Tianjin Free Trade Zone Releases China’s First Negative List for Cross-Border Data Transfer

Written by Arendse Huld. Reading time: 4 minutes

The Tianjin Free Trade Zone has released China’s first data Negative List outlining the types of data that must undergo a security review by China’s cybersecurity bureau to be transferred out of China. While the Negative List maintains previously set thresholds for the volume of data that companies can handle before triggering data export compliance procedures, it also clarifies compliance requirements for companies in the free trade zone operating in certain industries.

The Tianjin Pilot Free Trade Zone (Tianjin FTZ) has released a new Negative List of data that will be subject to certain compliance requirements before it can be exported.

The China (Tianjin) Pilot Free Trade Zone Data Export Management List (Negative List) (2024 Edition), released by the Tianjin FTZ Management Committee and the Tianjin Municipal Commerce Bureau on May 8, 2024, is the first cross-border data transfer (CBDT) Negative List released in China. Ostensibly, data that is not included in the Negative List can be freely transferred out of China, which would significantly ease compliance requirements for companies based in the Tianjin FTZ.

However, many companies, particularly those handling large volumes of data, will continue to be subject to certain compliance requirements to export data overseas. The Negative List nonetheless provides helpful clarity for companies by specifying the types of data subject to stricter requirements, regardless of the amount, and will allow for easier data assessment and administrative planning.

What are China’s CBDT compliance requirements?

Under China’s Personal Information Protection Law (PIPL) and subsequent regulations, companies that wish to export certain amounts or types of personal information and data outside of China are required to complete one of three compliance procedures. These are 1) a security assessment carried out by the Cybersecurity Administration of China (CAC), 2) signing a Standard Contract with the overseas recipient of the data, or 3) receiving data export security certification from a third-party agency.

Due to the relatively low threshold for the volume and type of data that can trigger these compliance measures, these regulations significantly increase compliance burdens and hinder normal operations for companies, in particular foreign companies and multinational corporations (MNCs).

In an effort to improve the business environment for foreign companies in China, the CAC has released the Regulations to Promote and Standardize Cross-Border Data Flows (the CBDT Regulations). Among many other measures to facilitate data export, such as the increased data volume thresholds for triggering compliance procedures, these new regulations allow China’s FTZs to implement their own data governance rules, including formulating their own data Negative Lists.

Note that “data export” or CBDT under China’s rules includes the following activities:

  1. The transfer of data collected and generated by companies in domestic operations to overseas locations;
  2. Data collected and generated by companies that are stored domestically, which is then looked up, retrieved, downloaded, or exported by overseas institutions, organizations, or individuals; and
  3. Activities such as processing personal information of natural persons located in China overseas, including in the following situations:
    1. For the purpose of providing products or services to domestic natural persons;
    2. For the purpose of analyzing and evaluating the behavior of natural persons within the territory; and
    3. Other situations stipulated by laws and administrative regulations.

The Tianjin FTZ is the first FTZ in China to release such a Negative List, and it is likely to be followed by more in the near future.

What data is included in the 2024 Edition of the Tianjin FTZ Negative List?

The 2024 Edition of the Tianjin FTZ Negative List separates data into two lists: (1) data for which a company will need to pass a security assessment by the CAC to export; and (2) data for which a company will need to enter into a standard contract or undergo third-party certification to export.

The first list includes 45 types of data separated into the following 13 categories:

  1. Strategic materials and commodities, including data on petroleum, petrochemicals, and natural gas
  2. Natural resources and environment, including basic geographical information
  3. Industry, including the national defense industry, rare earths, smart vehicles, and civil nuclear facility data
  4. Finance, including banking and insurance data
  5. Statistics, including economic and social statistics
  6. Telecoms and broadcasting, including radio, television, and online audio-visual data
  7. Housing and construction, specifically housing fund data
  8. Transportation, including postal and transport data
  9. Public health data, including food, biosecurity, and epidemic control data
  10. Public security data, including physical and cybersecurity data
  11. Internet services and e-commerce, including service outsourcing and internet platform service data
  12. Scientific and technological data, including items subject to export controls and technology subject to export bans and restrictions
  13. Certain volumes and types of personal information

The last category – certain volumes and types of personal information – refers to personal data falling under the following circumstances:

  1. Any personal information provided overseas by critical information infrastructure operators (CIIOs); and
  2. Companies other than CIIOs that have provided the personal information of more than 1 million people (excluding sensitive personal information) or the sensitive personal information of more than 10,000 people overseas since January 1 of the current year.

Meanwhile, under the second list, companies will be required to sign a standard contract with the overseas recipient or undergo third-party security certification if they meet the following conditions:

  • Since January 1 of that year, the company (non-CIIO) has provided the personal information (excluding sensitive personal information) of between 100,000 and 1 million people overseas; or
  • Since January 1 of that year, the company (non-CIIO) has provided the sensitive personal information of fewer than 10,000 people overseas.

Note that data involving state secrets, “core data”, and data on government affairs is not included in the Negative List but will still be subject to export restrictions and compliance requirements set out in relevant laws and regulations.

The Negative List will be adjusted at regular intervals.

The impact of the Negative List

The requirements on the volume of personal information a company can handle stipulated in the Negative List are unchanged from the eased thresholds set out in the CBDT Regulations released in March 2024. This means companies based in the Tianjin FTZ will still need to fall under these thresholds to export data without undergoing compliance requirements, as they would if they were based elsewhere in China.

Nonetheless, the listing of the types of data that will require a security review – regardless of the volumes involved – does provide some important clarity for companies. Previously, companies had little guidance on the types of data that were considered particularly sensitive and would be subject to the strictest compliance procedures. The Negative List will therefore enable companies to better assess which compliance procedures they must undergo and better prepare for the administrative procedures.

About Us

China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates.