FTZs Pilot New Cross-Border Data Rules: Lingang Whitelists and Tianjin’s Negative List

What Happened

Two Chinese free trade zones have rolled out contrasting frameworks for cross-border data transfer, giving foreign companies in China their first real regulatory alternatives to the one-size-fits-all national security review. Shanghai’s Lingang New Area published whitelists of data categories that can be exported freely, while Tianjin FTZ released China’s first-ever Negative List for data — specifying exactly which data types still require a government security review.

The developments come as China’s FTZs exercise a regulatory carve-out granted in the March 2024 Regulations to Promote and Standardize Cross-Border Data Flows. That regulation allowed each FTZ to write its own data governance rules. Lingang and Tianjin are the first to deliver.

Why It Matters for Your China Business

Cross-border data transfer has been one of the most persistent operational headaches for foreign companies in China since the Personal Information Protection Law (PIPL, 个人信息保护法, gèrén xìnxī bǎohù fǎ) took effect in 2021. The default compliance path — a CAC security assessment — can take 3 to 6 months and requires submitting detailed data maps, impact assessments, and contracts with overseas recipients.

Smaller companies often found the process disproportionate to their actual data volumes. A European manufacturer with 12 employees in Shanghai faced the same assessment requirement as a multinational with 5,000. These pilot programs are the first concrete effort to right-size the compliance burden.

The two approaches also signal to regulators in other FTZs — Beijing’s Zhongguancun, the Guangdong-Hong Kong-Macao Greater Bay Area, and Hainan — what implementation models look like in practice.

The Details: Two Models Compared

Tianjin’s Negative List (May 2024)

Tianjin FTZ published its Data Export Management Negative List (2024 Edition) on May 8, 2024 — the first such list in China. It splits controlled data into two categories: 45 data types requiring a CAC security assessment to export, and 27 types requiring a standard contract or third-party certification. Any data not on the list can be transferred freely.

For example, detailed financial transaction records and precise geolocation data from logistics operations fall under the mandatory security assessment category. Aggregated sales statistics by product category — where individual customers cannot be identified — are not on the list and can flow freely.

The list applies to all companies within the Tianjin FTZ, regardless of industry. However, companies handling personal information of more than 1 million individuals annually remain subject to the national-level security assessment regardless.

Shanghai Lingang’s Whitelist (June 2026)

Shanghai’s Lingang New Area took the opposite approach. Rather than specifying what cannot be exported, Lingang published General Data Lists (GDLs) — whitelists of specific data fields that can be exported without further approval. Companies in Lingang that export data within these whitelisted categories need only file a record with the zone administration.

Lingang’s whitelists cover 11 data categories relevant to its priority industries: integrated circuits, AI, biomedicine, smart manufacturing, cross-border finance, and international shipping. For each industry, the GDL specifies exactly which data fields are free to transfer.

In the integrated circuits category, for instance, chip design specifications, process node parameters, and test yield data below certain thresholds can be exported freely. Financial institutions in Lingang can share cross-border transaction records, credit risk indicators, and anti-money laundering data with overseas affiliates under the whitelist.

Key Difference

The negative list approach (Tianjin) gives you certainty that everything not listed is free — but you must verify your data types against the list. The whitelist approach (Lingang) gives you clear permission for specific data fields — but anything outside the whitelist still requires the standard compliance path. For most foreign companies, Tianjin’s model is simpler to implement.

What You Should Do

  • Check your FTZ location. If your China entity is registered in Tianjin FTZ or Shanghai Lingang, you may already qualify for simplified data export. If you’re in another FTZ, monitor for local rules — Shenzhen Qianhai and Beijing’s Zhongguancun are expected to publish their own frameworks by Q4 2026.
  • Map your data flows against the applicable list. Cross-reference every category of personal information and important data your business transmits out of China against the Tianjin Negative List or Lingang Whitelist. This is a one-time exercise that will pay for itself in reduced compliance overhead.
  • Consider restructuring your China entity. If data transfer compliance costs are material for your operations, moving your China subsidiary into Tianjin FTZ or Lingang could eliminate mandatory CAC security assessments for routine data exports. Our guide to registering a trading WFOE in China’s FTZs covers the process.
  • Document your classification decisions. If you rely on either FTZ framework, maintain a written record of which data categories fall outside the negative list or inside the whitelist. In a regulatory audit, your rationale matters as much as your conclusion.

One Data Point

A foreign-invested trading company in Tianjin FTZ that handles 500,000 customer records annually previously faced a 4-month CAC security assessment process costing approximately $35,000 in consulting and legal fees. Under the Negative List framework, if none of its data categories appear on the controlled list, that company can now export the same data with zero additional compliance cost. For a mid-sized manufacturer, that’s a permanent $8,000–$12,000 annual savings in compliance overhead.

The number to remember: 72 — the combined total of controlled data types across both the Tianjin Negative List (45 security-assessment-required + 27 contract-eligible) that foreign companies now have clear regulatory guidance on, versus the hundreds of ambiguous categories under the previous national framework. Clarity itself is a compliance asset.

— China Gateway 360 —
Remote China market entry support, built around execution.

Similar Articles

Comments

LEAVE A REPLY

Please enter your comment!
Please enter your name here

Advertismentspot_img

Instagram

Most Popular