai Cyberspace Administration. It involved an app for hotel booking and membership account management that exported personal information. The enterprise, through the app it operated, exported users’ accommodation data and sensitive personal information relating to financial accounts without applying for a security assessment, executing a standard contract, or obtaining certification. The enterprise was ordered to correct within a time limit and issued a warning.

In this case, it was specifically pointed out that the personal information involved included sensitive personal information, which to a certain extent clarifies the current focus of cross-border data regulation.

3. Enforcement Trend and Observations

Although full penalty decisions have not been published and available details remain limited, several enforcement trends can be discerned.

First, sectoral concentration is evident. Most cases involve hotel management and cross-border B2C service providers. These industries inherently process large volumes of personal data and frequently engage in cross-border data transfers. Enterprises handling large-scale data exports - particularly exports involving sensitive personal information - should prioritize compliance with the “three pathways”.

Second, from a liability perspective, enforcement has largely emphasized rectification orders, with relatively few cases involving fines or business suspension. However, “knowing violations,” particularly where regulators have already issued clear instructions, are subject to significantly harsher penalties. Where regulators have determined that certain data lacks necessity for export, enterprises should promptly implement localization measures.

Third, regarding enforcement trends, regulators are not limited to ex ante approval mechanisms but are increasingly engaging in ex post supervision. The fact that all publicly disclosed cases occurred in 2025 suggests that cross-border data transfer enforcement has entered an implementation phase, with both preventive and corrective oversight likely to intensify.

In summary, since 2025, enforcement actions relating to cross-border data transfers have begun to increase, signaling a shift from latent compliance risk to concrete legal obligation. Enterprises engaging in cross-border data transfers should abandon any reliance on regulatory uncertainty and strictly comply with applicable requirements by applying for security assessments, standard contract filings, or certification as appropriate. At the same time, enterprises should strengthen necessity assessments for outbound data transfers and implement data localization mechanisms for non-essential exports, in order to adapt to an increasingly rigorous and refined enforcement environment.

Notes List

  1. https://mp.weixin.qq.com/s/WEDyn0NIltRWO72L7dVyA?scene=25&sessionid=&clickid=6#wechat_redirect
  2. https://gaj.sh.gov.cn/jaga/xzcf/toDetail?pa=a23e7d1d9cab592f7cb65c52f4cb5f1aba763022165fc1856dbfcf6073b6454093b3644cc24fc46a
  3. https://mp.weixin.qq.com/s/0NZ852z1Jo7w4HkYiGJgVg
  4. https://mp.weixin.qq.com/s/au6MGkSSzJhNKXtpZEWRGA


Source

Analysis generated by AI. Source diff and links are from the original.

Classification

Agency: Various
Filed: March 2nd, 2026
Instrument: Enforcement
Legal weight: Binding
Stage: Final
Change scope: Substantive

Who this affects

Applies to: Manufacturers, Technology companies, Importers and exporters
Geographic scope: China

Taxonomy

Primary area: Data Privacy
Operational domain: Compliance
Topics: Cybersecurity, International Trade