Policy Interpretation! Read the negative list for the management of data export in the pilot free trade zone in one article

author:Tianjin Economic Development Zone, a TEDA
On May 9, the Administrative Committee of the Tianjin Pilot Free Trade Zone and the Tianjin Municipal Bureau of Commerce jointly announced the "China (Tianjin) Pilot Free Trade Zone Data Transfer Management List (Negative List) (2024 Edition)" (hereinafter referred to as the "Negative List"). Below, the person in charge of the relevant unit answers questions about the Negative List.

Q1: What are the background and significance of the Negative List?

A: Promoting the safe and orderly cross-border flow of data is an important part of high-level opening-up and a hot topic in global economic and trade development. China has actively promoted the orderly and free flow of data in accordance with the law, and has successively promulgated and implemented the Cybersecurity Law, the Data Security Law, and the Personal Information Protection Law, which make clear provisions on data export activities. To implement the requirements of these laws and regulations, the Measures for the Security Assessment of Cross-border Data Transfer, the Measures for Standard Contracts for Cross-border Transfer of Personal Information, and the Announcement on the Implementation of Personal Information Protection Certification were promulgated in succession, and a security management system for cross-border data transfer has basically been established. In August 2023, the State Council issued the Opinions on Further Optimizing the Foreign Investment Environment and Increasing Efforts to Attract Foreign Investment, supporting Tianjin and other places in exploring a convenient security management mechanism for cross-border data flows. On March 22 this year, the Cyberspace Administration of China (CAC) issued the Provisions on Promoting and Regulating Cross-border Data Flows, which provide that, under the framework of the national data classification and hierarchical protection system, a pilot free trade zone may formulate its own list of data that must be managed through security assessment of data export, standard contracts for personal information export, and personal information protection certification (hereinafter referred to as the negative list), and implement it after approval in accordance with the procedures. This gave us a policy basis for developing the Negative List.

With the strong support and careful guidance of the Cyberspace Administration of China, the National Data Bureau and other ministries and commissions, the Tianjin Municipal Party Committee and the Municipal Government planned and deployed innovation in the cross-border data flow system ahead of time. The work focused on aligning with international high-standard economic and trade rules, creating a market-oriented, law-based and international first-class business environment, fulfilling the mission of the Tianjin Pilot Free Trade Zone to "test the system for the country", and exploring a path of institutional opening in the data field with Tianjin characteristics. The Negative List was officially announced by the National Data Bureau (NDA) on May 9 and became the country's first negative list for data export management in a pilot free trade zone. It provides "Tianjin experience" and a "Tianjin model" for other pilot free trade zones and plays an important role as a pioneer in cross-border data flow policy innovation.

The Negative List represents a wider range of opening-up. It sets out the scope within which data export activities by enterprises in the Tianjin Pilot Free Trade Zone are managed, and data outside the Negative List can flow freely across borders. This contrasts with a "positive list", under which only the data on the list can flow freely across borders. While drawing a bottom line for security, the Negative List will help facilitate the cross-border flow of enterprise data. In recent years, with the concerted efforts of various ministries and commissions, the security management system for cross-border data transfer in mainland China has basically been established, but enterprises still face some uncertainties when implementing the relevant regulations. For example, the definition of important data is relatively general and specific identification standards are lacking, which makes it difficult for enterprises to determine whether their outbound data is important data. Under the existing legal framework, the Tianjin Pilot Free Trade Zone has formulated and implemented the Negative List, which clarifies the list of data, including important data, that must be managed through security assessment of data export, standard contracts for personal information export, and personal information protection certification. This fills the institutional gap in this field, provides an institutional guarantee for effectively solving the problem of enterprise data export, and helps to cultivate new advantages in international economic cooperation and competition.

Q2: What are the main contents of the Negative List?

