Other BriefingsShanghai Expands Data Export Negative List Regime: What Foreign Businesses Need to Know
The Shanghai data export negative list has undergone a major upgrade, offering foreign businesses faster and simpler pathways for cross-border data transfers. Discover how the new rules cut compliance hurdles and unlock efficiencies for multinational operations.
On April 24, 2026, the Shanghai Cyberspace Administration and the Shanghai Data Administration jointly released a new set of rules governing cross-border data transfers (CBDT) in Shanghai.
The package includes the updated Shanghai Data Export Negative List Management Measures (Trial), the 2025 Shanghai Data Export Negative List, and an accompanying implementation guide.
The new framework significantly expands the scope and usability of Shanghai’s data export negative list regime, creating new compliance opportunities for foreign-invested enterprises (FIEs) operating in China.
Companies that previously needed to undergo burdensome data export security assessments or execute standard contractual clauses may now qualify for simplified procedures or exemptions, provided their outbound data activities fall outside the designated negative list.
For multinational companies managing regional data flows, cloud systems, HR platforms, supply chain analytics, or customer databases, the updated rules could materially reduce compliance friction in China.
See also: How China’s Foreign Investment Negative List Works – A Guide for Investors
The New Shanghai Data Export Negative List
What are the changes?
Change 1: Expanded geographic applicability
One of the most important changes is the expansion of the policy’s geographic applicability.
Previously, Shanghai’s negative list framework primarily applied within the China (Shanghai) Pilot Free Trade Zone and the Lingang Special Area. Under the new rules, the regime now applies citywide, setting a precedent in China.
Any data processor registered in Shanghai and conducting cross-border data transfer activities from Shanghai may now apply the updated negative list mechanism.
Who must pay attention to this update? This change is particularly relevant for foreign businesses with regional headquarters, shared service centers, R&D facilities, logistics operations, or digital commerce platforms located outside the FTZ but still within the Shanghai municipality.
Change 2: New data classification and “important data” thresholds
The updated rules also introduce a more detailed reference framework for data classification and grading.
Shanghai’s authorities now provide guidance on identifying “important data” across 13 major sectors and 40 sub-categories.
The framework also clarifies quantitative thresholds for determining when personal information may constitute important data. According to the new rules, important data may include datasets involving:
- More than 10 million individuals’ personal information (excluding sensitive personal information);
- More than one million individuals’ sensitive personal information; or
- More than 100,000 individuals’ sensitive personal information involving bank accounts, insurance accounts, medical treatment records, or similar highly sensitive categories.
How will this update impact businesses? For foreign companies operating centralized HR, CRM, fintech, healthcare, or e-commerce systems, these thresholds provide a clearer basis for assessing whether outbound data transfers trigger heightened regulatory obligations.
Change 3: Updated industry sectors
The 2025 Shanghai negative list currently covers four major industry sectors:
- Reinsurance;
- International shipping;
- Commercial trade (including retail, catering, and accommodation); and
- Meteorology.
The updated version contains:
- Nine specific business scenarios;
- 29 data sub-categories; and
- 109 individual data items.
Compared with the 2024 version, Shanghai has added the meteorology sector and further refined the international shipping category with more granular data classifications.
Why is it important? This sector-based approach is important because companies transferring data outside the listed categories may be able to benefit from simplified compliance procedures or freer cross-border data flows.
How the filing process works
Companies seeking to use the negative list mechanism must submit a filing application to their local district authority in Shanghai.
The filing typically includes information regarding:
- The nature of the outbound data;
- Transfer scenarios;
- Recipient details; and
- The applicable industry category.
The application is then jointly reviewed by the Shanghai Cyberspace Administration and the Shanghai Data Administration.
Following review, regulators will determine whether:
- The data transfer falls outside the negative list and may proceed under ordinary rules
- The transfer falls within the negative list and therefore still requires security assessment, standard filing, or personal information protection certification; or
- The transfer falls outside the negative list and may proceed with streamlined or exempted procedures.
