Beijing Releases Negative List to Facilitate Data Export in Free Trade Zone
Beijing is the latest free trade zone to publish a data negative list to facilitate the export of important industry data and personal information out of the country. The data negative list outlines types of data and personal information across five industries which require certain additional compliance procedures in order to be exported. Data not included in the list can be freely exported by companies based in the free trade zone, thus facilitating cross-border data transfer. We explain how the data negative list works and discuss the potential impact on companies operating in the zone.
Beijing has released its first data negative list for implementation in the Beijing Free Trade Zone (FTZ) in an effort to ease cross-border data transfer (CBDT) for companies operating in the area. The negative list was released along with a set of trial implementation measures — the Measures for the Management of Negative List for Cross-Border Data Transfer in the China (Beijing) Pilot Free Trade Zone (for Trial Implementation). These measures outline the rules for companies located in the Beijing FTZ to export “important data” and certain volumes and types of personal information out of the country.
The 2024 data negative list — the Management List (Negative List) for Cross-border Data Transfer in the China (Beijing) Pilot Free Trade Zone (2024 Edition) — catalogs specific types and volumes of data in five different industries that require certain compliance procedures to be exported. Data not included in the data negative list can be freely exported by companies located in the Beijing FTZ.
Both the trial implementation measures and the 2024 data negative list took effect upon their release on August 30, 2024.
China’s compliance requirements for cross-border data transfer
Under China’s Personal Information Protection Law (PIPL) and related regulations, companies that wish to export certain volumes or types of data outside of China are required to undergo certain compliance procedures. This adds a significant administrative burden on companies, particularly those handling large volumes of data or those with overseas operations, such as foreign companies.
There are currently three different compliance procedures for CBDT:
- Undergoing an export security assessment by the Cybersecurity Administration of China (CAC);
- Receiving a personal information export security certification by a third-party agency; and
- Signing a standard contract with the overseas recipient of the data.
The first of the three compliance procedures is the most stringent and applies to critical information infrastructure operators (CIIOs) and companies that export important data overseas. The latter two require a lower compliance burden and apply to companies that provide a certain volume of personal information or “sensitive personal information” overseas.
In an effort to improve the business environment and ease restrictions on CBDT, in March 2024 the CAC released a set of regulations to facilitate data export, which, among other measures, allowed China’s FTZs to implement their own data governance rules. This includes formulating data negative lists to manage data export from the zones.
Beijing is the second city in China to release a data negative list for its FTZ, following Tianjin, which released its own list in May 2024. In May 2024, the Shanghai Lingang New Area released a whitelist of data that can be freely exported from the area.
Contents of the 2024 data negative list
According to the trial implementation measures, data negative lists will always include at least the two following categories of data:
- Category I: Data for which a company must pass a data export security assessment to export. This mainly applies to:
- All CIIOs that export personal information or important data; and
- All companies other than CIIOs that provide important data overseas or provide personal information overseas under circumstances that meet the requirements of the data negative list to undergo a data export security assessment (see data classification below).
- Category II: Data for which a company needs to undergo a third-party personal information export security certification or sign a standard contract to export. This mainly includes:
- Companies (other than CIIOs) that export personal information that meets the requirements of the negative list to conclude a personal information export standard contract or pass the personal information protection certification (see data classification below).
Note that data related to national security, the lifeline of the national economy, important livelihood, and major public interests are classified as “national core data” and are subject to an even stricter management system. These types of data are therefore not included in the negative list.
Meanwhile, the 2024 data negative list itself contains a list of important data and personal information across five industries: automotive, pharmaceuticals, civil aviation, retail and modern services, and artificial intelligence training data. Under each industry, the negative list includes the Category I and Category II data listed above.
Below is a sample of the data categories included in the 2024 data negative list. Note that for personal information, the data negative list outlines the volume of a certain type of personal information that can be exported before a compliance procedure is triggered. Companies exporting an amount of personal information within or in excess of the parameters set in the data negative list will be required to undergo the applicable compliance procedure to continue exporting personal information during a given year.
2024 Data Negative List for the Beijing FTZ (Sample) | ||
Data category | Data sub-categories | Basic characteristics and description of data |
1.1 Automotive industry data requiring a data export security assessment | ||
Important data | 1. Geographic information, personnel flow, vehicle flow, and other data related to important sensitive areas such as military management areas, national defense science and technology units, and party and government agencies at or above the county level; information that should not be made public when providing Internet of Vehicles (IoV) information services to government agencies, military industrial enterprises, and other sensitive and important institutions. | Including but not limited to: vehicle research and development, vehicle testing, and vehicle networking information service scenarios. Includes:
|
2. Data reflecting economic operations such as vehicle flow and logistics. | Including but not limited to: vehicle research and development, vehicle testing, and vehicle networking information service scenarios.
