Shanghai Streamlines Data Export with New Data Negative List 

Posted by Written by Arendse Huld Reading Time: 8 minutes

Shanghai has introduced a new data export negative list for companies operating in the city’s pilot free trade zone and Lingang New Area. The list specifies the types and volumes of data in certain industries that must undergo a compliance procedure before being exported, allowing companies to freely transfer any data not covered by these restrictions. This initiative is expected to streamline cross-border data transfers for businesses in these sectors and pave the way for further regulatory easing in the future.

Shanghai’s cybersecurity authorities have released a new Data Export Negative List and accompanying management measures to facilitate the export of data and personal information for companies located in the city’s development zones.

The new Negative List applies to companies registered in the Shanghai Free Trade Zone (FTZ) Pilot Area and the Lingang New Area operating in certain industries.

Companies based in one of these two areas export data not included in the Shanghai Negative List will be exempted from undergoing the data export compliance procedures, thus greatly reducing the compliance burden and facilitating data export flows.

DOING BUSINESS IN CHINA EXPLORE IN-DEPTH INVESTMENT AND BUSINESS GUIDES.
Explore vital economic, geographic, and regulatory insights for business investors, managers, or expats to navigate China’s business landscape. Our Online Business Guides offer explainer articles, news, useful tools, and videos from on-the-ground advisors who contribute to the Doing Business in China knowledge. Start exploring

Experimental rules for data export in FTZs

The new Shanghai Negative List is the latest move in ongoing efforts to ease cross-border data transfer (CBDT) for companies. In March 2024, the CAC released a set of measures easing requirements for CBDT. Among the changes, the measures allowed China’s FTZs to implement their own regulations for exporting data, including the use of data negative lists.

Since then, FTZs across the country have begun to implement their own systems for managing data export. In May 2024, the Tianjin FTZ released the first data export negative list in China, outlining 45 types of data across 13 industries and fields.

Find Business Support
Optimize your business's IT operations with help from our range of IT and IS advisory services.

That same month, the Shanghai Lingang New Area released trial general data lists for three sectors, outlining the types of data that companies in the zone can freely export in a type of data whitelist.

In September 2024, the Beijing FTZ released its own data export negative list for data in five industries: automotive, pharmaceuticals, civil aviation, retail and modern services, and artificial intelligence training data. The new Negative List for the Shanghai FTZ Pilot Area and Lingang New Area is closely modelled on the Beijing FTZ Negative List.

The Lingang New Area has previously released general data lists for the management of data exports. In contrast to the Negative List, companies that must export data under scenarios outlined in these general data lists, which cover the fields of intelligent connected vehicles, biopharmaceuticals, and mutual funds, are able to do so without having to undergo the requisite compliance procedures.

However, the release of the Shanghai Negative List suggests that this will be the preferred method for handling data export going forward, with more lists for specific industries and fields expected in the future.

How does the Shanghai Negative List work?

The Shanghai Negative List outlines the types and volumes of data that are subject to certain export compliance procedures.

These compliance procedures are, depending on the type and volume of data:

The Negative List Management Measures explicitly state that companies registered in the Shanghai FTZ Pilot Area and the Lingang New Area can freely export data that is not included in the Shanghai Negative List without going through the above compliance procedures. However, this only applies to companies operating within the industries and fields included in the Shanghai Negative List.

Currently, the Shanghai Negative List covers three industries:

  • Reinsurance
  • International shipping
  • Commerce (retail, F&B, and accommodation)

The Negative List treatment does not apply to critical information infrastructure operators (CIIOs), as they are subject to stricter data export regulations.

Note that the above procedures still apply to all data exports from areas outside the Shanghai FTZ Pilot Area and Lingang Pilot Area, and to data exports by companies located within these areas who operate in fields and industries not included in the Shanghai Negative List.

However, if a certain industry has already published data export guidelines for companies in the Shanghai FTZ Pilot Area or Lingang New Area, companies can export data according to these guidelines. If there is any discrepancy between such guidelines and the Shanghai Negative List, however, the Shanghai Negative List regulations shall prevail.

