Analysis of the China (Beijing) Pilot Free Trade Zone Negative List for Data Export Management Measures (Trial) and China (Beijing) Pilot Free Trade Zone Data Export Management Negative List (2024 Edition)
Published 16 September 2024
Sarah Xuan
On August 26, 2024, based on the Provisions on Promoting and Regulating Cross-border Data Flow and other related documents, the Beijing Cyberspace Administration, Beijing Municipal Bureau of Commerce, and Beijing Municipal Government Service and Data Management Bureau jointly issued the China (Beijing) Pilot Free Trade Zone Negative List for Data Export Management Measures (Trial) and the China (Beijing) Pilot Free Trade Zone Data Export Management Negative List (2024 Edition) (hereinafter referred to as the “Management Measures” and “Negative List”). These regulations guide and supervise cross-border data flow activities within the Beijing Pilot Free Trade Zone (FTZ).
The Management Measures focus on formulating the negative list, the division of responsibilities, management of its use, and security supervision. They also refine the identification rules for important data, introducing classification and grading reference rules for 13 categories and 41 subcategories of data. The Negative List specifies the data subject to security assessments for export within five sectors (automotive, pharmaceuticals, retail, civil aviation, and artificial intelligence), as well as data requiring record-filing for personal information export standard contracts and personal information protection certification. Moving forward, other sector-specific negative lists will be issued by relevant departments in phases under a dynamic management mechanism.
This article provides a brief overview of the main content of the Management Measures and Negative List.
Main Points of the Management Measures
I. Scope of Application
The Management Measures clarify that they apply to formulating, approving, and managing the negative list for data export within the Beijing FTZ. Currently, the Beijing FTZ encompasses the Science and Technology Innovation Area, the International Business Services Area (including the Beijing Tianzhu Comprehensive Bonded Zone), and the High-end Industrial Area. Only companies registered within the Beijing FTZ and data export activities conducted within the FTZ are subject to the Management Measures and Negative List.
II. Main Procedures for Data Handlers Using the Negative List for Data Export
The Management Measures stipulate that the main procedures for data handlers using the negative list for data export include three key steps: application submission, record-filing, and compliant export:
1. Application Submission: Data handlers must submit an application to the relevant FTZ group based on the negative list implementation guidelines, which include information such as the company’s registered location, industry, business operations, and any administrative penalties or investigations over the past two years.
2. Record-filing: Approved data handlers must complete record-filing according to the implementation guidelines. Record-filing materials should include scenarios for data export, the directory and scale of exported data, overseas recipients, and reasons for applying the negative list.
3. Compliant Export: After record-filing, data handlers can proceed with data export activities per the FTZ group’s opinions while cooperating with city-level management departments and FTZ groups for supervision and verification. Any changes in data export conditions must be updated with the relevant FTZ group.
III. Important Data Identification Rules
The Management Measures also refine the rules for identifying important data, introducing 13 categories and 41 subcategories of data classification and grading guidelines, which include:
1. Unified Identification Rules for Important Data:
a. The unified identification reference rule for important data applies to non-confidential data; confidential data is governed by the relevant regulations.
b. Personal information of over 10 million people (excluding sensitive personal information) held by enterprises in Beijing Pilot Free Trade Zone; sensitive personal information of over 1 million people; sensitive personal information of over 100,000 people including personal bank accounts, personal insurance accounts, personal registration accounts and personal diagnosis and treatment data.
c. Personal information of more than 100,000 people held by operators recognized by the state as critical information infrastructure.
d. High-value sensitive data related to industry competitiveness and production safety that is collected and generated by enterprises in the process of R&D and design, production and manufacturing, and operation and management in the Pilot Free Trade Zone; and data related to the supply chain of enterprises involving national security.
e. Parameters of automatic control systems, and control, operation, maintenance, and test data, in the national economy and people’s livelihood that are held by enterprises in the Pilot Free Trade Zone.
2. Sector-specific Identification Rules for Important Data:
The Management Measures specify important data identification guidelines across 13 major sectors, including strategic materials, natural resources, industrial, defense, telecommunications, financial, healthcare, and public safety. These rules help industries identify which data falls under “important data” and facilitate more accurate risk assessments and preventive measures.
Main Points of the Negative List
The Negative List outlines the important data lists for the automotive, pharmaceutical, retail, civil aviation, and artificial intelligence sectors within the Beijing FTZ. Additionally, it adjusts the personal information thresholds that trigger data export security assessments and the need for standard contract record-filing. Specific details include:
I. Automotive Industry:
The Negative List specifies that security assessments are required for the export of sensitive data such as geographic information, personnel and vehicle traffic involving military management zones, national defense units, and essential party and government organs, as well as sensitive data generated in the course of the Telematics information service, such as vehicle location information, traffic flow, and data on the operation of the vehicle charging network. Other critical data include video and image data outside the vehicle, such as images containing information such as faces and license plates; vehicle remote control data; and technical and operational data related to the safety of the Telematics system and network, such as data reflecting the safety protection of the Telematics critical infrastructure and the emergency response plan.
