Cross-Border Data Negative Lists: FTZ Compliance Roadmap

Date:

Share post:

Tianjin Pilot Free Trade Zone released China’s first data export Negative List (负面清单, fùmiàn qīngdān) in May 2024 — a groundbreaking move that specified exactly which types of data require a security review before leaving China. Now, the 2026 Foreign Investment Action Plan requires all FTZs and pilot cities to develop similar “scenario-based, field-level” negative lists. If your business operates in an FTZ, your compliance burden is about to get more predictable.

Why It Matters

China’s cross-border data transfer (CBDT) regime has been a persistent headache for foreign-invested enterprises. Under the Personal Information Protection Law (PIPL) and related regulations, companies face three potential compliance pathways: a security assessment by the Cybersecurity Administration of China (CAC), signing a Standard Contract with the overseas recipient, or obtaining third-party data export security certification. The thresholds that trigger these obligations have been broad and hard to interpret.

The problem: when “important data” is not clearly defined, every data transfer carries compliance risk. Foreign companies in particular — with global supply chains, multinational HR systems, and cross-border R&D data flows — have borne the highest uncertainty costs. Previous data localization rules only added to the complexity.

Negative lists change the equation. Data not on the list can be freely transferred out of China. That turns a regime of blanket restriction into one of targeted control.

The Details

Tianjin FTZ’s Negative List, officially the China (Tianjin) Pilot Free Trade Zone Data Export Management List (Negative List) (2024 Edition), separates data requiring compliance review into two tiers:

  1. Security assessment required (Tier 1): 45 types across 13 categories — including strategic materials (petroleum, petrochemicals, natural gas), natural resources (geographic information), industry data (defense, rare earths, smart vehicles, civil nuclear), banking and insurance data, telecoms and broadcasting, public health (food, biosecurity, epidemic control), and personal information above volume thresholds.
  2. Standard contract or certification required (Tier 2): For non-CIIO companies providing personal information of 100,000 to 1 million people, or sensitive personal information of fewer than 10,000 people, since January 1 of the current year.

Key thresholds: any company providing personal information of more than 1 million people (excluding sensitive PI) or sensitive PI of more than 10,000 people overseas must undergo a CAC security assessment, regardless of their FTZ location. The thresholds match those in the CBDT Regulations released March 2024 — the Negative List adds clarity on types of data subject to review, not lower volume triggers.

The second major development: the 2026 Action Plan, released June 22, 2026, directs all FTZs and pilot cities for services-sector opening to develop their own scenario-based negative lists. Simultaneously, national standards are being drafted to define “important data” catalogs by industry sector — manufacturing, telecoms, geographic information, automotive, pharmaceuticals, seed technology, aerospace, and civil aviation.

Shanghai’s Lingang New Area has already launched a cross-border data service center, with whitelists for data export in specific scenarios. More FTZs are expected to follow. For a comparison of how different FTZs and SEZs operate on data policy, see our dedicated guide.

What You Should Do

  • Map your data flows now. Classify every data category your China entity sends overseas — HR records, customer data, R&D outputs, financial reports, supply chain information. The negative lists won’t help if you do not know what data you are moving.
  • If you are in an FTZ, prepare to use the local list. Once your FTZ publishes its negative list, data not on the list can be transferred without further compliance procedures. That is a significant operational advantage.
  • Watch the national “important data” catalogs. These will define by sector what counts as important. If your industry is among the first eight (manufacturing, telecoms, automotive, pharma, etc.), you will have the earliest clarity.
  • Consider relocating data-intensive operations to an FTZ. If your business moves significant cross-border data, operating from an FTZ with a published negative list may reduce your compliance burden substantially.

One Data Point

The number to remember: 45 data types across 13 categories — that’s the Tianjin FTZ Negative List’s scope. Compare that to the previous regime where every cross-border data transfer carried potential compliance risk. As more FTZs adopt similar lists, the cost of compliance for FTZ-based FIEs could drop by an estimated 40-60% on data export procedures alone.

— China Gateway 360 —
Remote China market entry support, built around execution.

Related articles

China Relaxes Foreign Ownership Caps in Manufacturing: 5 Key Takeaways

China removed all foreign ownership caps in manufacturing. 100% WFOE now permitted in automotive, biotech, telecom equipment. 5 key takeaways for foreign businesses evaluating the shift.

German Auto Supplier China JV Case Study: 40% Market Share in 5 Years

How a German automotive supplier achieved 40% market share in China through a strategic JV. Partner selection, IP protection, buyout clause, and 5 key lessons for foreign investors.

Equity JV vs Cooperative JV: Best China Structure for Your Strategy (2026)

Equity JV vs Cooperative JV: which structure fits your China strategy? Compare legal status, liability, profit sharing, governance, and costs for your specific business needs.

JV vs WFOE China Market Entry: Which Structure Fits Your Business? (2026)

JV vs WFOE: which China market entry structure is right for your business? Compare ownership, timeline, IP protection, costs, and industry restrictions across 7 decision criteria.