A: The Negative List mainly includes the following parts. First, it clarifies the purpose and significance of formulating the document. Second, it establishes the basic principles of overall planning, convenience and compliance, conciseness and practicality, and dynamic adjustment. Third, it explains the scope of application of the Negative List. The Negative List sets out the circumstances under which an enterprise in the Tianjin FTZ needs to apply for a security assessment for data export, enter into a standard contract for personal information export, or pass the personal information protection certification when providing data overseas. Enterprises in the Tianjin Free Trade Zone that provide data not included in the Negative List abroad are exempted from applying for security assessment for data export, entering into a standard contract for personal information export, and passing the personal information protection certification. Data involving state secrets, core data, and government affairs data are not included in the management of the Negative List, and the export of such data is to be carried out in accordance with relevant laws, regulations, and provisions. Fourth, it sets out the main considerations behind the Negative List: implementing the requirements for classified and hierarchical management of data, strengthening the protection of personal information, serving the high-quality development of enterprises, and standardizing the conduct of data export. Fifth, it clarifies the list of data that needs to be included in the management. On the basis of the classification and grading of enterprise data in the Tianjin Pilot Free Trade Zone, outbound data is divided into 13 categories and 46 subcategories, and each subcategory gives a detailed description of the basic characteristics of the data together with specific examples.

Q3: What are the scenarios for data export mentioned in the Negative List?

A: According to the Guidelines for the Application for Security Assessment of Cross-border Data Transfer (Second Edition) and the Guidelines for the Filing of Standard Contracts for Cross-border Transfer of Personal Information (Second Edition) issued by the Cyberspace Administration of China, the acts of data export include the following. First, the data processor transfers data collected and generated in the course of domestic operations overseas. Second, the data collected and generated by the data processor is stored within the country, and foreign institutions, organizations, or individuals can query, retrieve, download, or export it. Third, other data processing activities, such as processing the personal information of domestic natural persons outside the territory of the People's Republic of China, that fall under the circumstances of paragraph 2 of Article 3 of the Personal Information Protection Law.

Q4: What are the important data mentioned in the Negative List?

A: According to the Measures for Security Assessment of Cross-border Data Transfer, important data refers to data that may endanger national security, economic operation, social stability, public health and safety once it has been tampered with, destroyed, leaked, illegally obtained or used.

The Data Security Law stipulates that the national coordination mechanism for data security work shall coordinate with relevant departments to formulate a catalog of important data and strengthen the protection of important data. Each region and department shall follow the data classification and hierarchical protection system to designate a specific catalog of important data for that region, that department, and related industries and fields, and carry out key protections for data entered into the catalog.

Q5: What are the personal information and sensitive personal information mentioned in the Negative List, and how are they distinguished?

A: According to the Personal Information Protection Law, personal information refers to all kinds of information related to identified or identifiable natural persons recorded electronically or by other means, excluding anonymized information. Anonymization refers to the process of handling personal information so that it cannot identify a specific natural person and cannot be restored. "Sensitive personal information" refers to personal information that, once leaked or illegally used, could easily lead to infringement of a natural person's personal dignity or endangerment of their personal or property safety, including information such as biometrics, religious beliefs, specific identities, medical health, financial accounts, whereabouts and tracks, as well as the personal information of minors under the age of 14.

For the identification and distinction of personal information and sensitive personal information, please refer to the national standard "Information Security Technology - Personal Information Security Specification" (GB/T 35273-2020).

Q6: What is the relationship between the Negative List and the Provisions on Promoting and Regulating Cross-border Data Flows issued by the Cyberspace Administration of China (CAC)?