Personal information that exceeds certain thresholds, such as personal information of more than 1 million people or sensitive personal information of more than 10,000 people (e.g., ID card numbers, vehicle tracks, biometric features, etc.) that an enterprise has cumulatively provided abroad since the year in question, also requires a security assessment.
Record-filing is required where the personal information of 100,000 to 1,000,000 people has been provided cumulatively, or the sensitive personal information of less than 10,000 people.
In addition, the Negative List states that the list targets automotive companies, including manufacturers, parts suppliers, dealers, etc., but does not apply to companies related to the field of autonomous driving.
II. Pharmaceutical Industry
In the pharmaceutical sector, essential data that must pass security assessments include large-scale diagnosis and treatment, health and medical insurance data, and data on specific drug trials. These data cover clinical trials, drug development, pharmacovigilance, etc., and involve more than 100,000 people’s medical records, medical data such as genetic tests, and information on the production and supply of essential vaccines and strategic drugs. In addition, biometric and medical resource data for specific regions and groups, such as the number of medical institutions and personnel, must be assessed. Some data may be related to export control or technology export management and are subject to relevant legal obligations. Personal information data that needs to pass a security assessment includes information on more than 50,000 subjects, including diagnosis and treatment records, medical history, etc., or information on more than 100,000 patients that an enterprise has cumulatively provided to foreign countries since January 1 of the current year. In addition, information on more than 50,000 subjects, including diagnosis and treatment records, medical history, etc., or information on more than 100,000 patients that an enterprise has cumulatively provided to foreign countries since January 1 of the current year, must also comply with security assessments or standard contract record-filing.
If the amount of outbound data is smaller but still reaches more than 10,000 people’s personal information, it is required to pass a standard contract or certification for personal information protection.
In addition, the information needs to comply with the requirements of the Code for Quality Management of Pharmaceutical Clinical Trials. Information on healthcare professionals, such as names and contact information, must also be evaluated. The export of essential data, such as genetic information or large-scale genetic data, must also comply with other legal compliance pathways stipulated by the state.
III. Civil Aviation
Important data requiring security assessments before export includes: flight data recorder data, covering flight parameters, cabin audio, flight simulation video, and other information related to civil aircraft accidents; cockpit voice recorder data, including calls between pilots and command organizations and between pilots, as well as cockpit audio and video; aircraft health monitoring data, including aircraft maintenance information, sensor failure and damage images, etc.; and data involving export control or technology export, such as R&D and manufacturing data.
In customer service scenarios, a security assessment for data export is required if more than 5 million personal information or more than 100,000 people’s sensitive personal information has been provided to foreign countries cumulatively during the year; in non-customer service scenarios, it is required if more than 1 million personal information or more than 10,000 people’s sensitive personal information has been provided to foreign countries cumulatively. Filing of standard contracts or certification is required if the cumulative total of personal information transmitted by an enterprise to foreign countries during the year is more than 500,000 but not more than 5 million, or if the sensitive personal information transmitted does not exceed 100,000; and, in non-customer service related scenarios, if an enterprise transmits more than 100,000 but less than 1 million personal information or no more than 10,000 sensitive personal information abroad within the same year.
In addition, the Negative List mainly applies to enterprises in the air transportation industry and general aviation services and does not cover non-civil aviation businesses such as aircraft manufacturing.
IV. Retail and Modern Services:
Data export in this sector mainly involves personal information in customer management scenarios. Cases that require security assessments include enterprises that have cumulatively provided more than 5 million personal information or more than 1 million sensitive personal information or more than 1 million personal information plus more than 10,000 sensitive personal information to foreign countries since January 1 of the current year; cases that require the filing of a standard contract include cumulatively providing 500,000 to 5 million personal information or 100,000 to 1 million sensitive personal information to foreign countries, or more than 100,000 personal information and less than 1 million sensitive personal information.
V. Artificial Intelligence Training Data:
According to the Negative List, essential data generated from AI training data that need to pass the security assessments include high-value sensitive data collected in the course of R&D, such as model training, algorithm development, product testing scenarios, etc., data that may affect national security, economic operation or social stability, and data that is included in the management of export control or technology export. Personal information that needs to pass the security assessments includes audio, image, and text data involving a large amount of sensitive personal information, where the accumulated amount is over 50,000 people’s sensitive personal information or 1 million people’s non-sensitive personal information.
As for audio, image, and text data involving 10,000 to 100,000 people of sensitive personal information or 100,000 to 1 million people of non-sensitive personal information, this type of data needs to be filed through a standard contract or certified for personal information protection to ensure the cross-border security of the data.
Comments
The introduction of China (Beijing) Pilot Free Trade Zone Negative List for Data Export Management Measures (Trial) and the Negative List (2024 Edition) marks a significant step in refining the regulatory framework for cross-border data flow in the Beijing FTZ. These measures enhance security and compliance in data export by clearly classifying and grading data across critical sectors such as automotive, pharmaceuticals, civil aviation, retail, and AI. Moreover, the dynamic management mechanism ensures that these regulations remain adaptable to the evolving global data landscape, providing clear operational guidelines and establishing a robust legal foundation for cross-border data security.