Your privacy is very important to us.When you visit our website,please agree to the use of all cookies.For more information about personal data processing,please go to Privacy Policy.

Make an Enquiry
Home
About us
News
Services
Our Clients
Insights
Careers
Contact Us

Shanghai Releases Updated Data Export Management List for Free Trade Zone

2025-02-13

On February 8, 2025, the Shanghai Cyberspace Administration, along with other departments, jointly released the Data Export Management List for the China (Shanghai) Pilot Free Trade Zone and Lingang New Area (2024 Edition) and related management measures. This marks another step forward in cross-border data management for the Shanghai Free Trade Zone, following the release of the general data list for cross-border scenarios in areas such as intelligent connected vehicles by the Lingang New Area Administrative Committee in May 2024.

What Areas Does the Negative List Cover?
The newly introduced Negative List covers three key sectors: reinsurance, international shipping, and commerce (retail, catering, and accommodation). It includes two types of data—important data and personal information—spanning six specific scenarios and 84 data items.

What Are the Specific Requirements for Data Export Under the Negative List?
The Negative List categorizes business scenarios and data subcategories in the three sectors based on different regulatory requirements. It specifies whether data export security assessments are required or if filing a standard contract for personal information export or obtaining personal information protection certification is necessary. The list also provides detailed descriptions of the basic characteristics of the data.

What Are the Breakthroughs Compared to Previous Regulations?
The Regulations on Promoting and Regulating Cross-Border Data Flow, issued by the Cyberspace Administration of China in March 2024, stipulate that data processors must declare a data export security assessment if they have cumulatively provided over 1 million pieces of personal information (excluding sensitive personal information) or over 10,000 pieces of sensitive personal information to overseas entities since January 1 of that year. For exports of 100,000 to 1 million pieces of personal information (excluding sensitive personal information) or fewer than 10,000 pieces of sensitive personal information, a standard contract for personal information export or personal information protection certification is required.

The Negative List significantly raises these thresholds. For example, in reinsurance scenarios for life and property insurance, de-identified personal information such as name, gender, age, nationality, and occupation type, as well as sensitive personal information such as policy numbers, insured amounts, premiums, claim numbers, and claim amounts, will only require a data export security assessment if over 10 million pieces of personal information (excluding sensitive personal information) or over 1 million pieces of sensitive personal information are cumulatively exported since January 1 of that year. Similarly, in the same scenarios, filing a standard contract or obtaining certification is only required if 1 million to 10 million pieces of personal information (excluding sensitive personal information) or 10,000 to 1 million pieces of sensitive personal information are exported.

Who Does the Negative List Apply To?
The Negative List applies to data processors registered in the Shanghai Free Trade Zone and Lingang New Area who conduct data export activities within these zones. It does not apply to critical information infrastructure operators.

Which Data Exports Are Exempt from Security Assessments, Standard Contracts, or Certification?
The following data exports are exempt:

  1. Data collected and generated during international trade, cross-border transportation, academic cooperation, multinational manufacturing, and marketing activities, provided it does not contain personal information or important data.

  2. Personal information collected overseas and transmitted to China for processing before being exported, provided no domestic personal information or important data is introduced during processing.

  3. Personal information necessary for concluding or performing contracts where an individual is a party, such as cross-border shopping, delivery, remittance, payment, account opening, flight and hotel bookings, visa applications, and exam services.

  4. Personal information required for cross-border human resource management under legally established labor rules and collective contracts.

  5. Personal information necessary to protect the life, health, or property of individuals in emergencies.

  6. Data exports by non-critical information infrastructure operators involving fewer than 100,000 pieces of personal information (excluding sensitive personal information) cumulatively since January 1 of that year.

  7. Data exports not covered by the Negative List.
    Note: For conditions 3 to 6, the exported personal information must not be classified as important data by relevant authorities or publicly announced as such.

The Implementation Guidelines for the Data Export Negative List of the China (Shanghai) Pilot Free Trade Zone and Lingang New Area (Trial) were also released simultaneously, providing guidance on scope, filing procedures, and precautions for relevant enterprises.


-END-



Make an Enquiry
Please fill out the form below and we will respond as soon as we can.
  • Ms.
    Mr.
  • PRC
    Other jurisdictions
  • ODI services
    FDI services
    Fund services
    Tax services
    Foreign exchange services
    Bank services
    Offshore services
    Public Policy services
  • Search engine
    Sinobravo website
    Brochure
    Event
    Recommendation
    Social media
  • Yes,Please
    No,Thanks
  • I have read, acknowledged and understood the《Privacy Statement》,  and agree with the contents thereof.