FTZ Data Export Negative Lists — How 17 Sectors Across Seven Provinces Now Identify Important Data

Editor’s Note — DCC.

Article 6 of the 2024 Provisions on Promoting and Regulating Cross-Border Data Flow authorized Free Trade Zones to publish their own data-export negative lists — data on the list requires the standard CAC pathways (security assessment / SCC / certification); data off the list flows freely. In the 18 months since, seven FTZs have published negative lists covering 17 sectors and dozens of business scenarios. The Compliance Talker team produced one of the cleanest practitioner overviews. DCC’s framing emphasizes what overseas multinationals should be doing operationally to take advantage of the regime.

The negative-list mechanism, in one paragraph

Article 6 of the 2024 CBDF Provisions delegates to Free Trade Zones the authority to publish jurisdictionally specific data-export negative lists. Within the FTZ, data falling on the negative list requires the standard CAC cross-border pathway (security assessment for important data and large-volume PI; SCC for medium volumes; certification for voluntary alternative paths). Data falling off the negative list is exempt from these pathways and can flow cross-border without the standard formalities.

The mechanism is the most operationally impactful piece of the 2024 CBDF Provisions for cross-border-data compliance. It is also explicitly experimental — the FTZs are policy laboratories for an eventual nationally generalized framework.

What’s been published

As of August 2025 (the Compliance Talker article’s publication date), seven FTZs across China have published data-export negative lists:

• Tianjin (first published 2024)
• Beijing (2024 FTZ-only version, then 2025 city-wide expansion to “1+9” architecture covering 9 sectors / 67 scenarios / 612 fields — see DCC’s tracking)
• Hainan
• Shanghai (with the Lingang New Area piloting a positive list mechanism alongside)
• Zhejiang
• Fujian (Pingtan area, with positive + negative lists)
• Additional FTZs in various stages of publication

Coverage spans 17 sectors / sub-sectors: automotive, pharmaceuticals, retail, civil aviation, reinsurance, deep-sea industry, seed industry, medical devices, autonomous driving / intelligent connected vehicles, trade logistics, banking, AI, biopharma, and others.

The Compliance Talker team’s note on dominance: while the Lingang positive-list approach is theoretically interesting, “in independent published documents, the negative-list format is overwhelmingly dominant.” The negative-list model has become the de facto standard.

Three structural patterns across the published lists

Pattern 1 — Structural convergence in format

Outside the Tianjin 2024 list (which was a first-mover and used a different format), every subsequent FTZ negative list adopted a common structure:

Industry (with applicable enterprise types) → Cross-border path required (security assessment / SCC / certification) → Data category (important data / personal information) → Data sub-class → Basic features and description

This convergence is regulator-led, per the CAC’s April 9, 2025 Q&A on Data Export Security Management Policy, which emphasized coordination and the avoidance of conflicting requirements across FTZs for the same data activity.

Pattern 2 — Sector selection reflects local economic priorities

Each FTZ selects sectors aligned with its strategic positioning:

• Shanghai FTZ — focuses on reinsurance, international shipping, and retail (including hospitality / dining / lodging) — sectors aligned with Shanghai’s international finance and shipping hub positioning.
• Beijing FTZ — automotive, pharmaceuticals, civil aviation, retail, AI initially; expanded to 9 sectors in 2025 covering medical devices, autonomous driving, trade logistics, banking — tracking the National Demonstration Zone for Service-Sector Opening.
• Hainan FTZ — focuses on duty-free retail and clearance shopping personal-information export — aligned with Hainan’s free-trade-port positioning.
• Tianjin FTZ — first-mover, with auto-industry focus.

Same industries appear across multiple FTZs, but with different scope and scenario emphasis. For example: both Shanghai and Hainan include retail-related personal data export — but Hainan focuses on duty-free / clearance shopping scenarios while Shanghai restricts to membership management scenarios.

Pattern 3 — Dynamic update mechanisms

Each FTZ negative list explicitly provides for dynamic management. The Beijing 2024 list (Article 9) is representative:

“The negative list shall be subject to dynamic management. For industries / sectors where no negative list has been issued, the corresponding negative list shall be timely studied and formulated.”

The mechanism allows the regulator to (a) add new sectors to the list as data-economy needs evolve, and (b) loosen restrictions on low-risk scenarios within existing sectors based on implementation experience.

How the negative lists refine important-data identification

The Compliance Talker team’s most useful contribution: showing how each negative list operates as a public important-data catalogue for its sector. Under the 2024 CBDF Provisions Article 2, publicly published identification of data as important data is sufficient to trigger the important-data export regime.

As of May 30, 2025, the FTZs have published important-data catalogues for 15 sectors / sub-sectors. Some examples:

Automotive (Beijing FTZ 2024 — refined from the 2021 Automotive Data Provisions)

The Beijing FTZ list refined the 2021 Provisions on Automotive Data Security Management’s broad catalogue of “automotive charging network operational data” into operational granularity:

“Charging post / station location information; usage status; billing and payment information; switching-station vehicle statistics; site statistics; distribution information; and other data.”

The result: enterprises can now map their automotive data inventory against specific field-level catalogues, not against high-level category descriptions.

