Trip.com Group has been fined RMB 10 million for illegally transferring personal information overseas, the latest regulatory action against the online travel giant this year.
Since the beginning of the year, China’s enforcement investigations have found that some internet companies in sectors closely tied to people's lives have continued to illegally transfer personal information overseas. Cybersecurity regulators have further intensified enforcement efforts, cracking down on violations that endanger cybersecurity and data security, infringe on personal information rights, and disrupt economic and social order.
In January 2026, China's State Administration for Market Regulation (SAMR) officially launched an antitrust investigation into Trip.com Group under the Anti-Monopoly Law over suspected abuse of market dominance. The news triggered a sharp market reaction, wiping more than HK$60 billion (about USD 7.65 billion) off the company's market value within two trading days.
In March, three Beijing government agencies jointly summoned 12 online platforms, publicly criticizing Trip.com's "automatic price-matching" mechanism for undermining hotels' pricing autonomy.
In May, the Cyberspace Administration of China (CAC) advanced its nationwide algorithm governance campaign, requiring major online travel platforms, including Trip.com, to conduct self-inspections.
Then, on June 11, three government ministries jointly summoned seven train-ticket booking platforms, targeting practices such as "ticket-snatching fees," speculative ticket purchasing, and the improper collection of personal information.
Two days later, on June 13, a major data compliance penalty was announced.
Under the guidance of the CAC, the Shanghai Cyberspace Administration handled a series of enforcement cases involving local companies that had failed to fulfill their data security responsibilities, lacked adequate security protection measures, had insufficient compliance capabilities in back-end data processing, or conducted inadequate compliance reviews for cross-border data transfers.
Among the cases, Shanghai Trip.com Commerce Co., Ltd. was fined RMB 10 million (about USD 1.48 million) under China's Personal Information Protection Law for failing to comply with cross-border data transfer security assessment requirements and illegally transferring personal information overseas. The company was also ordered to rectify the violations within a specified time limit.
Following the penalty, the company actively cooperated with regulators and fully implemented the required corrective measures.
