Tianjin FTZ Releases China’s First Negative List for Cross-Border Data Transfer

The Tianjin Free Trade Zone published China’s first-ever negative list for cross-border data transfers on June 25, 2026. For foreign companies operating across China’s data regulation landscape, this shifts the model from case-by-case approval to a rules-based framework — and it signals how other FTZs may follow.

Why It Matters

Cross-border data transfer has been one of the top compliance headaches for foreign businesses in China since the 2021 Data Security Law and Personal Information Protection Law took effect. Companies faced unpredictable approval timelines, shifting security assessment requirements, and significant legal risk for non-compliance — with fines of up to RMB 50 million (US$6.9 million) or 5% of annual revenue for serious violations.

The Tianjin FTZ’s negative list approach is the first attempt to replace that uncertainty with clarity. It lists which data categories cannot be freely transferred out of China — everything else is presumed permissible under standard compliance procedures. This flips the burden from “prove you can export” to “prove you’re on the restricted list.”

The move follows Shanghai’s Lingang New Area, which released its own general data export whitelists earlier in June — creating a two-track experiment that other FTZs will study closely before rolling out their own frameworks. Together, Tianjin and Lingang cover approximately 40% of China’s FTZ-registered foreign enterprises, making the two pilot programs a meaningful sample for national-scale policy design.

The timing is also significant. China’s State Council published its 2026 cross-border data work plan in February, which explicitly called for “zone-based pilots with negative list methodology” — meaning today’s FTZ announcement was always part of a broader legislative roadmap, not a standalone local initiative.

The Details

The Tianjin negative list covers five restricted categories: (1) data related to national security and critical infrastructure operations, (2) personal information of sensitive populations exceeding volume thresholds, (3) important data from key industries as defined by sectoral regulators, (4) trade secret data explicitly marked by the data’s owner, and (5) data subject to cross-border restrictions under bilateral or multilateral agreements China has signed.

Data falling outside these five categories can be transferred after completing a streamlined notification procedure — a three-step process expected to take 5-10 business days, compared to the 30-60 day security assessment cycle that previously applied to most transfers. For context on how data regulation intersects with other regulatory frameworks, see our analysis of SAMR’s extraterritorial merger enforcement trends — the same agencies enforcing data rules also oversee cross-border deal compliance.

The FTZ’s administrative committee will maintain a public registry of approved transfer notices, creating the first transparent view of what data actually moves across China’s borders. Foreign companies registered in the Tianjin FTZ — roughly 8,600 as of Q1 2026 — are eligible immediately. The FTZ covers 119.9 square kilometers including the Tianjin Port area and the Tianjin Airport Economic Zone.

What You Should Do

If your business operates in the Tianjin FTZ, map your current cross-border data flows against the five restricted categories now. The streamlined procedure is only faster if your data qualifies — and the compliance burden for getting that determination wrong remains severe.

Three immediate steps:

  • Audit your data categories. Classify every data stream that crosses China’s border. Pay special attention to “important data” — this is defined by sectoral regulators and varies by industry (manufacturing, finance, healthcare all have different rules).
  • Check your FTZ eligibility. If your registered address is in the Tianjin FTZ but your data operations are elsewhere, consult the committee on geographic scope.
  • Watch Lingang and Qianhai. Shanghai’s Lingang and Shenzhen’s Qianhai zones are expected to release similar lists within 60 days. If you operate in those zones, start your data audit now — the window for parallel compliance will be narrow.

One Data Point

The number to remember: 5 to 10 — the business days required for the streamlined notification, down from 45-60 for a full security assessment. If the model scales nationally, it would cut 80% of the regulatory timeline for cross-border data compliance.

— China Gateway 360 —