The “Negative Lists” Easing Data Export in China’s FTZs – A Complete Guide for Foreign Companies

Posted by Written by Arendse Huld Reading Time: 13 minutes

China data export policy is undergoing a major shift, with FTZs piloting flexible regimes for cross-border data and personal information transfers. Recent measures propose a unified national negative list to facilitate service export. These developments signal a move toward a more coherent and business-friendly data governance framework.

Since 2024, China’s Free Trade Zones (FTZs) have been at the forefront of piloting more flexible rules for cross-border transfers of data and personal information. Under national law, companies moving “important data” or large volumes of personal information overseas are generally required to complete strict compliance steps, such as a CAC security assessment, signing a standard contract, or obtaining certification. These requirements have proven cumbersome for multinational companies that need regular cross-border data flows.

To ease this burden, in March 2024, the Cyberspace Administration of China (CAC) issued the Regulations to Promote and Standardize Cross-Border Data Flows, which authorize FTZs to establish localized regimes based on data export “negative lists.” These lists define categories of data that remain subject to compliance, while allowing all other data (within the specified industries) to be transferred overseas with greater ease.

Find Business Support
Ensure your ERP is compliant with China's data and cybersecurity regulations.

The Tianjin FTZ led the way in May 2024, issuing the country’s first negative list covering 45 categories of sensitive data across 13 sectors. On August 30, 2024, the Beijing FTZ followed with a list targeting five industries, accompanied by the Trial Implementation Measures for the Data Export Negative List of the China (Beijing) Pilot Free Trade Zone. The Beijing measures also included a reference guide for classifying important data and personal information, providing companies with additional clarity.

The Beijing FTZ’s framework has since become a template, with most FTZs combining a negative list and separate trial management measures, and, in some cases, supporting implementation guidelines. To date, eight FTZs – Tianjin, Shanghai (Lingang), Beijing, Hainan, Zhejiang, Jiangsu, Chongqing, and Guangxi – have introduced negative lists. These carve out which outbound data requires compliance, and which may be exported more freely, raising thresholds for personal information exports and easing compliance costs for businesses.

A new layer was added on September 24, when the Ministry of Commerce (MOFCOM), CAC, and seven other agencies jointly issued measures to promote service exports. Notably, the provisions concerning data and personal information exports signal a broader policy shift. The measures call for exploring a national negative list for data exports from FTZs, a move that would unify the fragmented pilot regimes and bring greater clarity to companies operating across multiple zones. In April, the CAC had already encouraged FTZs to cross-adopt each other’s lists, and the September measures now push toward a centralized framework.

China’s compliance requirements for cross-border data transfer

Legal background

Under China’s Personal Information Protection Law (PIPL) and related regulations, companies that export certain volumes or types of data outside of China must undergo compliance procedures. These requirements add significant administrative burdens, especially for companies with overseas operations or those handling large volumes of data, such as foreign companies.

Compliance procedures

There are three compliance procedures for cross-border data transfer:

  1. Undergoing an export security assessment by the Cybersecurity Administration of China (CAC);
  2. Receiving a personal information export security certification by a third-party agency; and
  3. Signing a standard contract with the overseas recipient of the data.

The first procedure, the CAC security assessment, is the most stringent. It applies to critical information infrastructure operators (CIIOs) and companies exporting “important” data. The latter two options involve a lighter compliance burden and apply to companies that export certain volumes of personal information or “sensitive personal information.”

FTZ data export negative lists

General framework

The FTZ negative lists define which types and volumes of data are subject to the different compliance procedures under the Data Security Law and the PIPL. The type of procedure required depends on both the category of data (for example, whether it is considered “important”) and the quantity of personal information handled (measured by the number of individuals whose data is involved).

Thus far, the FTZs have created negative lists for a few industries only. In some cases, such as Chongqing and Jiangsu, the lists cover just one industry. Within each industry, data is divided into two categories:

  • Category I requires companies to pass a data export security assessment. This applies to all CIIOs that export personal information or important data, as well as to other companies that provide important data overseas or provide large volumes of personal information overseas, specified by the negative list.
  • Category II requires companies to either undergo a third-party personal information export security certification or sign a standard contract with the overseas recipient. This mainly applies to non-CIIOs that export smaller volumes of personal information, stipulated in the negative list.

