China’s Free Trade Zones Pioneer Data Export Liberalization Through Negative List Approach: A Paradigm Shift in Cross-Border Data Governance

Introduction: From Fragmented Pilots to National Framework

On September 24, 2025, China’s Ministry of Commerce (MOFCOM), Cyberspace
Administration of China (CAC), and seven other government agencies jointly issued
measures to promote service exports, including a groundbreaking proposal to
establish a unified national negative list for data exports from Free Trade Zones (FTZs).

This development represents a potential watershed moment in China’s approach to
cross-border data governance, signaling a shift from the current fragmented pilot
regime toward a centralized, business-friendly framework that could significantly ease
compliance burdens for multinational companies while maintaining essential data
security protections. For international law firms advising clients on China data
compliance and cross-border operations, this policy evolution demands immediate
attention and strategic recalibration.

The negative list approach to data exports represents a fundamental departure from
China’s traditional comprehensive licensing regime for cross-border data transfers.
Under the existing national framework established by the Personal Information
Protection Law (PIPL) and Data Security Law (DSL), companies must navigate complex
compliance procedures—including CAC security assessments, third-party
certifications, or standard contracts—for virtually all cross-border personal
information and important data transfers. The FTZ negative list pilots flip this
paradigm, defining specific categories of data that require compliance procedures
while allowing other data to be transferred overseas with greater ease and reduced
administrative burden.

Since the first FTZ negative list was introduced in Tianjin in May 2024, eight FTZs have
implemented their own lists, each reflecting different industry focuses and regulatory
approaches. The September 2025 call for a unified national negative list represents the
next evolutionary stage, promising to bring coherence to what has been a fragmented
landscape of varying requirements across different zones. For multinational
corporations with operations spanning multiple FTZs, this unification could eliminate
the complexity of navigating different compliance standards in different locations,
replacing it with a single, predictable framework applicable across all designated
zones.

The Evolution of FTZ Data Export Regimes: From Tianjin to National Unification


Understanding the current state of FTZ data export liberalization requires tracing the
evolution from the pioneering Tianjin model through subsequent zone-specific
implementations to the proposed national framework. This evolution reflects China’s
characteristic approach of testing regulatory innovations in limited geographic areas
before potential nationwide expansion, allowing policymakers to refine approaches
based on practical experience while managing risks associated with untested
frameworks.

The Tianjin FTZ negative list, implemented in May 2024, established the foundational
model that subsequent zones have adapted to their specific circumstances. Tianjin’s
approach divides data into two categories based on the level of compliance required.
List 1 identifies data requiring CAC security assessment—the most stringent
compliance procedure—including 13 broad categories ranging from strategic materials
and natural resources to certain volumes and types of personal information. List 2
identifies data requiring either standard contracts or third-party certification—lighter
compliance burdens—for specific volumes of personal information that fall below the
thresholds triggering security assessment requirements.

The Tianjin model’s significance lies not only in its specific categorizations but in its
methodological approach. By explicitly defining which data requires which
compliance procedures, the negative list creates certainty about regulatory obligations
and implicitly permits freer transfer of data not appearing on the lists. This represents
a substantial shift from the national regime’s approach, which establishes broad
categories of data subject to compliance requirements without clearly delineating
what falls outside those requirements. The negative list’s clarity enables companies to
conduct more confident compliance assessments and to identify opportunities for
streamlined data transfers.

Following Tianjin’s pioneering effort, seven additional FTZs have introduced negative
lists, each reflecting different strategic priorities and industry focuses. Beijing’s FTZ
negative list, implemented in August 2024, covers five industries: automotive,
pharmaceuticals, civil aviation, retail and modern services, and AI training data. This
industry-specific approach reflects Beijing’s position as a hub for technology and
advanced manufacturing, targeting sectors where cross-border data flows are
particularly critical for business operations. Shanghai’s Lingang FTZ, implementing its
list in February 2025, focuses on reinsurance, international shipping, and commerce
sectors, reflecting Shanghai’s role as a financial and logistics center.