For many foreign businesses, the third scenario could significantly reduce compliance costs and approval timelines.
Compliance obligations still remain
Although the negative list mechanism may simplify or exempt certain regulatory procedures, companies are not fully relieved from broader compliance obligations under China’s data governance framework.
Businesses must still comply with requirements under regulations such as the Network Data Security Management Regulations and the Provisions on Promoting and Regulating Cross-Border Data Flows.
Key obligations continue to include:
- Obtaining informed consent where required;
- Conducting personal information protection impact assessments (PIPIAs);
- Implementing contractual data protection measures
- Adopting appropriate technical security safeguards; and
- Maintaining outbound data transfer logs.
The updated rules also strengthen ongoing supervision requirements. Companies must:
- Promptly update filings if transfer circumstances change;
- Report and remediate security incidents or risks;
- Cooperate with inspections and random audits; and
- Submit an annual report detailing outbound data activities before year-end.
The annual report must include information such as:
- Categories of exported data;
- Applicable negative list sectors and scenarios;
- Annual transfer volumes;
- Overseas recipients and destinations;
- Changes to transfer arrangements; and
- Security incidents, if any.
Why the new Shanghai rules matter for foreign investors
Shanghai’s updated negative list framework represents another major step in China’s broader effort to balance data security with economic openness.
For foreign-invested enterprises, the new rules may offer practical compliance relief, particularly for companies that routinely transfer operational, employee, logistics, customer, or commercial data overseas.
Businesses that previously needed to pursue time-consuming CAC security assessments or standard contract filings may now benefit from more efficient regulatory pathways if their data activities fall outside the negative list scope.
At the same time, the framework underscores that China’s cross-border data compliance regime remains highly procedural and increasingly sophisticated. Companies should therefore continue to carry out careful data mapping, transfer assessments, and sector-specific compliance reviews.
As China continues to refine localized data governance mechanisms through FTZ experimentation, Shanghai’s latest reforms may also serve as a model for future nationwide liberalization of CBDT rules.
How can Dezan Shira & Associates help? Foreign-invested enterprises operating in the Chinese Mainland should proactively reassess their cross-border data practices in light of Shanghai’s updated negative list framework. Dezan Shira & Associates can support companies in navigating these changes by helping identify opportunities for simplified compliance while strengthening overall data governance to align with China’s evolving regulatory landscape. Our IT and compliance specialists can assist with data mapping, cross-border transfer assessments, and structuring efficient compliance strategies to align with Shanghai’s negative list regime. To arrange a consultation, please contact China@dezshira.com.
Asia’s data protection environment is rapidly evolving, with businesses facing rising pressure to maintain secure IT systems while complying with national regulations like China’s CSL, DSL, and PIPL, alongside global frameworks such as GDPR. Dezan Shira & Associates provides cybersecurity and compliance advisory tailored for Asia’s regulatory landscape. Our services include IT infrastructure audits, Zero Trust implementation, security training, and multi-jurisdictional data privacy compliance. About Us China Briefing is one of five regional Asia Briefing publications. It is supported by Dezan Shira & Associates, a pan-Asia, multi-disciplinary professional services firm that assists foreign investors throughout Asia, including through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Haikou, Zhongshan, Shenzhen, and Hong Kong in China. Dezan Shira & Associates also maintains offices or has alliance partners assisting foreign investors in Vietnam, Indonesia, Singapore, India, Malaysia, Mongolia, Dubai (UAE), Japan, South Korea, Nepal, The Philippines, Sri Lanka, Thailand, Italy, Germany, Bangladesh, Australia, United States, and United Kingdom and Ireland. For a complimentary subscription to China Briefing’s content products, please click here. For support with establishing a business in China or for assistance in analyzing and entering markets, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.
- Previous Article China’s Supreme Court Tightens Anti-Bribery Provisions, Raising Stakes for Companies
- Next Article