The Tianjin FTZ approach

Unlike other FTZs, the Tianjin FTZ does not organize its list by industry. Instead, it distinguishes between data that requires a CAC security assessment and data that requires either a standard contract or third-party certification across a range of data fields.

The first list includes 13 categories of data that must undergo a security assessment to be exported. These categories are:

  1. Strategic materials and commodities (petroleum, petrochemicals, natural gas)
  2. Natural resources and environment (including basic geographical information)
  3. Industry (national defense industry, rare earths, smart vehicles, civil nuclear facility data)
  4. Finance (banking and insurance data)
  5. Statistics (economic and social statistics)
  6. Telecoms and broadcasting (radio, television, online audiovisual data)
  7. Housing and construction (housing fund data)
  8. Transportation (postal and transport data)
  9. Public health (food, biosecurity, epidemic control data)
  10. Public security (physical and cybersecurity data)
  11. Internet services and e-commerce (service outsourcing, internet platform services)
  12. Scientific and technological data (items under export controls, technologies subject to export bans or restrictions)
  13. Certain volumes and types of personal information

The last category covers:

  1. Any personal information provided overseas by CIIOs, and
  2. Personal information provided overseas by non-CIIOs involving more than 1 million individuals (excluding sensitive personal information) or more than 10,000 individuals when the data is sensitive.

The second list applies when companies export personal information, but in smaller quantities. Non-CIIOs that have, since January 1 of that year, provided personal information of between 100,000 and 1 million people overseas (excluding sensitive personal information), or sensitive personal information of fewer than 10,000 people, must either sign a standard contract or undergo third-party certification.

Industries and Fields Included in FTZ Data Negative Lists
FTZ Effective date Industries/fields covered
Beijing August 30, 2024
  • Automotive
  • Pharmaceuticals
  • Civil aviation
  • Retail and modern services
  • Artificial intelligence training data
Shanghai (Lingang) February 8, 2025
  • Reinsurance
  • International shipping
  • Commerce (retail, F&B, and accommodation)
Zhejiang March 31, 2025
  • B2B e-commerce
  • Clearing and settlement
Hainan 2025 onwards
  • Deep sea
  • Aviation
  • Agriculture
  • Tourism
  • Duty-free retail
Jiangsu August 13, 2025 (effective 2 years)
  • Medicine and pharmaceuticals
Chongqing September 1, 2025 (effective 2 years)
  • Automotive
Guangxi September 1, 2025 (effective 2 years)
  • Geographic information and meteorological data services
  • Enterprise credit information services
  • Livestream cross-border e-commerce
  • Overseas audio and video production and dissemination
Tianjin May 8, 2024
  • Requires a security assessment by the CAC:
  • Strategic materials and commodities
  • Natural resources and environment
  • Industry ( including the national defense industry, rare earths, smart vehicles, and civil nuclear facility data)
  • Finance
  • Statistics (including economic and social statistics)
  • Telecoms and broadcasting
  • Housing and construction
  • Transportation
  • Public health (including food, biosecurity, and epidemic control data)
  • Public security
  • Internet services and e-commerce
  • Science and technology
  • Certain volumes and types of personal information (above the below thresholds)
  • Requires a standard contract or third-party certification:
  • If, since January 1 of the current year, a company (non-CIIO) has provided the personal information (excluding sensitive personal information) of between 100,000 and 1 million people overseas; or
  • If, since January 1 of the current year, a company (non-CIIO) has provided the sensitive personal information of fewer than 10,000 people overseas.

Data classification guidelines under the trial implementation measures

Find Business Support
Optimize your business's IT operations with help from our range of IT and IS advisory services.

Five of the eight FTZs—Beijing, Zhejiang, Jiangsu, Chongqing, and Guangxi—have released reference guides to supplement their negative lists. These guides help companies identify what constitutes important data and personal information, thereby clarifying which data export compliance procedures will apply. Companies that are not included in one of the industries listed in the negative lists can also rely on these reference guides to assess whether they are required to undergo a compliance procedure.

