Skip to content
DCC · DATA COMPLIANCE CHINA China data law, for overseas counsel.
§ 072 · CROSS-BORDER

First Filing Under Shanghai's Citywide Data-Export Negative List: Inditex's China Arm Drops from Security Assessment to Standard-Contract Filing

On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the Inditex group entity behind ZARA and Pull&Bear in China — received Shanghai's first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued under the Shanghai Data-Export Negative List Administrative Measures, cleared jointly by the Shanghai CAC and the Shanghai Data Bureau after same-day district-level initial review at the Jing'an District Cross-Border Data Service Center. The practical effect: member-information exports that previously sat in Data Export Security Assessment territory now clear on a Personal Information Standard Contract filing. DCC reads the case as the first operational proof of Shanghai's two policy moves — negative-list eligibility extended citywide beyond Pudong-registered enterprises, and volume thresholds inside listed scenarios (retail member management) raised so that non-sensitive member data between 1 and 10 million individuals falls to the standard-contract/certification tier. For overseas retail groups running membership programs out of China, this is the template case.

Editor’s Note — DCC.

This brief covers a single government press item: 网信上海 (the official account of the Shanghai municipal cyberspace administration) announced on June 26, 2026 the first filing completed under Shanghai’s expanded data-export negative-list policy. DCC read it via the 数据何规 repost, whose editor added a short gloss and two threshold-table excerpts from the underlying negative list; the structural framing below is DCC’s.

For the mechanism itself — Article 6 of the 2024 Provisions on Promoting and Regulating Cross-border Data Flows and the FTZ negative lists it authorized — see DCC’s explainer on the 17-sector FTZ negative-list landscape.

What happened

On June 26, 2026, ITX Asia Pacific Enterprise Management Co., Ltd. (爱特思亚太企业管理有限公司) — the China management entity of Inditex, the world’s largest fashion retailer and owner of ZARA and Pull&Bear — passed the filing review conducted by the Shanghai CAC and the Shanghai Data Bureau and received the city’s first data-export negative-list filing result notice (数据出境负面清单备案结果通知书) issued since the Shanghai Data-Export Negative List Administrative Measures (上海市数据出境负面清单管理办法) and its supporting documents took effect.

The filing was prepared under the guidance of the Jing’an District Cross-Border Data Service Center (静安区数据跨境服务中心), which the press release credits with policy interpretation, helping the company map its outbound data items against the negative list, and answering scope-and-counting questions (whether order information counts as personal information; how to count outbound volume). District-level initial review was completed the same day the materials were submitted.

The substantive effect, per the press release: ITX Asia Pacific’s member-information exports — cross-border order processing, customer communications, supply-chain coordination — previously required a Data Export Security Assessment declaration. Under the negative-list rules, the same flows now clear on a Personal Information Standard Contract filing — one tier down, with what the company describes as substantial savings in time and compliance cost for cross-border operations and unified global management.

The two policy moves the case proves out

The 数据何规 editor’s gloss identifies the first move: Shanghai had earlier expanded the applicable scope of its data-export negative list citywide — an enterprise no longer needs to be registered in Pudong to invoke it. ITX Asia Pacific filed through Jing’an, not Pudong; the first case is itself the demonstration that the citywide extension is operational.

The second move is inside the list: the thresholds. The baseline regime that the press release recites is the familiar one under the Provisions on Promoting and Regulating Cross-border Data Flows — cumulative outbound personal information of 100,000+ individuals in a calendar year requires a Standard Contract filing with the provincial cyberspace administration; 1,000,000+ pushes the handler up into the Data Export Security Assessment. The negative list re-draws those bands for listed scenarios. The excerpt tables attached to the repost — from the retail/catering/accommodation sector list, member-management scenario (会员管理场景) — show the standard-contract/certification tier reaching much higher:

  • Non-sensitive member personal information of 1,000,000 to under 10,000,000 individuals (cumulative from January 1 of the current year) sits in the Standard Contract filing / Personal Information Protection Certification tier — volumes that under the baseline rules would have required a security assessment. The listed data items are the standard membership-CRM inventory: name, nickname, contact details, member account and user ID, membership level, birthday, order numbers, product preferences, and purchase records that do not directly reveal personal asset positions.
  • Narrow bands of sensitive personal information tied to the same scenario (member login credentials; card information limited to last four digits plus validity) get their own raised band, and residual personal information outside those items follows a band tracking the baseline (100,000 to under 1,000,000 non-sensitive, or under 10,000 sensitive).
  • Counting is deduplicated by natural person, and flows falling within the exemption articles of the 2024 Provisions (Articles 3, 4, and 5(1)(i) through (iii)) are not counted toward the volumes.

That is the mechanics of “首例落地”: the company’s member-data volume put it in assessment territory under the baseline bands, and the negative list’s scenario-specific bands moved the same flows down to a filing.

Why the case matters beyond one retailer

  • The archetype is the foreign retail membership program. The first negative-list beneficiary is not a Chinese platform but a foreign multinational’s China entity exporting member/CRM data for global operations. That is precisely the fact pattern the retail-sector list’s member-management scenario was written for, and it is the fact pattern shared by most overseas consumer-brand groups operating in China.
  • The district service center is the operational interface. The filing ran through a district cross-border data service center — policy briefings (Jing’an has held four, covering 100+ enterprises), item-mapping guidance, same-day district initial review — before the municipal-level review by the Shanghai CAC and the Shanghai Data Bureau. Enterprises planning a filing should expect and use that front door.
  • Citywide eligibility is confirmed in practice. The negative list began as an FTZ instrument under Article 6 of the 2024 Provisions. Shanghai has now shown a non-Pudong-registered enterprise completing the process end-to-end. The press release closes with the Shanghai CAC instructing districts to keep promoting negative-list adoption — this is a policy the city wants used.

What overseas compliance teams should do with it

  1. Re-run the tier analysis for Shanghai entities. If a Shanghai-registered entity (any district) exports scenario-listed data — retail membership data being the proven example — check whether the negative list’s bands move a planned or completed security-assessment posture down to a Standard Contract filing, or a filing posture down to exemption.
  2. Mind the counting rules. Volumes are counted cumulatively from January 1, deduplicated by natural person, and exclude flows already exempt under the 2024 Provisions — the arithmetic that decides the tier is itself defined by the list.
  3. The filing still gets reviewed. This is a 备案 (filing) with a result notice issued after joint review by the Shanghai CAC and the Shanghai Data Bureau — lighter than an assessment, but not a self-declaration. Item mapping against the list (which data items, which scenario, which band) is the substance of the review.

网信上海 (Cyberspace Administration Shanghai), 上海负面清单扩大政策首例落地 (First Case Lands Under Shanghai’s Expanded Negative-List Policy), June 26, 2026, read via the 数据何规 WeChat Official Account repost. Repost with editor’s gloss (Chinese).

Not legal advice. Threshold descriptions above are transcribed from excerpt images attached to the repost and may be partial; the published Shanghai negative list and its supporting documents are authoritative.

— Not legal advice.


§ SUBSCRIBE

The Monday brief.

One short email every Monday. New briefs on Chinese data-compliance rules from the previous week, with the source law cited.

Opt-in only. Unsubscribe anytime by replying "unsubscribe" to any issue.