The diversity of FTZ approaches creates both opportunities and challenges. On one
hand, zone-specific lists enable tailoring to local industry characteristics and can
facilitate experimentation with different regulatory models. Companies operating in
sectors covered by specific FTZ lists may benefit from compliance frameworks
designed with their industry’s particular needs in mind. On the other hand, the
fragmentation creates complexity for companies operating across multiple FTZs,
requiring navigation of different standards and potentially limiting the ability to
establish unified data governance frameworks across Chinese operations.

The Proposed National Negative List: Toward Unified Cross-Border Data Governance


The September 24, 2025 joint agency measures calling for exploration of a national
negative list for data exports from FTZs represent the logical next step in this
evolutionary process. A unified national list would address the fragmentation
challenges inherent in the current zone-specific approach while preserving the
negative list methodology’s benefits for business operations. The proposal reflects
recognition that while FTZ pilots have demonstrated the negative list approach’s
viability, realizing its full potential requires moving beyond fragmented
implementation toward a coherent national framework.

The structure and content of a potential national negative list remain subject to
development, but the existing FTZ lists provide important indications of likely
approaches. A national list would likely need to accommodate the diverse industry
focuses reflected in current zone-specific lists while establishing consistent baseline
standards applicable across all FTZs. This might involve a tiered structure with core
categories applicable to all zones supplemented by industry-specific provisions
relevant to particular sectors or regions.

The national list would also need to address the relationship between FTZ data export
rules and the broader national data protection framework. The negative list approach
does not replace PIPL, DSL, or Cybersecurity Law requirements; rather, it provides a
streamlined compliance pathway for data exports from designated FTZs. A national
negative list would need to clearly articulate this relationship, specifying how FTZ
provisions interact with national requirements and under what circumstances
companies can rely on FTZ frameworks rather than national compliance procedures.

The development of a national negative list also raises important questions about
scope and coverage. Current FTZ lists apply only to data exports from enterprises
registered in the respective zones, limiting benefits to companies with FTZ presence. A
national framework might maintain this geographic limitation, creating incentives for
companies to establish FTZ operations to access streamlined data export procedures.
Alternatively, policymakers might consider broader application to maximize the
framework’s economic benefits, though this could raise concerns about undermining
the national compliance regime’s effectiveness.

The timeline for national negative list development remains uncertain. The September
2025 measures call for “exploring” such a framework, language suggesting that
detailed policy development is still underway. However, the momentum created by
successful FTZ pilots and the clear articulation of national unification as a policy
objective suggest that concrete proposals may emerge in the coming months.
Companies and their legal advisors should monitor regulatory developments closely
and prepare to adapt compliance strategies as the national framework takes shape.

Compliance Implications: Navigating the Dual-Track Data Export Regime


The emergence of FTZ negative lists creates a dual-track regime for cross-border data
exports in China, with different compliance pathways available depending on
companies’ geographic presence and the nature of their data transfers. Understanding
and effectively navigating this dual-track system is essential for multinational
companies seeking to optimize their data governance frameworks while ensuring full
regulatory compliance.

For companies with operations in FTZs that have implemented negative lists, the first
step involves determining whether their data exports qualify for the streamlined FTZ
framework. This requires analyzing whether the exporting entity is properly registered
in the FTZ, whether the data being transferred falls within categories specified in the
negative list, and whether the transfer triggers requirements for security assessment,
certification, or standard contracts under the FTZ framework. Companies must
maintain detailed documentation of these determinations to demonstrate compliance
if questioned by regulators.

When data exports fall within FTZ negative list categories requiring compliance
procedures, companies must ensure they satisfy the specified requirements. For data
requiring CAC security assessment, companies must submit applications providing
detailed information about data types, volumes, overseas recipients, security
measures, and potential risks. The assessment process can be lengthy and outcome
uncertain, requiring careful preparation and potentially significant lead time before
data transfers can commence. For data requiring certification or standard contracts,
companies must engage with approved certification bodies or execute CAC-approved
standard contracts with overseas recipients, each involving specific procedural
requirements and documentation.

Critically, companies must also evaluate whether data exports not appearing on FTZ
negative lists can proceed without compliance procedures, or whether national
framework requirements still apply. The relationship between FTZ and national
regimes on this question remains somewhat ambiguous. While the negative list
approach suggests that unlisted data can be transferred more freely, companies
should exercise caution and consider whether national PIPL or DSL requirements
might still apply based on data sensitivity, volume, or other factors. Conservative
compliance approaches might involve treating FTZ frameworks as providing
streamlined procedures for listed data while continuing to apply national standards to
unlisted data, at least until regulatory guidance provides greater clarity.

For companies without FTZ presence, the negative list developments create strategic
considerations about whether establishing FTZ operations could provide data
governance benefits justifying the investment. Companies with significant
cross-border data transfer needs should evaluate whether their data falls within categories
covered by FTZ negative lists and whether the compliance simplification would
provide meaningful operational or cost advantages. This analysis must consider not
only direct compliance costs but also factors including operational flexibility,
time-to-market for data-dependent services, and competitive positioning relative to
companies leveraging FTZ frameworks.

The dual-track regime also creates opportunities for strategic data architecture
decisions. Companies might structure their Chinese operations to concentrate data
processing activities in FTZ entities, enabling maximum utilization of streamlined
export procedures. They might establish data processing agreements between FTZ
and non-FTZ entities to channel data exports through FTZ pathways. They might
adjust their data collection and processing practices to align with FTZ negative list
categories, potentially restructuring data flows to maximize coverage under
streamlined procedures. Each of these strategies requires careful legal and operational
analysis to ensure compliance while achieving desired business outcomes.

Strategic Implications for Multinational Corporations and Service Exporters


The evolution toward a national negative list framework for FTZ data exports carries
profound strategic implications for multinational corporations and service exporters
operating in or connected to China’s market. These implications span immediate
operational decisions, medium-term compliance program development, and
longer-term strategic positioning in China’s data-driven economy.

Operational Location Decisions
The availability of streamlined data export procedures in FTZs creates new
considerations for operational location decisions. Companies establishing new
Chinese operations or restructuring existing ones should evaluate whether FTZ
locations offer data governance advantages that justify any additional complexity or
cost associated with FTZ establishment. This evaluation should consider the specific
industries and data categories covered by relevant FTZ negative lists, the volume and
frequency of anticipated cross-border data transfers, and the potential compliance
cost savings and operational flexibility gains from FTZ frameworks.

For companies in industries specifically addressed by FTZ negative lists—such as
automotive, pharmaceuticals, reinsurance, or AI development—FTZ locations may
offer particularly compelling advantages. These industries often involve substantial
cross-border data flows essential to business operations, including technical data
sharing with overseas partners, cross-border R&D collaboration, and international
service delivery. The ability to conduct these data transfers through streamlined FTZ
procedures rather than complex national compliance processes could provide
significant competitive advantages in speed to market, operational efficiency, and cost
management.

Compliance Program Architecture
The dual-track data export regime necessitates sophisticated compliance program
architecture capable of navigating both FTZ and national frameworks. Companies
should develop compliance processes that can accurately determine which framework
applies to specific data transfers, ensure appropriate compliance procedures are
followed for each pathway, and maintain comprehensive documentation
demonstrating regulatory adherence. This may require investment in compliance
technology platforms capable of tracking data flows, applying complex decisional
logic to determine applicable requirements, and generating required documentation
for different compliance pathways.

Compliance programs should also incorporate mechanisms for monitoring regulatory
developments and adapting to evolving requirements. The transition from fragmented
FTZ pilots to a potential national negative list framework will likely involve regulatory
adjustments, interpretive guidance, and enforcement precedents that shape practical
compliance requirements. Companies must establish processes for tracking these
developments and updating compliance procedures accordingly, ensuring that their
data governance frameworks remain aligned with current regulatory expectations.

Service Export Strategy
For companies engaged in cross-border service delivery—including cloud computing,
data analytics, software-as-a-service, and other data-intensive services—the FTZ
negative list framework creates opportunities to enhance service export capabilities.
By establishing service delivery operations in FTZs and structuring data flows to
leverage streamlined export procedures, companies can potentially reduce
compliance friction that might otherwise impede service delivery. This could enable
faster service deployment, more flexible service configurations, and more competitive
pricing compared to approaches requiring complex national compliance procedures
for each data transfer.

