Shanghai and Tianjin FTZs Reshape Cross-Border Data Rules for Foreign Companies

Date:

Share post:

Why It Matters

Since China’s Personal Information Protection Law (PIPL) took effect in 2021, cross-border data transfer has been one of the top compliance headaches for foreign companies operating in the country. The rules were ambiguous, thresholds were low, and penalties were severe. Two Free Trade Zones just changed the game.

The Shanghai Lingang New Area released trial “general data lists” for three sectors on May 16, 2026, while the Tianjin FTZ had previously published China’s first-ever data export Negative List in May 2024. Together, they represent a new, FTZ-by-FTZ approach to data governance that could radically simplify compliance — if your business is in the right zone and sector.

The Details

Shanghai Lingang’s approach: a positive list. The Lingang New Area identified specific, pre-approved scenarios where companies can export data without additional compliance procedures. Three sectors are covered in the first batch: intelligent connected vehicles, biopharmaceuticals, and mutual funds. For each, the list defines exactly which data types can be exported and under what operational context — multinational production coordination, global clinical trial data sharing, and cross-border fund market research, among others.

The lists are “scenario-based,” meaning they map real business workflows rather than abstract data categories. A company exporting vehicle telemetry data for a joint R&D project between its Shanghai and Stuttgart engineering teams, for instance, can do so without triggering a full Cybersecurity Administration of China (CAC) security assessment — provided the data falls within the listed categories. Personal information export remains subject to volume-based restrictions, but the scope is notably narrower.

The general data lists run for a one-year trial from May 16, 2026. They build on the Lingang Data Classification and Grading Management Measures released in March 2024, which established the framework of “important data” catalogs (requiring approval) and “general data” catalogs (freely transferable).

Tianjin FTZ’s approach: a negative list. The Tianjin FTZ took the opposite approach — specify what cannot be freely exported, and everything else is permitted. Its Negative List (2024 Edition), released May 8, 2024, was China’s first. Data types not on the list can be transferred out of China without additional security review. However, companies handling large volumes of personal information still face the standard three compliance pathways: CAC security assessment, standard contract with the overseas recipient, or third-party certification.

The bigger picture. Both approaches signal a strategic shift. Instead of a one-size-fits-all national data regime, China is testing zone-specific frameworks that balance regulatory control with business practicality. The Lingang model (positive list) is more generous for qualifying firms — it pre-approves entire data categories. The Tianjin model (negative list) is simpler structurally but still requires firms to self-assess against the list. Expect other FTZs — Qianhai, Hengqin, Hainan — to follow with their own variants.

What You Should Do

If your company operates in an FTZ, immediately verify whether your sector is covered by a local data list. For companies in Shanghai Lingang’s automotive, biopharma, or mutual fund sectors, the general data lists may eliminate months of compliance paperwork. For companies in Tianjin FTZ, map your data flows against the Negative List to identify which categories need a security assessment versus those that can flow freely.

If your company is based outside these two FTZs, monitor your local zone’s data authority. The FTZ-specific approach is likely to expand. Start preparing now by classifying your data into “general” and “important” categories — the same exercise the zones require — so you’re ready when your zone releases its own lists.

One Data Point

3,000+ companies in Shanghai Lingang alone are covered by the new general data lists across the three pilot sectors. For those firms, the months-long CAC security assessment process is replaced by a scenario-based self-verification. That is the scale of simplification China’s FTZs are now testing — and the direction of travel for the entire country’s cross-border data regime.

— China Gateway 360 —
Remote China market entry support, built around execution.

Contents

Related articles

Contents

How Does China's IP Protection Work for Semiconductor? body { font-family: 'Segoe UI', Arial, sans-serif; line-height: 1.7; color: #333; max-width: 90

How does China’s IP protection work for semiconductor?

How does China's IP protection work for semiconductors? Yes — China's IP protection framework covers semiconductor innovations through patents, IC lay

Direct Answer: Can Foreign Companies Hire Semiconductor Talent in China?

Can I Hire Local Talent for Semiconductor in China? | China Gateway 360 Yes, foreign semiconductor companies can absolutely hire local talent in China

Can I hire local talent for semiconductor in China?

Can I Hire Local Talent for Semiconductor in China? | China Gateway 360 Yes — foreign semiconductor companies in China can hire local talent directly,