Data export restrictions

Certain technical information and data related to controlled items may be subject to export restrictions under China’s Export Control Law and Foreign Trade Law. Any such data will remain subject to the export restrictions as stipulated in the relevant laws, even if it is included in the Shanghai Negative List.

How can companies use the Shanghai Negative List to export data?

Companies that apply the Shanghai Negative List to freely export data must first report their export activities to either the Shanghai Pilot FTZ Management Committee or the Lingang New Area Management Committee, depending on which area it is registered. They must inform them of matters such as the business need for the data export, directories of the outbound data, the scale of the outbound data, the overseas recipients of the data, and so on.

Related Reading
We can help deploy or localize ERP systems for your China business to ensure compliance with local data regulations.

Companies that export important data or personal information overseas must still implement the various security and protection measures required by relevant laws and regulations, as well as technical measures to ensure the security of the outbound data.

Meanwhile, if a data outbound security incident occurs or it is found that the security risk to the outbound data increases, remedial measures must be taken and promptly reported to the Shanghai Internet Information Office, Shanghai Municipal Data Bureau, Shanghai Municipal Public Security Bureau, Shanghai Municipal State Security Bureau, Shanghai Pilot FTZ Management Committee, and Lingang New Area Management Committee.

These authorities are tasked with supervising and inspecting the implementation of the Shanghai Negative List and the data export activities of companies within the two areas and will conduct regular inspections to do so.

Filing materials to utilize the Shanghai Negative List

Companies that employ the Shanghai Negative List to export data are required to submit certain materials and information on their data export activities to the local cross-border data service center within 15 working days from the date of the activity. This timeframe can be postponed under certain circumstances.

Companies must file the following materials:

  1. A photocopy of the unified social credit code certificate;
  2. A photocopy of the identity document of the legal representative;
  3. A photocopy of the identity document of the person handling the matter;
  4. A letter of authorization from the person handling the matter;
  5. An explanation of the use of the negative list for data outbound activities; and
  6. A letter of commitment.

After receiving these materials, the relevant authorities will review them and provide feedback to the company within 15 working days. If the verification fails, the company will be required to make the necessary changes within 15 working days from the date that the relevant authorities received the materials.

If a company still needs to export data, it must do so through the usual compliance procedures that apply to the rest of the country.

Termination of the use of the Shanghai Negative List

Companies will be required to cease using the Shanghai Negative List under certain circumstances. These include punishments by relevant authorities, a change of business registration to an address outside the Shanghai FTZ Pilot Area or Lingang New Area, or major changes to its data export flows.

Companies that need to continue exporting data after being told to cease using the Shanghai Negative List must do so following the standard data export compliance procedures.

Companies that do not strictly fulfill relevant commitments or are found to violate requirements in their cross-border data flow processes must cease all cross-border data activities immediately. Any illegal or irregular matters will be investigated in accordance with the law.

Sample of the Shanghai Negative List

The Shanghai Negative List organizes data into two different categories within the three fields. These are:

  1. Data for which a company must undergo a security assessment from the CAC to export; and
  2. Data for which a company must sign a Standard Contract with the overseas recipient or undergo third-party data protection certification in order to export.

Within the first category, the data is further categorized as either important data or personal information. The latter category only deals with personal information or sensitive personal information.

Below we have provided a simplified sample of the data that is subject to the above restrictions within the three fields.