A: The Cyberspace Administration of China (CAC) has formulated the Provisions on Promoting and Regulating Cross-border Data Flows. On the premise of ensuring national data security, the Provisions further clarify the implementation and convergence of existing data export systems such as security assessments for cross-border data transfers, standard contracts for cross-border data transfers, and personal information protection certifications; they appropriately relax the conditions for cross-border data flows, facilitate cross-border data flows, reduce compliance costs for enterprises, fully release the value of data elements, expand high-level opening-up, and provide legal guarantees for the high-quality development of the digital economy. The Negative List is a local practice under the institutional framework of the Provisions. On the one hand, the Provisions provide a policy basis for the formulation and promulgation of the Negative List. On the other hand, the Negative List strictly implements the requirements of the Provisions: the data that the Negative List places under security assessment of data export, standard contracts for personal information export, and personal information protection certification in the Tianjin Pilot Free Trade Zone already excludes the exemptions in the Provisions. That is, data that the Provisions exempt from declaring a security assessment for data export, concluding a standard contract for personal information export, and passing the personal information protection certification will not be included in the management of the Negative List.

Q7: What is the relationship between the Negative List and the Standards for the Classification and Grading of Enterprise Data in the China (Tianjin) Pilot Free Trade Zone?

A: Promoting the classification and grading of data is a clear requirement of the Data Security Law, and it is also basic and pioneering work for promoting and regulating the cross-border flow of data. Earlier, under the framework of national data classification and grading, we formulated and issued the "Standard Specification for Classification and Grading of Enterprise Data in China (Tianjin) Pilot Free Trade Zone" based on the actual situation of the Tianjin Pilot Free Trade Zone. It applies to the classification and grading of data that enterprises in the Tianjin Pilot Free Trade Zone generate, collect, store, transmit and process in the course of production and operation. It divides enterprise data into 13 categories and 40 subcategories, with three levels from high to low (core, important and general), and clarifies the identification criteria for important data.

The Standards and Specifications focus on the classification and grading of enterprise data in the Tianjin Pilot Free Trade Zone: regardless of whether an enterprise's data is exported, the classification and grading work must be carried out in accordance with the prescribed procedures. The Negative List, by contrast, is used when enterprises in the Tianjin Pilot Free Trade Zone need to export data. On the basis of the Standards and Specifications, the Negative List provides more detailed and specific criteria for identifying important data that needs to flow across borders in various industries and fields, and also gives examples to help enterprises make the judgment. In addition, the Negative List proposes that "important data identified by the national industry competent authority or the Municipality shall be automatically included in the management of this list", so important data identified and determined in accordance with the Standards and Specifications is included in the management of the Negative List, and a security assessment of data export must be declared when it leaves the country.

Q8: How do enterprises in the Tianjin Pilot Free Trade Zone use the Negative List?

A: According to the scope of application of the Negative List, enterprises in the Tianjin Pilot Free Trade Zone that need to export data should refer to the Negative List to identify whether the data to be exported is within the scope of the list. For data within the scope of the list, the enterprise should, in accordance with national regulations and according to the actual situation, declare a security assessment of data export, enter into a standard contract for the export of personal information, or pass the personal information protection certification. For example, if an enterprise in the chemical industry plans to transmit the transportation route planning information of a hazardous chemical to an overseas company, then according to the basic characteristics and description of the chemical industry subcategory under the industrial category in the Negative List, such information falls within the list of data that must be declared for security assessment of data export, and the enterprise should declare a security assessment of data export for it.

Q9: How do you understand the list of data that needs to be declared for security assessment of cross-border data transfer and the list of data that need to enter into a standard contract for cross-border transfer of personal information and pass the personal information protection certification in the Negative List?

A: Article 7 of the Provisions on Promoting and Regulating Cross-border Data Flow clarifies two conditions for declaring a security assessment of data export. First, critical information infrastructure operators provide personal information or important data abroad. Second, data processors other than critical information infrastructure operators provide important data overseas, or have provided overseas, since January 1 of that year, the personal information of more than 1 million people (excluding sensitive personal information) or the sensitive personal information of more than 10,000 people. If the circumstances provided for in Articles 3, 4, 5 and 6 of the Provisions apply, those provisions are followed. The Negative List summarizes the circumstances involving personal information in Article 7 of the Provisions into two subcategories, 44 and 45, and refines the situations involving important data into 12 categories and 43 subcategories of data in combination with the actual situation of the Tianjin Pilot Free Trade Zone. For the export of data in this list, it is necessary to apply for a security assessment for data export.