AI sector (newly published)

For the first time, the FTZ negative lists publish a sector-specific important-data catalogue for AI. The Beijing list specifies:

• High-value sensitive data collected and generated during R&D / design related to industry competitiveness.
• Audio, image, and text data the alteration, destruction, leakage, or illegal acquisition / use of which may endanger national security, economic operation, social stability, public health, or safety.
• Data included in export control or technology-export management lists.

Medical / pharmaceutical (Beijing 2024)

The 2024 Beijing list specified important medical data with quantitative thresholds:

“…10,000-individual-or-more medical records, imaging, pathology, blood-test, and genetic-test diagnostic data involving public health and safety.”

The “certain scale” framing of the underlying Network Data Security Regulation gets quantified — 10,000 individuals.

The Compliance Talker team’s framing: “This framework structure aligns well with enterprise data classification and grading workflows. It converts abstract important-data compliance requirements into operationalizable, executable concrete rules.”

The cross-border export process — what FTZs change

For Beijing, Zhejiang, and Shanghai (the three FTZs the Compliance Talker team analyzes for filing procedure):

Beijing and Zhejiang FTZ — sequential filing model

1. Data handler submits application to the FTZ administrative committee (registration location, sector, operating status, recent administrative penalties / regulatory investigations / remediation status).
2. Upon approval, data handler submits negative-list filing (data export business scenario, list of data being exported, export volume, overseas recipient, applicable negative-list sub-class, reason for applicability).
3. Based on the FTZ committee’s evaluation opinion, the data handler conducts data export.
4. If the data is on the negative list (i.e., is identified as important data), the data handler files data-export security assessment with the national CAC.

Shanghai FTZ — post-export reporting model

Shanghai’s negative list permits FTZ enterprises to conduct data export first and submit negative-list materials within 15 working days to the local cross-border data service center. The Shanghai approach is slightly more permissive on timing — but the substantive reporting and oversight requirements are similar.

The Compliance Talker team’s framing: the FTZ filing is a substitute for the sector-regulator identification step in the standard important-data export workflow. The FTZ committee replaces the sector regulator as the identification authority; the standard CAC security assessment process continues afterward.

The substantive simplification is limited. The FTZ negative list provides clarity on important-data identification — but does not bypass the security assessment itself. For enterprises whose data is on the negative list as important data, the FTZ benefit is clarity in classification, not exemption from review.

Impact and operational guidance

For enterprises inside an FTZ with published negative lists

• High direct impact. The negative list applies specifically to enterprises registered in the FTZ. Enterprise data falling on the list gets clarified important-data status; enterprise data falling off gets a much simpler cross-border export path.
• For sectors covered:
  • Important-data identification benefit: the published catalogue provides an authoritative external reference. Use it to organize the enterprise’s important-data inventory.
  • Cross-border path benefit: where the enterprise’s data falls off the negative list, cross-border export proceeds without standard CAC procedures.
• For sectors not yet covered:
  • Identification still uncertain. Enterprises remain in the position of self-assessing whether their data is “important data,” without authoritative reference.
  • Cross-border path uncertain. Enterprises still need sector-regulator identification (where available) or self-assessment to determine whether the standard security assessment applies.

For enterprises outside an FTZ

• Indirect impact, but useful as reference. The negative lists are published documents. Enterprises in the same sector outside the FTZ can use them as identification reference — the lists effectively become the most operational important-data catalogue currently available in that sector.
• Watch for cross-province negative-list adoption. Some FTZs (Beijing 2025) have begun adopting other provinces’ negative lists for enterprises operating across provinces. This pattern, if it spreads, will let enterprises in non-FTZ jurisdictions effectively benefit from FTZ negative-list infrastructure.

Why this matters for overseas teams

Three operational takeaways:

• FTZ registration is now a serious cross-border-data strategic lever. Foreign-invested entities with significant cross-border data flows should evaluate whether registering operations in a covered FTZ (especially Beijing post-2025 expansion or Shanghai) materially reduces compliance friction. For data-heavy sectors (auto, pharma, biotech, AI, banking), the negative-list path is operationally cheaper than the standard CAC security assessment.
• The FTZ catalogues are the best important-data identification reference available. Even for enterprises operating outside any FTZ, the published negative lists are the most authoritative sector-specific important-data catalogues currently in existence. Use them as identification reference; document the analysis.
• Watch the dynamic update mechanism. Each FTZ’s negative list will continue to be updated. Compliance teams should set up monitoring of the relevant FTZ administrative committees’ announcement channels and review the negative list annually at minimum.

The deeper point in the Compliance Talker piece is that China’s cross-border data regime is genuinely tiering through the FTZ mechanism. The 2024 CBDF Provisions framework is becoming a two-track system: standard CAC pathways for cross-border export plus FTZ negative-list pathways for FTZ-registered entities in covered sectors. Multinationals that ignore the FTZ track will operate against unnecessary friction; those that build their China presence around an FTZ footprint will operate at materially lower compliance cost.

— Compliance Talker (合规小叨客) Global Legal Policy Research Team, 原创 || 我国自贸区相继发布数据出境负面清单，企业重要数据管理影响几何？ (China’s FTZs Successively Publish Data Export Negative Lists — How Will Enterprise Important Data Management Be Affected?), 合规小叨客 WeChat Official Account, August 12, 2025. Original article (Chinese).

Not legal advice. The above is DCC’s structured summary of the source article’s analysis; not a verbatim translation. The source carries an original-content non-republish clause and is summarized here under fair-use principles with full attribution.