The September 2025 joint agency measures explicitly link FTZ data export
liberalization to service export promotion, signaling government intent to leverage
streamlined data governance as a tool for enhancing China’s service trade
competitiveness. Companies aligned with this policy objective may find regulatory
authorities receptive to innovative approaches that facilitate service exports while
maintaining appropriate data protection standards. Engaging with FTZ administrators
and relevant regulatory agencies to explore such approaches could yield competitive
advantages and contribute to shaping the evolving regulatory framework.

Long-Term Strategic Positioning
Beyond immediate operational and compliance considerations, the FTZ negative list
evolution signals broader trends in China’s data governance that should inform
long-term strategic positioning. The shift toward more business-friendly frameworks in
designated zones suggests recognition that excessive compliance burdens can impede
economic objectives, particularly in data-intensive industries critical to China’s
development priorities. Companies that position themselves to benefit from this
liberalization trend—through FTZ presence, alignment with priority industries, and
engagement with regulatory development processes—may gain advantages as the
framework continues to evolve.

However, companies should also recognize that liberalization in FTZs coexists with
continued stringent requirements under the national framework and ongoing
emphasis on data security and sovereignty. The dual-track approach reflects a
calibrated strategy of enabling data flows where economic benefits are clear while
maintaining strict controls where security concerns predominate. Long-term success
requires navigating this balance, leveraging liberalization opportunities while
maintaining robust data protection practices that address legitimate regulatory
concerns and build trust with Chinese authorities and stakeholders.

Conclusion: Embracing the Negative List Paradigm While Managing Transition Complexity


China’s evolution toward a national negative list framework for FTZ data exports
represents a significant step in the maturation of its cross-border data governance
regime. By moving from comprehensive licensing requirements toward a more
targeted approach that defines specific compliance obligations while implicitly
permitting freer transfer of other data, China is creating a more business-friendly
environment that could significantly ease compliance burdens for multinational
companies. The proposed unification of fragmented FTZ pilots into a coherent
national framework promises to enhance this business-friendly orientation while
providing the consistency and predictability essential for effective compliance
planning.

For international law firms and their clients, the immediate priority involves
understanding the current FTZ negative list landscape and evaluating whether and
how to leverage available streamlined procedures. This requires detailed analysis of
FTZ frameworks, assessment of data transfer patterns against negative list categories,
and strategic decisions about operational structuring to optimize data governance
outcomes. It also demands careful attention to the relationship between FTZ and
national frameworks, ensuring that reliance on streamlined procedures does not
inadvertently create compliance gaps under broader regulatory requirements.

As the transition toward a national negative list framework unfolds, companies and
their advisors must maintain flexibility and adaptability. The specific structure, scope,
and implementation of a national framework remain subject to development, and the
transition from current fragmented approaches to unified standards will likely involve
regulatory adjustments and interpretive evolution. Success requires not only
understanding current requirements but also anticipating regulatory direction and
positioning to adapt efficiently as frameworks evolve.

The broader message is clear: China’s approach to cross-border data governance is
evolving toward greater sophistication and business alignment, with FTZ negative lists
representing an important manifestation of this evolution. Companies that engage
proactively with this development—through strategic FTZ positioning, sophisticated
compliance program development, and constructive engagement with regulatory
processes—can gain significant advantages in operational flexibility, compliance
efficiency, and competitive positioning. Those that fail to adapt risk being left behind
as the data governance landscape transforms around them.

For international law firms, these developments create substantial advisory
opportunities spanning compliance counseling, operational structuring, regulatory
engagement, and strategic planning. Firms that develop deep expertise in FTZ data
governance frameworks, maintain current knowledge of regulatory developments,
and provide integrated advice addressing both immediate compliance and
longer-term strategic positioning will be well-positioned to serve clients navigating China’s
evolving data governance landscape. The negative list paradigm represents not just a
regulatory change but a fundamental shift in how China balances data protection and
economic objectives—a shift that will shape cross-border business operations for
years to come.

