China
China’s First Negative List for Cross-Border Data Transfer Released by Tianjin Free Trade Zone
The Tianjin Free Trade Zone in China has released a Negative List outlining data that requires a security review by China’s cybersecurity bureau before being transferred out of the country. This list clarifies compliance requirements for companies operating in certain industries within the free trade zone.
The Tianjin Free Trade Zone has released China’s first data Negative List outlining the types of data that must undergo a security review by China’s cybersecurity bureau to be transferred out of China. While the Negative List maintains previously set thresholds for the volume of data that companies can handle before triggering data export compliance procedures, it also clarifies compliance requirements for companies in the free trade zone operating in certain industries.
The Tianjin Pilot Free Trade Zone (Tianjin FTZ) has released a new Negative List of data that will be subject to certain compliance requirements to be exported.
The China (Tianjin) Pilot Free Trade Zone Data Export Management List (Negative List) (2024 Edition), released by the Tianjin FTZ Management Committee and the Tianjin Municipal Commerce Bureau on May 8, 2024, is the first CBDT Negative List released in China. Ostensibly, data that is not included in the Negative List can be freely transferred out of China, which would significantly ease compliance requirements for companies based in the Tianjin FTZ.
Under China’s Personal Information Protection Law (PIPL) and subsequent regulations, companies that wish to export a certain amount or types of personal information and data outside of China are required to undergo one of three compliance requirements. These are 1) a security assessment carried out by the Cybersecurity Administration of China (CAC), 2) signing a Standard Contract with the overseas recipient of the data, or 3) receiving data export security certification by a third-party agency.
Due to the relatively low threshold for the volume and type of data that can trigger these compliance measures, these regulations significantly increase compliance burdens and hinder normal operations for companies, in particular foreign companies and multinational corporations (MNCs).
In an effort to improve the business environment for foreign companies in China, the CAC has released the Regulations to Promote and Standardize Cross-Border Data Flows (the CBDT Regulations). Among many other measures to facilitate data export, such as the increased data volume thresholds for triggering compliance procedures, these new regulations allow China’s FTZs to implement their own data governance rules, including formulating their own data Negative Lists.
The Tianjin FTZ is the first FTZ in China to release such a Negative List, and it is likely to be followed by more in the near future.
This article is republished from China Briefing. Read the rest of the original article.
China Briefing is written and produced by Dezan Shira & Associates. The practice assists foreign investors into China and has done since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Zhongshan, Shenzhen, and Hong Kong. Please contact the firm for assistance in China at china@dezshira.com.