General principles for important data

The reference guides set out general principles for identifying “important” data, which is subject to the highest compliance standard – a CAC security assessment. The rules are as follows:

  • Personal information of more than 10 million individuals (excluding sensitive personal information) held by enterprises in the FTZ.
  • Personal information of more than 100,000 individuals held by CIIOs as designated by the state.
  • High-value sensitive data related to industry competitiveness and production safety collected and generated during the R&D, design, manufacturing, and business management processes of enterprises in the FTZ, as well as data on enterprise supply chains that may impact national security.
  • Automatic control system parameters, along with control, operation, maintenance, and testing data, held by enterprises in the FTZ that are relevant to the national economy and people’s livelihoods.

These principles apply only to non-confidential data. Data classified as confidential is regulated under separate standards and laws.

Sector classifications

In addition to the general rules, the reference guides classify data across 13 fields, with specific examples for each. These fields are:

  1. Strategic materials and commodities
  2. Natural resources and environment
  3. Industry
  4. National defense science and technology
  5. Telecommunications
  6. Radio, television, and online audiovisual
  7. Finance
  8. Transportation
  9. Public health, food, and drugs
  10. Public security
  11. Internet services and e-commerce
  12. Science and technology
  13. Other

Below is a sample of the data categorization provided in the reference guide.

Data Classification Reference Guide for FTZs*
Category Sub-category Description of basic data information Reference rules for identifying important data (example)
Strategic materials and commodities Oil, petrochemicals, and natural gas Includes storage and transaction data, international trade data, etc. Product output data, international trade data, and other data in the fields of petroleum, petrochemicals, and natural gas that could be used to deduce the operational status, development trends, growth rates, and other aspects of important areas involving national strategic interests.

 

Strategic reserve data of major agricultural products such as grain, cotton, edible vegetable oil, sugar, meat, and dairy products, as well as unpublished international cooperation data and international trade data; data that may affect biosafety on the categories and quantities of rare and endangered germplasm resources (including genes) of crops, livestock, poultry, and aquatic products; unpublished agricultural and rural statistical data, inspection and monitoring data, epidemic prevention and quarantine data; and geographic information data of a certain level accuracy or that is unpublished.
Agricultural products Includes germplasm resource data, international cooperation data, international trade data, strategic reserve data, etc.
Natural resources and environment Geographic information Includes basic geographic information, subdivided into basic positioning data, place name and address data, topography and landform data, basic geographic entity data, and other basic geographic information data; remote sensing image data, subdivided into original image data, image product data and other remote sensing image data; thematic geographic information data, subdivided into thematic geographic information in the fields of natural resources, national land space planning, ecological environment, etc. Basic geographic information data and remote sensing imagery that meet nationally specified coverage, accuracy, and scale, or represent sensitive areas and targets. Various meteorological monitoring data serving the military, national defense research, and high-tech sectors.

 

Marine environmental monitoring data and disaster prevention data with military value that are not suitable for public release. Flood and drought disaster prevention operational data that can reflect flood and drought conditions, project hazards, and comprehensive analysis and evaluation; basic water conservancy data such as hazardous projects and sections; national water resources and water environment basic data, water regime information, and hydrological observation data that are not suitable for public release; remote sensing imagery and digital twin water conservancy geospatial data that meet certain accuracy requirements; and the physical safety and protection status of key water conservancy projects.

 
Meteorology Includes meteorological monitoring data, space-based atmospheric monitoring data, meteorological support data, regional meteorological data, radar-based data, and meteorological station metadata.
Marine Includes marine environmental data and marine resource data.
Industry Steel, non-ferrous metals Includes data on reserves, output, smelting equipment, procurement volume, international cooperation data, international trade data, etc. Data on reserves, production, and procurement volumes of non-ferrous metals of significant military and civilian value; national strategic steel and non-ferrous metal reserves; key geological data on strategic non-ferrous metal deposits; and data on mining areas rich in important associated mineral resources. Data on production technologies unique to my country, such as rare earth mining and smelting; information on bulk raw materials; and data that can influence pricing for raw material purchases.
Rare earths Includes reserves and mining data, industry usage data, export data, etc.
Other minerals Includes reserve data, international cooperation data, international trade negotiation data, and the development layout of mineral-related industries.
* Beijing, Zhejiang, Jiangsu, Chongqing, and Guangxi FTZs only.

FTZs without separate classification guides

Not all FTZs have issued separate reference guides. The Shanghai (Lingang), Hainan, and Tianjin FTZs have taken different approaches:

  • Shanghai (Lingang) FTZ: The implementation measures released by the Lingang New Area stipulate that data is to be managed in accordance with relevant laws, regulations, and rules, which including the Regulations on Network Data Security Management, the Measures for Data Export Security Assessment, the Measures for Standard Contracts for Personal Information Export, and the Regulations on Promoting and Regulating Cross-Border Data Flows.
  • Hainan FTP: Hainan has only released its negative list and has not published any trial implementation measures or separate classification guidelines.
  • Tianjin FTZ: The Tianjin negative list already closely aligns with the reference guides issued by other FTZs. Because Tianjin’s list applies to all industries and already contains detailed classifications, no separate reference guide has been released.

Application of the negative lists across FTZs

Find Business Support
Get help conducting compliance audits, penetration tests, and impact assessments.

Although all the FTZs adopt the principle that data within the negative list requires one of the nationally prescribed compliance procedures, while data outside the list may circulate more freely, the way the lists are implemented varies. In some FTZs, such as Beijing, the procedures are detailed directly in the trial management measures, while in others, such as Shanghai and Chongqing, separate implementation guides provide the rules. Not all FTZs have published these supporting rules yet, and where they are missing (such as in Hainan), companies must rely on official explainers and general provisions of national law.

The current implementation frameworks in each FTZ are as follows.

Beijing

Beijing applies the negative list according to the trial management measures themselves. Companies intending to transfer data overseas that falls within the negative list must follow a multi-step process:

  1. Application submission: Companies submit an application to their local FTZ group, including information such as registration, industry, business operations, and records of administrative penalties or investigations over the past two years.
  2. Filing: If approved, the company then files detailed information on the planned export, including scenarios, catalogues, volumes, overseas recipients, and the rationale for applying the negative list.
  3. Cross-border transfer: Once filing is completed, the company may begin exporting in line with the FTZ’s review opinion, while remaining subject to supervision, verification, and ongoing reporting.

FTZ groups are tasked with auditing submissions within five working days, issuing preliminary opinions on whether the export falls within or outside the negative list, and guiding companies through the compliance process. Authorities maintain oversight before, during, and after the export, and violations can result in suspension or termination of export activities.

Shanghai Lingang

Shanghai Lingang implements the negative list through a dedicated guide. Companies that use the negative list must, within 15 working days of starting cross-border transfers, submit materials to the local Data Cross-Border Service Center. Required documents include business and legal identification, an authorization letter, a description of how the negative list applies, and a compliance commitment.

The FTZ committees in Shanghai and the Lingang New Area review the materials, verify them, and then report to the municipal Cyberspace Administration and Data Bureau. Feedback is provided within 15 working days. If materials fail verification, companies are notified and must correct them or revert to the national compliance procedures.

Use of the negative list may be terminated if a company is penalized, relocates outside the FTZ, or undergoes major changes in its data export activities. Non-compliance also leads to immediate suspension and possible legal liability.

Tianjin

Tianjin integrates the use of the negative list directly into the negative list document itself. Companies must first identify whether the data they plan to export is listed. Data within the negative list triggers the relevant compliance procedure (security assessment, standard contract, or certification), while data outside the list is exempt.

The rules emphasize practicality and flexibility: authorities undertake dynamic adjustments to the list based on evolving circumstances, and enterprises are instructed to apply the list according to their actual data transfer needs. Regulators from the municipal Cyberspace Administration, Commerce Bureau, and Data Bureau jointly handle new issues as they arise.

