Shanghai data exit negative list latest interpretation

I. What is the negative list for data exit

Data exit negative list refers to the data list that needs to be included in the management scope of [Data exit security assessment, Personal information exit standard contract, personal information protection certification] according to relevant policies and regulations, hereinafter referred to as the negative list.

II. Background introduction on the negative list for data exit

(1) Release of the negative list for data exit

The Regulations on Promoting and Regulating Cross-border Data Flows, which came into effect on March 22, 2024, give the pilot trade zones the right to regulate cross-border data flows within their pilot zones in the form of negative lists. After the implementation of the Regulations on Promoting and Regulating Cross-border Data Flows, Tianjin, Beijing and Shanghai successively issued negative lists of their free trade zones. The details are as follows:

(2) The release of the "positive list" (general data list) of data exit
In addition to the negative list of the three compliance paths of data exit security assessment, standard contract filing and protection certification before departure listed above, Shanghai and Fujian have also issued a general data list (also known as the "positive list"). The "positive list" (general data list) is the concept corresponding to the "negative list", which means that there is no need to perform the three compliance paths of exit safety assessment, standard contract filing and protection certification, and under the condition of filing with the administrative committee and meeting the relevant management requirements, you can leave the country freely.

III. the specific content of the negative list of Shanghai data exit
(1) The scope of application of the negative list of Shanghai data exit
The Shanghai Data Outbound Negative List applies to data processors registered in the Shanghai Pilot Free Trade Zone and Lingang New Development Zone who carry out data outbound activities in the China (Shanghai) Pilot Free Trade Zone and Lingang New Development Zone. The List does not apply to operators of critical information infrastructure.
The Shanghai Data exit negative list only applies to the life insurance reinsurance scenario and property insurance reinsurance scenario in the field of reinsurance; Water transport services and port operation and production related scenarios, crew management scenarios in the field of international shipping; Membership management scenarios in the business sector. The data of industries and fields not involved shall be executed in accordance with relevant laws and regulations such as the Regulations on Network Data Security Management, the Measures for Data Exit Security Assessment, the Measures for Personal Information Exit Standard Contracts, and the Regulations on Promoting and Regulating cross-border Data Flow.
(2) The specific contents of the negative list of Shanghai data exit
1. Reinsurance data

In-depth interpretation:
(1) Clarify that policy number, amount insured, premium, claim number and claim amount data in reinsurance business are sensitive personal information.
Prior to the introduction of the negative list, according to the Personal Information Classification examples in Appendix B of the Data Security Technical Data Classification and Classification Rules (GB/T 43697-2024) implemented on October 1, 2024, insurance policy information and claim information are typical examples in the second-level category "Personal transaction Information" under the first-level category "Personal property Information" of personal information, You can only judge the relevant information as personal information according to the above provisions, but you cannot directly judge the policy number, insurance amount, premium, claim number, claim amount as sensitive personal information.
(2) Relax the regulations on outbound underwriting and claim personal information in reinsurance business scenarios, and further promote the cross-border flow of underwriting and claim personal information [1] in reinsurance business scenarios.

2. International shipping data

In-depth interpretation:
(1) Clarify the identification of important data in the field of international shipping.
Up to now, the specific rules for the identification of important data in China are not clear. The "Rules for the Classification and Classification of Data Security Technical Data" implemented on October 1, 2024 provides for the definition of important data and specific factors for the identification of important data, but it is only a general conceptual provision. The negative list describes the basic characteristics of important data in the scenarios related to water transport services and port operations and production. For example, it clarifies the internal decision-making data of international shipping companies as important data and further refines the identification of important data.
In addition, enterprises in the shipping field include port management companies, shipping companies, freight forwarders, shipping companies, shipping digital companies, third-party business service platforms, data service platforms, etc.
(2) Relax regulations on crew personal information in crew management business scenarios, and further promote the cross-border flow of crew personal information [4] in crew management business scenarios.
Note: Crew management scenario refers to the scenario in which shipping companies conduct identity identification, qualification review and other related operations on crew members before international shipping for the purpose of international seafarer service and seafarer's assignment abroad, combined with the entry and exit administration requirements of various countries.

3. Business sector (retail and catering, accommodation) data

In-depth interpretation:

(1) Retail enterprises, catering enterprises and accommodation enterprises do not involve important data that need to carry out data exit security assessment, and do not need to take the initiative to fulfill the legal obligations of important data processors such as identifying and reporting important data, clarifying the data security responsible person and management agency, and regularly carrying out risk assessment.

(2) Relax regulations on personal information leaving the country under the membership management scenario [5] in the retail, catering and accommodation industries, and further promote the cross-border flow of personal information under the membership management scenario in the retail, catering and accommodation industries.

Iv. Specific procedures for the use of the negative list for outbound data from Shanghai

IIv. Contact information of cross-border data services
For legal, policy, technical and other problems encountered in the use of the negative list, data processors can consult and seek support from institutions such as the local cross-border data service center. Contact information of the cross-border data Service Center:

footnote

[1] Underwriting and claims personal information includes de-identified personal information such as name, gender, age, nationality, occupation type, etc.

[2] If the contents of the Provisions on Promoting and Regulating Cross-border Data Flow are inconsistent with the Measures for Data Exit Security Assessment, the Provisions on Promoting and Regulating Cross-border Data Flow shall prevail.

[3] In case of inconsistency between the Provisions on Promoting and Regulating Cross-border Data Flow and the Standard Contractual Measures for the Departure of Personal Information, the Provisions on Promoting and Regulating Cross-border Data Flow shall prevail.

[4] Personal information of crew members includes name, gender, date of birth, place of birth, nationality, validity period, date of issue, issuing authority, issuing country code, signature of holder, navigation area, class, position, function, issuing officer, date of issue, etc.

Sensitive personal information of seafarers includes seamen's card number, certificate of competency number, bank card number, medical report and other data.

[5] Member management scenario refers to a management activity that enhances customer loyalty by collecting and analyzing customer information and providing personalized services and offers.