Including road traffic flow data, precise path information of goods flow, etc. |
|
3. Data that can reflect the operation status of the vehicle charging network in a certain area. | Including but not limited to: charging station service scenarios. Including charging pile/station location information, usage status, billing and payment information, charging and swapping vehicle statistics, station statistics, distribution information and other data. | |
4. … | … | |
Personal information | 1. Companies that have exported the personal information of more than 1 million people (excluding sensitive personal information) since January 1 of the current year. | All scenarios. The volume of personal information is calculated based on the statistical results after deduplication of natural persons. The export of data overseas in certain scenarios listed in the Provisions on Promoting and Regulating Cross-Border Data Flows is excluded from the total volume. |
2. Companies that have exported the sensitive personal information of more than 10,000 people since January 1 of the current year. | All scenarios. Sensitive personal information includes ID number, driver’s license number and file number, vehicle track, audio, video, image and biometric features, etc.
The volume of personal information is calculated based on the statistical results after deduplication of natural persons. The export of data overseas in certain scenarios listed in the Provisions on Promoting and Regulating Cross-Border Data Flows is excluded from the total volume. |
|
1.2 Automotive industry data requiring a standard contract or personal information protection certification | ||
Personal information | 1. Companies that have exported the personal information of more than 100,000 people but less than 1 million people (excluding sensitive personal information) since January 1 of the current year | All scenarios. The volume of personal information is calculated based on the statistical results after deduplication of natural persons. The export of data overseas in certain scenarios listed in the Provisions on Promoting and Regulating Cross-Border Data Flows is excluded from the total volume. |
2. Companies that have provided the sensitive personal information of less than 10,000 people since January 1 of the current year. | All scenarios. Sensitive personal information includes ID number, driver’s license number and file number, vehicle track, audio, video, image and biometric features, etc.
The volume of personal information is calculated based on the statistical results after deduplication of natural persons. The export of data overseas in certain scenarios listed in the Provisions on Promoting and Regulating Cross-Border Data Flows is excluded from the total volume.
|
|
2.1 Pharmaceutical industry data requiring a data export security assessment | ||
Important data | 1. Diagnosis and treatment of groups above a certain size, health and physiological conditions, medical rescue and security data, specific drug experimental data, etc. | Including but not limited to: clinical trials, drug development, drug vigilance, diagnosis and treatment services, and medical and health professionals management scenarios. After aggregation, it can be used for big data analysis, such as medical records, imaging, pathology, blood tests, genetic tests, and other medical treatment data involving the life, health, and safety of the people, electronic medical record databases, health archives databases, and the results of the above data mining and analysis, etc. of more than 100,000 people; data on the production, supply, and guarantee of major medical supplies such as important vaccines and strategically important basic drugs; drug experimental data involving national strategic security, and test data related to drug production processes and production facilities. |
2. Biometric data and medical resource data in specific fields, specific groups, and specific areas above a certain scale. | Including but not limited to: clinical trials, drug development, pharmacovigilance, diagnosis and treatment services, and medical and health professional management scenarios. Biometric data includes physical, physiological, or behavioral data; medical resource data includes the number of medical and health institutions, the number of beds, the number of medical, and health personnel, etc. | |
3. … | … | |
Personal information | Companies that have exported the basic personal information, diagnosis, treatment, health, and physiological information of more than 50,000 people since January 1 of the current year | Limited to: clinical trials, drug development scenarios.
Personal information should be processed in accordance with the requirements of the Good Clinical Practice for Drugs. The volume of personal information is calculated based on the statistical results after deduplication of natural persons. The export of data overseas in certain scenarios listed in the Provisions on Promoting and Regulating Cross-Border Data Flows is excluded from the total volume. |
2. Companies that have exported the basic personal information, diagnosis, treatment, health, and physiological information of more than 100,000 patients since January 1 of the current year. | Limited to: pharmacovigilance, product complaints, and medical inquiry scenarios. The patient’s real name and contact information are not included; the patient’s diagnosis, treatment, health, and physiological information includes medical history, allergy history, living habits, adverse reaction event information or description, diagnosis, and treatment records, medication records, test reports, hospitalization records, and other data.