Zhejiang

Zhejiang has released draft implementation rules that are open for public comment until October 22, 2025. These rules outline a detailed system for applying the negative list, which is broadly as follows:

  • Companies must apply through the Data Cross-Border Service Center, which reviews eligibility within three working days.
  • Approved applicants proceed to a filing stage, with the provincial FTZ office and other provincial authorities issuing the final determination within five working days.
  • Successful companies receive a filing result notice valid for three years.
  • If the circumstances of the export change, the filing must be updated, reviewed again, and reconfirmed at the provincial level.

The process includes requirements for resubmission of incomplete or incorrect materials within ten working days, and the possibility of termination if the company no longer meets the negative list criteria.

Jiangsu

The Jiangsu FTZ implements the negative list through the trial management measures. According to the trial measures, companies using the negative list must report their export activities to the local FTZ committee, including scenarios, catalogues, volumes, and overseas recipients. They are also required to comply with national security and personal information protection obligations, report incidents promptly, and notify authorities within 24 hours if national security or public interest is at risk.

Provincial authorities carry out monitoring through consistency checks, random inspections, and regular evaluations, with powers to suspend or terminate exports in cases of non-compliance.

Jiangsu’s trial management measures state explicitly that data outside the negative list is exempt from the three compliance requirements (security assessment, standard contract, certification). Where supporting operating guides exist, companies may follow them, though the negative list takes precedence in cases of inconsistency.

Chongqing

The Chongqing FTZ has released a supporting implementation guide detailing the requirements for companies to utilize the negative list. According to the guide, companies first need to identify whether their data falls within the negative list, and then apply the appropriate compliance procedure if it does. Data outside the list is exempt (for the industries included on the list).

Enterprises must report their use of the negative list to the FTZ committee within 15 working days of initiating exports, submitting business credentials, legal representative documents, authorization letters, a usage report, and a compliance commitment.

Authorities conduct inspections and random checks, with participation from the municipal cyberspace administration, commerce committee, and big data bureau. If companies are penalized, relocate outside the FTZ, or commit violations, their use of the negative list is terminated, and illegal activities may be subject to further enforcement.

Guangxi

The Guangxi FTZ has not yet released supporting implementation guidelines, and its management measures do not detail procedures for companies to implement the negative list. The trial management measures emphasize self-identification, requiring companies to assess whether their data falls under the negative list before exporting. If data is included, the relevant compliance procedures apply; if not, companies may export freely.

The measures follow national data classification and grading requirements, distinguishing between core, important, and general data.

Hainan

Hainan has not yet released separate implementation rules. However, an official explainer outlines the approach: the negative list is designed with a dynamic adjustment mechanism, updated based on changes in national security, industry structure, and trade needs. The province has established international and cross-border data service centers to provide one-stop support, including a “green channel” for security assessments, an information service platform, and compliance guidance.

In the absence of detailed measures, companies must rely on these support platforms and national-level rules when applying the negative list.

Data negative lists as an additional benefit to China’s FTZs

The rollout of data negative lists across China’s FTZs represents more than just a technical adjustment to compliance procedures. For foreign companies and multinationals, they provide a clearer and more predictable framework for managing cross-border data transfers, which has become one of the most difficult compliance issues under China’s evolving data protection regime. By specifying exactly which categories of data remain subject to national-level controls, the lists reduce uncertainty and allow businesses to design internal data governance systems with greater confidence.

As more FTZs expand their negative lists to cover additional industries, the value of establishing operations within these zones will grow. Companies that rely heavily on international data sharing, particularly in sectors such as finance, healthcare, technology, and advanced manufacturing, may find FTZs increasingly attractive as hubs for coordinating their China-based and global operations. In this way, data negative lists function not only as compliance tools but also as strategic incentives that enhance the role of FTZs in China’s broader effort to balance data security with economic openness.

With support from our in-house legal, HR, finance, and IT specialists, Dezan Shira & Associates helps clients strengthen defenses, prepare for audits, and build privacy programs that transform data compliance from a risk into a competitive advantage. Get in touch with our local experts to schedule a consultation: China@dezshira.com.

Read also:

 

About Us

China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland.

For a complimentary subscription to China Briefing’s content products, please click here. For support with establishing a business in China or for assistance in analyzing and entering markets, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.