BACKGROUND
On 9 May 2026, the Shanghai Cyberspace Administration and the Shanghai Data Administration jointly issued the Administrative Measures for the Negative List of Cross-Border Data Transfers (Trial), the 2025 Shanghai Negative List of Cross-Border Data Transfers, and the Implementation Guide for the Negative List of Cross-Border Data Transfers (collectively, the “Negative List”). The Negative List establishes a citywide mechanism for cross-border data transfers (“CBDT”), superseding the previous 2024 framework, which was limited to the Shanghai Free Trade Zone and Lingang Special Area.
For industries covered by the Negative List, the CBDT mechanism is built on a straightforward logic: data exports falling outside the Negative List (i.e., data not covered by the listed scenarios or thresholds) may proceed without triggering any of the three principal CBDT mechanisms, namely security assessment by the Cyberspace Administration of China ("CAC"), standard contractual clauses ("SCC") filing, or personal information protection certification.
Even where exported data falls within the Negative List, companies may still benefit from more relaxed compliance pathways and thresholds as specifically provided under the framework.
SECTORS COVERED AND WHAT IT MEANS FOR RETAIL
The Negative List currently covers four sectors: reinsurance, international shipping (including port operations and seafarer management), commercial trade (retail, food and beverage, and accommodation), and meteorological services. Sectors not yet covered remain subject to the general PRC cross-border data transfer framework.
For retail companies, under the general national framework, transferring the personal information of 100,000 or more individuals overseas, or the sensitive personal information of 10,000 or more individuals, generally requires SCC filing or personal information protection certification, while transfers involving more than one million individuals trigger a mandatory CAC security assessment requirement.
The Negative List, however, introduces a more favorable threshold structure for membership management scenarios.
For transfers of non-sensitive personal information, a CAC security assessment is required only where the volume of transferred personal information exceeds 10 million individuals. SCC filing or certification applies where the volume is between one million and 10 million individuals, while transfers involving fewer than one million individuals may proceed through a simplified registration mechanism.
For sensitive personal information (such as account passwords and partial credit card information), the corresponding thresholds are more than one million individuals for CAC security assessment, between 100,000 and one million individuals for SCC filing or certification, and fewer than 100,000 individuals for simplified registration and free cross-border transfer.
Importantly, for data export scenarios outside the membership management context of retail enterprises, the Negative List no longer requires CAC security assessment, SCC filing, or personal information protection certification.
RELATIONSHIP WITH EXISTING LAWS AND REGULATIONS
One important question raised by many companies is whether the Shanghai framework is mandatory and whether companies must rely on the Negative List mechanism.
Based on current regulatory understanding, the Shanghai framework should primarily be viewed as a facilitative and burden-reduction mechanism operating within the existing PRC legislative framework, rather than as a standalone mandatory regulation. In other words, eligible companies may choose to rely on the Negative List framework and its simplified compliance pathways. However, companies may also continue to comply with the general compliance obligations under the Provisions on Promoting and Regulating Cross-border Data Flows and other applicable rules without relying on the Negative List mechanism.
Importantly, a company would not be penalized merely because it chooses not to rely on the Negative List framework. However, failure to comply with the underlying PRC laws and regulations — including the Cybersecurity Law, Data Security Law, Personal Information Protection Law, and relevant cross-border data transfer regulations — may still expose companies to regulatory enforcement risks.
Please feel free to contact us if you would like to discuss the potential applicability of the Negative List to your business operations.
GLO Data Protection Team