Filed under shanghai
Every brief tagged "shanghai".
- § 01 · CROSS-BORDER
First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing
On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case.
- § 02 · ENFORCEMENT
From Naming to Takedown: Shanghai Pulls 46 Apps That Missed the Rectification Window
On June 24, 2026 the Shanghai Communications Administration (上海市通信管理局, the MIIT's directly-administered local communications authority) issued a notification ordering the takedown of 46 apps and SDKs that, after public naming and a rectification window, still had not fixed user-rights and personal-information violations. DCC reads it as the next rung on the enforcement ladder above the CAC's 30-app naming notification: same 2026 CAC + MIIT + MPS special campaign, but the local communications-administration tier converting an unrectified naming into an operative sanction — removal from distribution, with further measures flagged (suspension of access, administrative penalty, inclusion in the telecom-business bad-record list). The legal basis is PIPL, the Cybersecurity Law, the Telecom Regulations, and the Telecom and Internet User PI Protection Provisions. The 46-app list — transcribed here from the notice's attached image — is almost entirely Shanghai-registered long-tail O2O lifestyle apps (moving, housekeeping and cleaning, pet services, local travel agencies, community group-buy food, fitness and restaurants), and several operators appear with multiple apps taken down at once. DCC's read for overseas counsel: the provincial communications administrations are where a missed rectification window becomes a removed app, and the takedown tier sweeps the small-operator long tail, not just big nationals.
- § 03 · ENFORCEMENT
Ctrip's ¥10 Million Fine: China's First Publicly Disclosed Cross-Border Data Penalty — and the 'Necessity' Doctrine Behind Four Cases
In June 2026 Shanghai's cyberspace authority fined Shanghai Ctrip Commerce ¥10 million for unlawfully exporting personal information without implementing data-export security-assessment requirements — the first time a Chinese cross-border data penalty amount has been made public. DCC reads the fine against the three earlier Shanghai / MPS cross-border cases compiled by HexCode in 数据何规 (a hotel company that exported fields the CAC assessment had rejected, a property company that exported accommodation and financial-account data with no approval at all, and the Dior breach case) to surface the doctrine all four share: building a CRM or central-reservation system offshore does not make the bulk transfer of customer PI to headquarters 'necessary,' so it cannot escape the security-assessment / standard-contract / certification gate or PIPL's separate-consent and individual-notification requirements. The enforcement gradient — the assessment-rejected exporter was fined while the no-approval exporter was only warned — signals that subjective culpability is weighing on penalty severity.