The volume of personal information is calculated based on the statistical results after deduplication of natural persons. The export of data overseas in certain scenarios listed in the Provisions on Promoting and Regulating Cross-Border Data Flows is excluded from the total volume. |
|
3. … | … | |
2.2 Pharmaceutical industry data requiring a standard contract or personal information protection certification | ||
Personal information | 1. Companies that have exported the basic personal information, diagnosis and treatment, and health and physiological information of more than 10,000 but less than 50,000 people since January 1 of that year | Limited to: clinical trials, drug development scenarios.
Personal information should be processed in accordance with the requirements of the Good Clinical Practice for Drugs. The volume of personal information is calculated based on the statistical results after deduplication of natural persons. The export of data overseas in certain scenarios listed in the Provisions on Promoting and Regulating Cross-Border Data Flows is excluded from the total volume. |
2. Companies that have exported the basic personal information, diagnosis, treatment, health, and physiological information of between 10,000 and 100,000 patients since January 1 of the current year. | Limited to: pharmacovigilance, product complaints, and medical inquiry scenarios. The patient’s real name and contact information are not included; the patient’s diagnosis, treatment, health, and physiological information includes medical history, allergy history, living habits, adverse reaction event information or description, diagnosis, and treatment records, medication records, test reports, hospitalization records, and other data.
The volume of personal information is calculated based on the statistical results after deduplication of natural persons. The export of data overseas in certain scenarios listed in the Provisions on Promoting and Regulating Cross-Border Data Flows is excluded from the total volume. |
|
3. … | … |
The data negative list will continue to be reviewed and updated. The municipal management department is tasked with tracking and evaluating the implementation and security risks of the current negative list and coordinating its revision.
The trial implementation measures also call on industries and fields that have not yet issued negative lists to determine the demand for data export and study and formulate negative lists for the corresponding industries and fields.
Data classification guidelines under the trial implementation measures
In addition to the 2024 data negative list, the trial implementation measures provide a reference guide for identifying important data and personal information more generally to help companies operating in the Beijing FTZ understand which of the above-mentioned compliance procedures will apply to the data they are handling.
The data negative list first provides a list of characteristics for identifying important data, which, as mentioned above, requires a data export security assessment to be exported.
Under the trial implementation measures, the following are considered important data:
- The personal information of more than 10 million people (excluding sensitive personal information) held by enterprises in the Beijing FTZ;
- The sensitive personal information of more than 1 million people;
- The personal sensitive information of more than 100,000 people including information on personal bank accounts, insurance accounts, registration accounts, and medical treatment data, and so on;
- The personal information of more than 100,000 people held by CIIOs;
- High-value sensitive data related to industry competitiveness and industry production safety collected and generated by enterprises in the Beijing FTZ during the process of R&D and design, production and manufacturing, and business management;
- Data related to enterprise supply chains that involve national security; and
- The automatic control system parameters, as well as control, operation and maintenance, and test data in areas related to the national economy and people’s livelihoods that are held by enterprises in the Beijing FTZ.
Note that the above guidelines apply to non-confidential data only; confidential data is regulated by separate standards and regulations.
The trial implementation measures next provide a reference catalog of data classification in different industry sectors, including specific examples. Below is a sample of the classification guidelines provided in the reference catalog.
Data Classification Reference Catalog for the Beijing FTZ |
|||
Category | Sub-category | Description of basic data information | Reference rules for identifying important data (example) |
Strategic materials and commodities | Oil, petrochemicals, and natural gas | Includes storage and transaction data, international trade data, etc. | Product output data, international trade data, and other data in the fields of petroleum, petrochemicals, and natural gas that could be used to deduce the operational status, development trends, growth rates, and other aspects of important areas involving national strategic interests.
Strategic reserve data of major agricultural products such as grain, cotton, edible vegetable oil, sugar, meat, and dairy products, as well as unpublished international cooperation data and international trade data; data that may affect biosafety on the categories and quantities of rare and endangered germplasm resources (including genes) of crops, livestock, poultry, and aquatic products; unpublished agricultural and rural statistical data, inspection and monitoring data, epidemic prevention and quarantine data; and geographic information data of a certain level accuracy or that is unpublished. |
Agricultural products | Includes germplasm resource data, international cooperation data, international trade data, strategic reserve data, etc. |
Note there are a total of 13 categories and 41 sub-categories in the reference catalog, covering areas such as natural resources and the environment, industry, national defense, telecommunications, and radio, television, and online audio-visual media.
Procedures for exporting data under the negative list
If a company wishes to export data included in the data negative list, it must submit an application to the corresponding free trade group and comply with certain filing and compliance requirements.