With regard to the list of data that requires the conclusion of a standard contract for the export of personal information and the certification of personal information protection, the content of the list is consistent with Article 8 of the Provisions. For the export of data in this list, it is necessary to conclude a standard contract for the export of personal information or pass the personal information protection certification.

Q10: How should the remarks in the Negative List be understood?

A: The remarks in the Negative List are supplementary explanations for the corresponding subcategories, and they can be roughly divided into three categories. First, for example, the remark for the meteorological subcategory is "except for the data that has been publicly released by the meteorological and other relevant departments": data that has been publicly released by the competent authorities of the industry or field is exempted from inclusion in the list of data that must be declared for security assessment of data export. Most of the remarks in the Negative List belong to this category. Second, for example, the remark for the environmental protection subcategory is "data that has been disclosed separately but not disclosed according to regional and industry statistics are included in the list management", which clarifies the special circumstances that need to be included in the list of data that must be declared for security assessment of data export. Third, for example, the remark for the emergency management subcategory is "the specific requirements of 'certain accuracy', 'certain range' and 'certain scale' are subject to the policy documents issued by relevant departments such as emergency management", which further explains the more general concepts in the description of the subcategory.

Q11: What kind of data are exempted from applying for security assessment, entering into a standard contract for personal information export, and passing the personal information protection certification for enterprises in the Tianjin Pilot Free Trade Zone when they carry out data export activities?

A: For enterprises in the Tianjin Pilot Free Trade Zone, the following seven types of data export activities are exempted from applying for data export security assessment, entering into a standard contract for personal information export, and passing personal information protection certification:

First, data collected and generated in international trade, cross-border transportation, academic cooperation, cross-border manufacturing and marketing activities is provided overseas and does not contain personal information or important data. Second, personal information collected and generated overseas is transferred to the mainland for processing and then provided overseas, and no domestic personal information or important data is introduced in the course of processing. Third, it is necessary to provide personal information overseas for the purpose of entering into and performing a contract to which an individual is a party, such as cross-border shopping, cross-border delivery, cross-border remittance, cross-border payment, cross-border account opening, air ticket and hotel reservation, visa processing, examination services, etc. Fourth, cross-border human resources management is implemented in accordance with labor rules and regulations formulated in accordance with the law and a collective contract signed in accordance with the law, and it is truly necessary to provide employees' personal information overseas. Fifth, in an emergency, it is truly necessary to provide personal information overseas in order to protect the life, health, and property safety of natural persons. Sixth, data processors other than critical information infrastructure operators have provided the personal information of fewer than 100,000 people (excluding sensitive personal information) overseas since January 1 of that year. Seventh, data outside the Negative List is provided overseas. The personal information provided overseas as mentioned in the third to seventh conditions does not include personal information that has been notified by relevant departments or regions, or publicly released, as important data.

Q12: How can enterprises in the Tianjin Pilot Free Trade Zone apply for security assessment of data export, file standard contracts for personal information export, and apply for personal information protection certification?

A: Enterprises in the Tianjin Pilot Free Trade Zone, like other data processors in the administrative area of Tianjin, can log in to the data export declaration system at https://sjcj.cac.gov.cn to apply for security assessment of data export and to file standard contracts for personal information export. For details, please refer to the Guidelines for the Application for Security Assessment of Cross-border Data Transfer (Second Edition) and the Guidelines for the Filing of Standard Contracts for Cross-border Transfer of Personal Information (Second Edition) published by the Cyberspace Administration of China. If the security assessment declaration and standard contract filing materials have already been submitted offline, they do not need to be resubmitted through the data export declaration system. To apply for personal information protection certification, enterprises can log in to the personal information protection certification management system at https://data.isccc.gov.cn. Critical information infrastructure operators, or others for whom applying through the data export declaration system is not suitable, are to apply for a security assessment for data export offline. The Tianjin Municipal Internet Information Office has opened a special hotline, 022-88355322, for data export management consultation to provide guidance services for data processors.

