China’s Cross-Border Data Rules: Tianjin FTZ Negative List Sets New Precedent for Foreign Firms

Date:

Share post:

Why This Matters for Your China Business

Cross-border data transfer (CBDT) rules have been one of the single largest compliance headaches for foreign companies in China since the Personal Information Protection Law (PIPL, 个人信息保护法, gèrén xìnxī bǎohù fǎ) took effect in 2021. If your China operation exports any employee data, customer records, or operational metrics to a headquarters overseas, you are subject to these rules — regardless of your industry or company size.

The Tianjin Pilot Free Trade Zone (天津自贸区, Tiānjīn Zìmào Qū) has now released China’s first data export Negative List (负面清单, fùmiàn qīngdān), cataloguing 45 specific data types across 13 categories that require a mandatory security assessment from the Cybersecurity Administration of China (CAC) before they can leave the country. Data not on the list can, in principle, flow freely — a significant easing from the blanket caution most companies have operated under since 2021.

For foreign businesses, the practical question has shifted from “Can we transfer this data?” to “Is our data on the list, and if not, what’s our new compliance obligation?” The answer depends on volume, data type, and whether your Chinese entity qualifies as a Critical Information Infrastructure Operator (CIIO).

The Details: How the Negative List Changes Your Compliance Calculus

The Tianjin FTZ Negative List, released by the FTZ Management Committee and Tianjin Municipal Commerce Bureau, splits regulated data into two tracks. Track 1 — the “security assessment” track — covers 45 data types in 13 sectors: strategic materials (oil, gas, petrochemicals), national defense industry data, rare earths, smart vehicles, civil nuclear facilities, banking and insurance records, economic statistics, telecom and broadcasting content, housing fund data, transportation and postal records, public health and biosecurity data, internet platform service data, and scientific/technological data subject to export controls.

If your business touches any of these categories, you will need a full CAC security assessment — a process that can take 60 to 120 working days and requires detailed documentation of data flows, overseas recipient security measures, and the legal environment in the destination country. This is not a box-ticking exercise: companies that exported data without an assessment when one was required have faced fines of up to 50 million yuan ($6.9 million) or 5% of annual revenue under the PIPL.

Track 2 — the “Standard Contract or certification” track — applies to companies that are NOT CIIOs but have exported personal information of between 100,000 and 1 million individuals, or sensitive personal information of fewer than 10,000 individuals, since January 1 of the current year. These companies can use a CAC-approved Standard Contract with the overseas data recipient or obtain third-party security certification — both faster and cheaper than a full assessment.

Critically, the volume thresholds are unchanged from the March 2024 CBDT Regulations. This means companies in the Tianjin FTZ don’t get a lower bar for volume triggers — the Negative List’s value is in clarity, not deregulation. You now know exactly which data types need an assessment, regardless of volume, rather than having to guess whether your data falls into a “sensitive” gray zone.

The Shanghai Lingang New Area (上海临港新片区) has gone further, launching China’s first Cross-Border Data Service Center in parallel with its own data export whitelists — signalling that other FTZs will release their own lists, each with slightly different sector priorities reflecting their industrial base.

What You Should Do

If your China entity is in — or considering — a Free Trade Zone location, here are the immediate action items:

  • Map your data flows now. Catalogue every category of personal information and operational data your China entity exports. Does it fall into any of the 13 Negative List categories? If yes, budget 60-120 working days for a CAC security assessment before your next transfer.
  • Count your data subjects. How many individuals’ personal information have you exported since January 1? If you’re between 100,000 and 1 million, you need a Standard Contract or certification — even if no data type triggers Track 1. This is the most common surprise for mid-size foreign manufacturers and service firms.
  • Watch for your FTZ’s list. Tianjin and Shanghai Lingang are first movers. If you’re in Hainan, Guangdong, or another FTZ, expect a zone-specific Negative List within 6-12 months. The sector coverage will vary — Guangdong will emphasize manufacturing and trade data; Hainan will focus on tourism and healthcare.
  • Don’t assume “not on the list = no rules.” Data involving state secrets, “core data” (核心数据, héxīn shùjù), and government affairs data is excluded from the Negative List but still subject to separate, stricter export controls.

One Data Point

The number to remember: 13 categories, 45 data types. That’s the scope of the first FTZ Negative List. If your China entity’s data exports touch none of them and fall under the volume thresholds, you are in the clearest regulatory position any foreign company has had since PIPL took effect. For everyone else, the compliance clock is now ticking.

For a deeper look at how PIPL applies to specific data types, see our guide on how China’s PIPL affects biometric data for foreign companies and our overview of privacy impact assessment requirements for foreign firms.

— China Gateway 360 —
Remote China market entry support, built around execution.

Related articles

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreign Firms

China’s 2025 Carbon Emissions Trading Regulations Reviewed: How 9% Fines, Stricter MRV, and Expanded Sector Coverage Reshape ESG Compliance for Foreig

China’s 2025 Environmental Protection Law Amendments: What They Mean for Environmental Compliance

China's 2025 Environmental Protection Law Amendments: What They Mean for Environmental Compliance China's 2025 amendments to the Environmental Protect

How Unilever Met China’s Solid Waste Management Regulations: A Compliance Case Study

How Unilever Met China’s Solid Waste Management Regulations: A Compliance Case Study By 2023, Unilever had reduced its total waste generation across i

How Apple Helped Its China Suppliers Switch to Renewable Energy: Carbon Reduction Case Study

How Apple Helped Its China Suppliers Switch to Renewable Energy: Carbon Reduction Case Study body{font-family:'Segoe UI',Tahoma,Geneva,Verdana,sans-se