Why It Matters
Tianjin Free Trade Zone released China’s first-ever negative list for cross-border data transfer on July 2, specifying exactly which types of data cannot leave China without approval. For foreign businesses operating in China’s FTZs, this is the clearest guidance yet on a compliance obligation that has been opaque since the 2021 Data Security Law took effect.
Until now, foreign companies faced a dilemma: the law required data classification and security assessments for cross-border transfers, but the categories were left open to interpretation. The Tianjin Negative List removes that ambiguity for companies located in the zone. Data types not on the list are free to transfer without additional approval.
The Details
The Tianjin FTZ negative list covers seven categories of restricted data: personal information of Chinese citizens exceeding specified volume thresholds, important industrial data related to national security, classified geological and mapping information, sensitive health data from clinical trials exceeding 10,000 patient records, financial transaction data beyond basic trade settlement, telecom subscriber data, and data from critical information infrastructure operations.
Importantly, the list exempts general business data — procurement records, logistics tracking, employee directory information under 1,000 individuals — from prior approval. This is a significant departure from previous practice, where all cross-border data transfers required a self-assessment and potential government review.
China Briefing reported the Tianjin move alongside a related development: Shanghai’s Lingang New Area published whitelists for data export covering categories that companies may transfer without restriction. Together, the two approaches — Tianjin’s “everything permitted unless listed” and Lingang’s “these categories are pre-approved” — give foreign companies in FTZs the most workable data compliance framework since the 2022 Data Export Security Assessment rules.
Both zones are piloting these frameworks under the State Council’s broader FTZ reform mandate. If successful, the negative list model could be adopted by other FTZs and eventually by the national Cyberspace Administration of China (CAC) as the standard approach to cross-border data governance.
For companies outside FTZs, the rules remain unchanged: a security self-assessment is still required for transfers of “important data” or personal information above CAC thresholds. But the FTZ pilots create a precedent that the CAC may adopt nationally in 2027.
The cost difference is substantial. Under the previous framework, a foreign WFOE conducting a data export security assessment spent an average of ¥280,000 ($38,500) on legal consultancy and documentation per assessment cycle, according to estimates from China Briefing’s compliance practice. Assessment timelines averaged 45 business days from submission to CAC approval. Under Tianjin’s negative list, companies only need to file a notification for unrestricted data categories — estimated cost under ¥15,000 ($2,060) and a processing time of 3-5 business days. For a mid-sized manufacturing WFOE with 12 monthly data transfer streams, the annual compliance savings exceed ¥2 million ($275,000).
What You Should Do
- Check your FTZ status: If your China entity is registered in Tianjin FTZ or Shanghai Lingang, you may already qualify for the streamlined data transfer rules. Verify with your zone administration office which framework applies.
- Map your data flows: Even under the negative list, you still need to document what data crosses borders. Create a data inventory covering HR records (≤1,000 employees), procurement data, logistics tracking, and any regulated categories like health data or industrial process data.
- Review your compliance timeline: The current CAC assessment process takes 30-60 business days. If your data falls on the negative list, start the application now — don’t wait for a regulator inquiry.
- Consider an FTZ relocation: If cross-border data compliance is a major cost for your business, moving your China entity to Tianjin FTZ or Lingang could reduce approval requirements by 60-80%. Compare this against any operational disruptions from relocating.
One Data Point
The number to remember: 7 — the number of restricted data categories on Tianjin FTZ’s negative list. Everything else — including general procurement records, logistics tracking, and HR data under 1,000 individuals — can be transferred without prior approval. For most manufacturing WFOEs, that means 90% of routine cross-border data flows are now unrestricted.
— China Gateway 360 —
Remote China market entry support, built around execution.
