Tianjin FTZ Releases China’s First Negative List for Cross-Border Data Transfer
China’s free trade zones are rewriting the rules on data exports. The Tianjin Pilot Free Trade Zone has released the country’s first Negative List (负面清单, fùmiàn qīngdān) for cross-border data transfer — a move that directly affects how foreign companies in the zone handle data compliance. The list, published jointly by the Tianjin FTZ Management Committee and the Tianjin Municipal Commerce Bureau on May 8, 2024, specifies exactly which data types require a security review by the Cybersecurity Administration of China (CAC) before they can be transferred out of the country.
Why This Matters
Data compliance has been one of the most persistent operational headaches for foreign companies in China since the Personal Information Protection Law (PIPL) took effect in 2021. Under the current framework, companies exporting personal information or “important data” must undergo one of three compliance procedures: a CAC security assessment, signing a Standard Contract with the overseas recipient, or obtaining third-party data export security certification. The thresholds triggering these requirements have been low, catching even routine cross-border business data flows.
The Tianjin Negative List changes the dynamic. Data types that do not appear on the list can theoretically be transferred freely out of China — a significant reduction in compliance burden for companies operating in the zone. For foreign firms in sectors like manufacturing, logistics, and professional services that handle moderate volumes of standard business data, this could cut weeks of approval time per export request.
The list is also the first concrete implementation of the CAC’s 2023 Regulations to Promote and Standardize Cross-Border Data Flows, which empowered individual FTZs to design their own data governance rules. Tianjin is the first to publish. Other FTZs — including Shanghai’s Lingang New Area, which released sector-specific “general data lists” for intelligent connected vehicles, biopharmaceuticals, and mutual funds in May 2024 — are following with their own variations. The approach is spreading.
The Details
The Negative List maintains the existing volume thresholds for triggering data export compliance. Companies handling personal information of more than one million individuals, for example, remain subject to mandatory CAC security assessments regardless of the data type. But the list provides something new: industry-specific clarity on which data categories are restricted, regardless of volume.
Companies in the Tianjin FTZ operating in sectors such as finance, healthcare, transportation, and energy will benefit most. The list specifies restricted data categories within each sector, removing the ambiguity that has forced many foreign firms to apply the strictest possible interpretation — and the heaviest compliance process — to all their data exports. For a foreign-invested logistics company in Tianjin, the list may clarify that shipment tracking data falls outside restricted categories, allowing routine data flows to proceed without a CAC application.
The reduced burden is not uniform, however. Companies handling large data volumes or operating in sensitive sectors (finance, telecom, critical infrastructure) will still face the full compliance suite. For these firms, the Negative List functions more as a compliance roadmap than a waiver — it tells them exactly which data categories must go through security review, enabling better administrative planning and reducing the risk of unknowing violations.
What You Should Do
If your company operates in the Tianjin FTZ (or is considering locating there), three steps are worth taking now:
- Map your data flows. Identify every category of personal information and business data that crosses China’s border. Compare each category against the Tianjin Negative List to determine which are restricted and which can flow freely.
- Check your volume thresholds. Even data not on the Negative List may trigger compliance if your company handles personal information of more than one million individuals or transfers sensitive data types that exceed volume caps.
- Prepare for other FTZs. Tianjin’s Negative List is a template. Shanghai Lingang, Guangdong-Hong Kong-Macao GBA, and Hainan FTZ are all developing their own versions. If you operate across multiple FTZs, you will need to comply with each zone’s rules separately.
For a broader look at how FTZs are reshaping the regulatory landscape for foreign firms, see our guide to China Free Trade Zones and Foreign Investment Location Screening.
One Data Point
The number to remember: three compliance paths reduced to one data check — for data not on the Negative List, companies skip CAC security assessments, Standard Contract filing, and third-party certification, moving from weeks of processing to immediate transfer. That is the operational difference the list makes for qualifying firms in the Tianjin FTZ.
Where to Go From Here
Data compliance is evolving rapidly across China’s FTZs. For a comparative analysis of how Shanghai’s Lingang approach differs from Tianjin’s, see Shanghai and Tianjin FTZ Data Transfer Frameworks Compared. For a broader view of China’s cross-border data rules and their impact on foreign manufacturers, see our analysis of Shanghai and Tianjin FTZ Cross-Border Data Rules.
— China Gateway 360 —
Remote China market entry support, built around execution.
