Privacy & Information Security Law Blog

On February 8, 2025, the Shanghai Cyberspace Administration and four other Shanghai government agencies released the Data Export Management List in the Free Trade Trial Zone and Lin Gang New Area (“Negative List”), Administrative Measures on the Negative List (“Administrative Measures”), and the Implementation Guideline on the Negative List (“Guideline”). These data export policies apply to the Free Trade Trial Zone and Lin Gang New Area of Shanghai. They increase the thresholds that trigger the need for the data security assessment and/or filing of the standard contract for cross-border transfer (“SC”) in the fields of commerce and trade, reinsurance and international shipping, and reduce the compliance burden of data handlers significantly.

Application of the Negative List

The negative list only applies to the entities (excluding critical information infrastructure operators) that register in, and export data from, the Free Trade Trial Zone and Lin Gang New Area of Shanghai. Currently, the negative list only covers the fields of commerce and trade (including retail, catering and accommodation), reinsurance and international shipping. The relevant authority in the Shanghai Free Trade Trial Zone and Lin Gang New Area also may refer to the negative list issued by other free trade zones.

Procedures Regarding Use of the Negative List

If the processing activities are included in the negative list, the data handler may submit the following documents to the local data export service center and report the relevant information regarding the data export within 15 business days after the data is transferred outside of China, regardless whether the processing activities are subject to the security assessment or filing of the SC, or are exempted from approval and filing:

• unified Social Credit Code Certificate (business license);
• ID card of the legal representative;
• ID card of the person reporting the data export;
• authorization letter;
• explanation letter regarding the use of the negative list; and
• undertaking letter.

The above list of reporting documents is much simpler than the normal procedure for cross-border transfers.

If the application is approved, the relevant authority must notify the data handler within 15 business days of receipt of the relevant documents. If the application fails, the relevant authority must request the data handler to correct deficiencies within 15 business days of receipt of the relevant documents. If the data handler needs to continue the data export activities, it must do so in accordance with the normal procedures provided by the Measures on Security Assessment on Cross-border Transfer, Measures on Standard Contract of Cross-border Transfer of Personal Information and Provisions on Facilitation and Regulation of Cross-border Transfer.