Data policies for free trade zones

On 22 March 2024, the Cyberspace Administration of China (CAC) issued the Provisions on Promoting and Regulating Cross-border Data Transfers (CBDT Provisions), which authorised free trade zones (FTZs) to formulate local “negative lists” for data exports. Under this framework, business entities in the FTZs can transfer data falling outside the negative list abroad without undergoing China’s cross-border data transfer (CBDT) mechanisms. To date, 10 provincial-level FTZs have issued negative lists. While these FTZ regimes provide greater flexibility for CBDT compliance, companies must satisfy certain conditions, such as operating in specific industry sectors and being registered in FTZs (which are usually not in the central business districts of the relevant cities), to qualify for the FTZ policies.

In May 2026, the municipal governments of Beijing and Shanghai updated their negative lists, widening geographical coverage so that companies qualifying for the FTZ relaxations are not limited to those which are established and registered in the FTZs. Moreover, the relaxations under the updated negative lists cover more sectors compared with those released in 2024. Business entities in Beijing and Shanghai can now enjoy streamlined CBDT procedures and lower compliance costs.

In this client alert, we summarise the key changes introduced by these updated negative list mechanisms and discuss the practical steps companies can take to leverage them.

Beijing

The Beijing municipal government first adopted its negative list and corresponding administrative measures (Beijing Negative List) on 28 August 2024. This was replaced by a second version issued on 8 May 2026.

Under the second version of the Beijing Negative List, the regime applies to entities incorporated in Beijing whose cross-border data transfers relate to any of the following nine industries: (a) automotive; (b) pharmaceuticals; (c) retail; (d) civil aviation; (e) artificial intelligence; (f) medical devices; (g) autonomous driving and intelligent connected vehicles (ICVs); (h) trade and logistics; and (i) banking. Industries (f)-(i) were newly added in the second version. The Beijing Negative List breaks down these nine industries into 67 business scenarios and 612 data fields, each with descriptions and application guidance.

The Beijing Negative List has also raised the threshold for CAC-led security assessments, Chinese SCCs or Certification. Under the CBDT Provisions, where an entity transfers sensitive personal data outside China, it must adopt Chinese Standard Contractual Clauses (SCCs) or obtain certification. Where the number of affected data subjects is more than 10,000, it must undergo a CAC-led security assessment. However, the Beijing Negative List has raised this threshold in some scenarios, allowing more companies to choose Chinese SCCs or certification instead of the more burdensome security assessment. Taking clinical trials as an example, if a company transfers the health care information of more than 10,000 but fewer than 50,000 research subjects outside China, it may choose Chinese SCCs or certification, instead of going through the security assessment.

To benefit from the Beijing Negative List, companies must submit an online filing through the platform operated by the Beijing municipal government. Compared to the requirements under the previous version, and especially the CAC-led security assessment and SCC regime, the information and materials required under the new version of the Beijing Negative List have been significantly simplified. Companies need only complete the application form, sign the commitment letter based on the government template and, where applicable, provide supporting documents on their data security capabilities. Regulators will provide preliminary comments within 10 working days. If the regulators give the green light after review, the company may transfer the data abroad without the need to go through any other CBDT governmental approval or SCC filing process, unless there is a material change to the transfer scenario. The filing remains valid for three years, subject to further extension upon application by the company. 

Shanghai

The Shanghai municipal government first adopted its negative list and corresponding administrative measures (Shanghai Negative List) on 8 February 2024. This was replaced by a second version issued on 24 April 2026.
The mechanism of the Shanghai Negative List is generally the same as that of the Beijing Negative List, except for the following points:

• The Shanghai Negative List covers only four industries – reinsurance, international shipping, trade and commerce (retail, catering, and hospitality), and meteorology – which are further divided into nine business scenarios, 29 data fields, and 109 data items.
• The application process is even more straightforward than for Beijing, as the application form requires less information and companies do not need to submit any supporting documents on data security capabilities.
• The filing obtained under the Shanghai Negative List does not specify a validity period, but companies are required to submit an annual report. 

Business implications and next steps.

Relaxations of the FTZ negative lists in Beijing and Shanghai represent a significant positive development for businesses. In the past, the benefits were geographically limited to companies registered in the FTZs. However, most companies, in particular multinational companies, maintain their Chinese headquarters in the heart of these cities rather than in FTZs. By extending the FTZ negative lists across the entire municipality, more companies can enjoy these benefits without relying on China’s CBDT legal regimes, i.e., regulator-led security assessments, Chinese SCC filings, and third-party certification.

Companies need to take steps to fully leverage these benefits. First, companies should conduct thorough data mapping to determine whether the negative lists apply to them. Where applicable, companies must file with the local CAC, which is a straightforward process requiring basic information such as the data to be exported, its frequency and volume, and information on the overseas recipient. If the negative lists are not applicable, companies must still undergo a CAC-led security assessment, file Chinese SCCs, or obtain third-party certification. For ease of reference, we have prepared the flow chart here.

For example, a multinational medical device manufacturer located in central Beijing (i.e., outside the FTZs) transfers the personal data of 30,000 research subjects outside China for clinical trials in the current year. In the past, the company had to undergo a CAC-led security assessment because the transfer involved sensitive personal information and the number of data subjects exceeded 10,000. Now, by leveraging the expanded Beijing Negative List, the company may adopt Chinese SCCs for cross-border data transfers after filing with the local CAC. The compliance burden is significantly reduced, as Chinese SCCs are more straightforward than a CAC-led security assessment. Additionally, the company may freely transfer data that does not fall within the scope of the Beijing Negative List outside China freely after completing the filing.

Although the negative list alleviates the burden of CBDT compliance on business entities, it does not exempt them from other baseline data protection obligations under China’s Personal Information Protection Law, Cybersecurity Law, and Data Security Law, as well as other applicable regulations. Companies must establish a legal basis for data collection by providing notice to, and obtaining required consent from, data subjects; complete personal information compliance audits; conduct impact assessments for cross-border data transfers; execute data transfer agreements with recipients; implement appropriate technical and organisational measures, such as access controls and data encryption; establish procedures for the exercise of data subject rights; and develop systems for responding to data breaches and cyber incidents.

China’s data landscape is changing rapidly. Beijing and Shanghai, China’s two most pivotal cities, with dynamic digital economies and home to many international companies operating in the country, are being actively encouraged by the central government to experiment with regulatory sandboxes and other innovative governance initiatives. As a result, businesses are strongly advised to closely monitor regulatory and enforcement developments and adapt their data compliance and business strategies in a timely manner. This helps ensure they can fully leverage the latest policy relaxations while remaining compliant with evolving regulations.

Client Alert 26-114