On June 13, 2026, Shanghai Trip.com Business Co., Ltd., a subsidiary of the Chinese online travel giant Trip.com Group, was fined 10 million yuan (approximately 1.45 million U.S. dollars) for failing to comply with cross-border data security assessment requirements and illegally transferring personal information overseas.

Regulatory Action

The penalty was imposed by the Shanghai Cyberspace Administration under the guidance of the Cyberspace Administration of China (CAC). The enforcement action was part of a broader crackdown on local companies with inadequate network data security responsibilities, insufficient security management measures, and poor data compliance capabilities in backend processing.

According to the official announcement, the fine was issued in accordance with China's Personal Information Protection Law (PIPL). The company was also ordered to rectify its violations within a specified period and has since actively cooperated and fully implemented the required corrective measures.

Nature of the Violation

The investigation confirmed that Trip.com had engaged in the unauthorized cross-border transfer of a large volume of user personal information without completing the legally required cross-border data security assessments. The data involved included highly sensitive information such as names, national ID numbers, passport information, bank card numbers, and travel itineraries.

According to the Cross-Border Data Transfer Security Assessment Measures, data processors must apply for a security assessment when transferring the personal information of over 1 million individuals overseas. As China's largest online travel platform, Trip.com held far more sensitive personal data than this threshold but continued transmitting data to its unified overseas business systems and data analysis platforms for years without regulatory approval.

Regulatory Context

Industry analysis noted that the 10 million yuan fine, while substantial, is not the maximum penalty available under Chinese law. The PIPL allows for fines of up to 50 million yuan or 5 percent of annual revenue for severe violations. Trip.com Group reported net revenue of approximately 65 billion yuan in 2025, suggesting a potential maximum penalty of up to 65 billion yuan if more severe violations had been found.

The penalty comes at a challenging time for Trip.com, which has been under antitrust investigation by the State Administration for Market Regulation since early 2026 over allegations of market dominance abuse.

Regulatory Warning

The Shanghai Cyberspace Administration stated that authorities will further strengthen enforcement efforts against illegal online activities that threaten network and data security, infringe upon personal information rights, and disrupt economic and social order. The case serves as a warning that even major internet platforms in public service-related sectors are subject to strict compliance requirements for cross-border data transfers.