Q13: How to protect the legitimate rights and interests of enterprises such as trade secrets in the process of assessment, filing and certification?

A: The Measures for Security Assessment of Cross-border Data Transfer stipulate that relevant institutions and personnel involved in the security assessment shall, in accordance with the law, keep confidential the state secrets, personal privacy, personal information, commercial secrets, confidential business information and other data learned in the performance of their duties, and shall not disclose them, illegally provide them to others, or illegally use them. The Measures for Standard Contracts for the Export of Personal Information stipulate that the internet information departments and their staff shall, in accordance with the law, keep confidential the personal privacy, personal information, trade secrets, and confidential business information that they learn of in the course of performing their duties, and shall not disclose them, illegally provide them to others, or illegally use them. The Regulations of the People's Republic of China on Certification and Accreditation stipulate that institutions and their personnel engaged in certification and accreditation activities have the obligation to keep confidential the state secrets and commercial secrets that they are aware of.

Q14: How will the Tianjin Pilot Free Trade Zone strengthen policy guidance to ensure the compliant cross-border flow of enterprise data?

A: The Tianjin Pilot Free Trade Zone will focus on publicizing and interpreting policies and on service guidance for enterprises. First, it will provide convenient consultation. Through a cross-border data service window, a published consultation telephone number (022-66707689), online interaction and other channels, it will provide enterprises with all-round inquiry services so that they know and grasp the policies, and it will sort out and summarize the typical problems encountered by enterprises and publish them in the form of questions and answers. Second, it will carry out targeted outreach. On the one hand, it will publicize the policy widely, mobilizing the various areas and using multiple channels and forms, such as media publicity, policy lectures, enterprise policy service platforms and policy service apps, to expand the coverage of policy publicity and raise the policy awareness rate among small and medium-sized enterprises. On the other hand, it will push policies precisely: for the key industries and the enterprises in key areas that were investigated and visited in the early stage, it will interpret the detailed policies in light of their business and provide professional guidance through special policy promotion meetings, door-to-door services and similar means. Third, it will provide services on a regular basis. It will strengthen policy training and guidance for relevant departments such as investment promotion, government services, and business promotion, and integrate cross-border data compliance into the daily work of enterprises as an important element.

Q15: After the Negative List is implemented, how will the safety supervision of data export activities in the Tianjin Pilot Free Trade Zone be carried out?

A: The Negative List proposes to adhere to the principle of overall planning for development and security, to hold the bottom line of national data security, and, on the basis of ensuring the security of important data and safeguarding the rights and interests of personal information, to promote the orderly flow, development and utilization of data resources and the high-quality development of the digital economy and digital trade. In the next step, the relevant units of Tianjin will focus on the following aspects. First, strengthen publicity and guidance. By engaging directly with enterprises in various forms, they will strengthen the publicity and interpretation of the data export policies and systems of the Tianjin Free Trade Zone and enhance enterprises' compliance awareness. Second, do a good job in service guidance. They will actively help and guide enterprises with the declaration of security assessments for data export, the filing of standard contracts for personal information export, and personal information protection certification, so as to improve the ability to supervise compliance in advance and promptly nip problems and hidden dangers in the bud. Third, improve the regulatory system. They will accelerate the establishment of a supervision system for cross-border data transfer, improve monitoring and early warning capabilities for industries with abnormal cross-border exports, carry out on-site inspections and spot checks, promptly discover and deal with illegal cross-border data exports, and maintain the bottom line of data security.

Click [https://www.china-tjftz.gov.cn/contents/10806/282636.html] to view the full list.

Source: Official website of the China (Tianjin) Pilot Free Trade Zone Management Committee