Sample of the Shanghai Data Export Negative List
Field Data type Data type Data description
Reinsurance Security assessment Important data Insurance and claims data that may affect national security, including insurance and claims data of important facilities, equipment, and personnel involved in national security, as well as the insurance and claims data of enterprises and institutions undertaking major national and construction projects in important areas of national economic and social development.
Personal information For companies that have exported the personal information of more than 10 million people (excluding sensitive personal information) since January 1 of the current year: 

Personal information involved in the underwriting and claims process, such as de-identified name, gender, age, nationality, occupation type, and other personal information.
Standard Contract or data protection certification Personal information For companies that have exported the personal information of more than 1 million people but less than 10 million people (excluding sensitive personal information) since January 1 of the current year:

Personal information involved in the underwriting and claims process, such as de-identified name, gender, age, nationality, occupation type, and other personal information.
International shipping Security assessment Important data Data of port facilities and equipment generated in the daily production and operation of the port, including basic data of port facilities and equipment, and data generated during the operation and management process.
Sensitive personal information For companies that have exported the sensitive personal information of more than 150,000 seafarers since January 1 of the current year:

Seafarers’ certificate numbers, certificate of competency numbers, bank card numbers, physical examination reports, and other data.
Standard Contract or data protection certification Personal information For companies that have exported the personal information of more than  150,000 seafarers but less than 1 million seafarers (excluding sensitive personal information) since January 1 of the current year:

Name, gender, date of birth, place of birth, nationality, certificate validity period, date of issuance, issuing authority, issuing country code, and signature, flight area, grade, position, function, issuing official, date of issuance, and other data.
Commerce (retail, F&B, and accommodation) Security assessment Personal information For companies that have exported the personal information of more than 10 million people (excluding sensitive personal information) since January 1 of the current year:

Customer names, nicknames, contact information, gender/title, anniversaries, region, email addresses, addresses (including zip code), user IDs, member accounts or number, nationality, age, marital status, birthday, order numbers, product identification code/serial numbers, member hobbies and preferences, etc.
Standard Contract or data protection certification Personal information For companies that have exported the personal information of more than 1 million but less than 10 million individuals (excluding sensitive personal information) since January 1 of the current year:

Customer names, nicknames, contact information, gender/title, anniversaries, region, email addresses, addresses (including zip code), user IDs, member accounts or number, nationality, age, marital status, birthday, order numbers, product identification code/serial numbers, member hobbies and preferences, etc.

Important data lists

In addition to the Shanghai Negative List, the municipal authorities are also tasked with assisting companies in carrying out data classification and grading, as well as compiling important data catalogs. This will be used to form an important data catalog for the Shanghai FTZ Pilot Area and Lingang New Area, which will be filed with the National Data Security Coordination Mechanism Office.

Companies will be required to identify and declare important data in accordance with relevant regulations. However, companies will not be required to declare data as “important” for the purposes of data exports if they have not been notified to do so, or if the data has not been publicly labeled as important data.

The reference rules for data classification and grading in industries and fields not covered by the Shanghai Negative List and operational guidelines shall be implemented in accordance with relevant regulations and standards.

Impact on foreign companies: Difference between the Shanghai, Beijing, and Tianjin negative lists

The introduction of the Negative List in the Shanghai FTZ Pilot Area and Lingang New Area marks a significant step forward in streamlining CBDT for companies operating within these zones. By providing clear guidance on which types of data are subject to compliance procedures, the Shanghai Negative List will help businesses navigate regulatory requirements with greater ease and confidence.

Related Reading
Personal Information Protection Audits in China: Final Measures Effective May 1

One of the most notable advantages of this new framework is the substantial increase in the volumes of personal information that companies can export before triggering compliance procedures. Compared to the broader national regulations, companies in the designated areas now have more flexibility in managing their data exports, reducing administrative burdens and fostering a more business-friendly environment. However, restrictions remain for companies in industries not covered by the Shanghai Negative List, and even those that qualify must still adhere to specified ceilings for freely exportable data.

At the same time, the adoption of the Shanghai Negative List approach aligns Shanghai’s regulatory framework with those already in place in the Beijing and Tianjin FTZs, contributing to greater consistency across different regions. As more industries and FTZs introduce similar lists, it is likely that China’s data export regulations will continue to evolve toward a more standardized and transparent system.

Companies should remain attentive and stay updated on regulatory developments. Future refinements to data export policies, potential expansions of the Shanghai Negative List, and the introduction of new industry-specific guidelines may offer further opportunities for businesses.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. For a complimentary subscription to China Briefing’s content products, please click here.

Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.