China: Shanghai Cyberspace Administration published typical data protection enforcement cases including cross-border data transfer enforcement

On 16 January 2026, the Shanghai Municipal Cyberspace Administration published a batch of typical data protection enforcement cases, including two cases on cross-border data transfers involving a hotel management company and a property management company. The hotel firm exported domestic user data despite a prior notification from the Administration stating the transfer was not sufficiently necessary to justify transfer. The property management company provided personal information to overseas entities without submitting a security assessment, obtaining personal information protection certification, or signing standard contracts. The authority ordered both the hotel and property company to rectify the situation within a specified period. The hotel also received a fine.