On May 9, 2024, Tianjin Commission of Commerce released the Tianjin FTZ Negative List (2024 Edition) to facilitate the cross-border data flows of entities established in Tianjin FTZ. In the Tianjin FTZ Negative List, cross-border data that requires a CAC security assessment is divided into 13 categories, including: strategic materials and commodities, natural resources and environment, industry, finance, statistics, telecoms and broadcasting, housing and construction, transportation, public health, public security, internet services and e-commerce, science and technology, and personal information.
On May 16, 2024, Shanghai FTZ released trial lists of general data for three sectors (intelligent connected vehicles, biopharmaceuticals, and public funds) to facilitate cross-border data flows for entities within the Shanghai FTZ.
On March 22, 2024, China’s Cyberspace Administration of China (“CAC”) issued the Measures on Facilitating and Regulating Cross-Border Data Flows (“Measures”) in an effort to make cross-border transfers less burdensome. The Measures enable the 22 Chinese pilot Free Trade Zones (“FTZs”) to formulate a Negative List of data that are subject to the Personal Information Protection Law (“PIPL”) Article 38 cross-border transfer requirements, and they exempt transfers of any data not included on the Negative List when such transfers are initiated by a legal entity located within an FTZ.
On May 9, 2024, the Tianjin Commission of Commerce released the Tianjin FTZ Negative List (2024 Edition) to facilitate the cross-border data flows of entities established in Tianjin FTZ. It is the first Negative List for cross-border data transfer published by the Chinese FTZs. The Tianjin FTZ Negative List makes clear once again that: i) transfers of personal information from Critical Information Infrastructure Operators (“CIIOs”), transfers of personal information (excluding sensitive personal information) of 1,000,000 individuals or more per calendar year, or transfers of sensitive PI of 10,000 individuals or more per calendar year, require a CAC security assessment; and ii) transfers of personal information (excluding sensitive personal information) of 100,000–999,999 individuals per calendar year or transfers of sensitive personal information of 1-9,999 individuals per calendar year require PIPL Standard Contractual Clauses ("SCCs") or personal information protection certification. In the Tianjin FTZ Negative List, cross-border data that requires a CAC security assessment is divided into 13 categories, namely: strategic materials and commodities, natural resources and environment, industry, finance, statistics, telecoms and broadcasting, housing and construction, transportation, public health, public security, internet services and e-commerce, science and technology, and personal information. It emphasizes that data involving state secrets, core data, and government data does not apply to the Tianjin FTZ Negative List and is subject to separate applicable laws and regulations.
Additionally, on May 16, 2024, Shanghai FTZ released trial general data lists for three sectors (intelligent connected vehicles, biopharmaceuticals, and public funds) to facilitate cross-border data flows for entities within the Shanghai FTZ, which remain valid until May 16, 2025. The three lists specify the data that are exempt from Article 38 safeguards, with any data not included on the lists requiring an Article 38 safeguard for cross-border transfer. Specifically, the list of general data for intelligent connected vehicles requires that the video and image data included in the list not contain personal information or Vehicle Identification Number (VIN) numbers and that any data transferred outside China not be able to be directly or indirectly identify an individual. The lists of general data for biopharmaceuticals and public funds exempt cross-border transfers by institutions in the FTZs that have transferred the non-sensitive PI of less than 100,000 individuals since January 1 of the current calendar year. In addition, the list of general data for biopharmaceuticals requires handlers to de-identify the data subject’s PI when transferring any PI included in the list.
Implications for U.S. Higher Education Institutions
The requirements pertaining to the thresholds of personal information set forth in the Tianjin FTZ Negative List and the Shanghai FTZ general data lists that are subject to the PIPL cross-border transfer requirements are unchanged from the thresholds stipulated in the Measures. In other words, entities located in the two FTZs are still required to follow the requirements associated with the thresholds of personal information under the Measures. The lists help institutions to better understand the types of data that would be considered “important” and may be subject to a CAC security assessment, although the Measures expressly state that data qualifies as Important Data only if relevant government bodies or departments have (1) notified the institution that the data qualifies as Important Data or (2) publicly disclosed that the data qualifies as Important Data. It is still not yet known if or when the other FTZs will create their Negative Lists. Institutions should continue to follow developments from the CAC so they are made aware of the publication of any additional Negative Lists.