The process for application is as follows:
- Submitting an application: Companies must submit an application to the corresponding free trade group in accordance with the requirements of the supporting implementation guidelines for the negative list of the free trade group where they are located. The application materials must include the place of registration, industry, business conditions, any administrative penalties received during business operations in the past two years, and investigations and rectifications by relevant competent regulatory authorities.
- Filing: Companies that have passed the review shall carry file the use of the negative list in accordance with the supporting implementation guidelines. Filing materials include the business scenarios, data directories, scale, overseas recipients, reasons for the use of the negative list, and data subcategories of the exported data.
- Legal compliance: Companies that have completed the filing may export data in accordance with the research and judgment opinions issued by each free trade group, and cooperate with the municipal management departments and each free trade group to carry out supervision and verification. If the situation surrounding the export of the data changes, the filing must be updated for each free trade group in a timely manner.
Each trade delegation shall review the application materials submitted by companies according to the supporting implementation guidelines. The company will be notified of the review results in writing within five working days, and the trade delegation will assist companies who pass the review to file the usage of the negative list.
Similarly, each trade delegation shall, within five working days of receiving the filing materials from the company, provide preliminary opinions on whether the data to be exported falls under the scope of the negative list. After confirmation by the Beijing FTZ management agency, the company will receive feedback on this matter. If the data to be exported is on the negative list, the trade delegation will guide the company to apply for data export security assessment, sign a standard contract, or obtain personal information protection certification.
If the data to be exported is not on the negative list, the company will be informed that it can be exported freely, in accordance with the trial implementation measures. However, if the data to be exported does not fall under the scope of the negative list (such as if it is from an industry not currently included in the negative list), it will be handled in accordance with current laws and regulations.
The trial implementation measures stipulate that each trade delegation is required to organize professional technical institutions to conduct consistency sampling inspections on the actual data export situation and the filing materials. If the data processor fails to strictly fulfill its commitments when exporting data or conceals, falsely reports, or deliberately causes inconsistencies between the data it has filed and the data it actually exports, each trade delegation may order it to suspend the export activities, require rectification within a time limit, and re-submit the negative list application and filing procedures after the rectification is completed.
In serious circumstances, the company may be ordered to terminate its data export activities, be subject to key supervision measures, and be reported to the municipal management department.
Impact of the data negative list on companies in the Beijing FTZ
The implementation of the data negative list in the Beijing FTZ marks a significant development for companies operating within the zone by offering greater transparency and guidance regarding cross-border data transfer. By clearly delineating the types of data that can be freely exported and those that cannot, the negative list provides companies with much-needed clarity, in particular addressing long-standing concerns about what constitutes “important data.” This added specificity helps companies better navigate the complex landscape of data export compliance, reducing uncertainty and aiding in strategic planning.
However, despite these improvements, the regulations for data export within the listed industries remain stringent. Companies in sectors such as automotive, pharmaceuticals, and artificial intelligence must continue to adhere to detailed compliance procedures for many of their operations.
More generally, while the negative list clarifies regulatory expectations, it does not necessarily reduce the overall compliance burden for many businesses. Companies exporting data classified as “important” or managing high volumes of personal information must continue to meet stringent regulatory standards. As a result, while the data negative list represents progress in terms of regulatory clarity, it does not alleviate the compliance demands placed on businesses within the Beijing FTZ, underscoring the need for ongoing vigilance and careful management of data export practices.
That said, the Beijing FTZ data negative list potentially lays the groundwork for further loosening of regulations in the future. China Briefing will continue to monitor developments regarding CBDT regulations.
About Us
China Briefing is one of five regional Asia Briefing publications, supported by Dezan Shira & Associates. For a complimentary subscription to China Briefing’s content products, please click here.
Dezan Shira & Associates assists foreign investors into China and has done so since 1992 through offices in Beijing, Tianjin, Dalian, Qingdao, Shanghai, Hangzhou, Ningbo, Suzhou, Guangzhou, Dongguan, Haikou, Zhongshan, Shenzhen, and Hong Kong. We also have offices in Vietnam, Indonesia, Singapore, United States, Germany, Italy, India, and Dubai (UAE) and partner firms assisting foreign investors in The Philippines, Malaysia, Thailand, Bangladesh, and Australia. For assistance in China, please contact the firm at china@dezshira.com or visit our website at www.dezshira.com.
- Previous Article How Swedish Companies Navigate China’s Evolving Market with Strategic Localization and Diversification
- Next Article Asia Transfer Pricing Brief: Q2 2024