On August 30, 2024, the Beijing Municipal Internet Information Office, Beijing Municipal Commerce Bureau and Beijing Municipal Government Services and Data Administration Bureau (“Regulator”) jointly issued the Data Export Management List (Negative List) of China (Beijing) Pilot Free Trade Zone (Version 2024) (“Negative List”) and the Administrative Measures for the Negative List (“Administrative Measures”).
The Administrative Measures propose rules referencing 13 categories and 41 subcategories of data and for uniform identification of important data. The Negative List lists five industries – automotive, pharmaceutical, retail, civil aviation and artificial intelligence – which are more important in practice for cross-border data transfers and outlines 23 business scenarios and 198 data elements for these industries. In certain of these scenarios, the Negative List relaxes the thresholds triggering the need for the security assessment, filing of the standard contract for cross-border transfers (“SC”) and certification of protection of personal information. The Regulator will update the Negative List over time as needed.
Applicable Entities
The Administrative Measures and Negative List apply to data handlers registered in the Beijing Municipal Pilot Free Trade Zone.
Important Data
If a data handler registered in the Beijing Pilot Free Trade Zone holds the following data, such data would be treated as “important data” and subject to stricter regulation:
- personal information of more than 10 million individuals (excluding sensitive personal information);
- sensitive personal information of more than one million individuals;
- certain sensitive personal information of more than 100,000 individuals (e.g., relating to personal bank accounts, personal insurance accounts, personal registration accounts, personal diagnostic and treatment data);
- personal information of more than 100,000 individuals held by operators recognized by the State as critical information infrastructure (“CII”);
- high-value sensitive data related to industry competitiveness and industry production safety collected and generated during the R&D and design process, production and manufacturing process, and operation and management process;
- data related to the supply chain involving national security;
- parameters of automatic control systems and control, operation and maintenance, and test data; and
- other important data in certain industries and fields.
Procedure for Cross-border Transfer by Application to the Negative List
If the data handler intends to rely on the Negative List for its data export activities, it must submit specified documentation through the Facilitated Service Platform of Beijing Municipal Data Cross-border Transfer (“Platform”) to the competent department of the Pilot Free Trade Zone in the district where it is registered (“Department”). The Department must publish the conclusion of its review on the Platform within five business days after submission of the application documents. After passing the review, the data handler must submit a filing for the data export activities. The Department must inform the data handler of the preliminary review opinion on whether its data export activities fall into the Negative List within five working days after receipt of the filing documents. Upon completion of review of the filing, the Department must issue the filing notice. If the Department determines that the data export activities fall outside of the Negative List, the data handler may carry out the data export freely pursuant to the Administrative Measures. If the data export activities fall within the Negative List, the data handler must conduct the security assessment, file the SC or certify protection of personal information.
Negative List for the Retail and Modern Service Industry
The Negative List, in addition to identifying covered personal information and sensitive personal information, relaxes the thresholds triggering the need for the security assessment, filing of the SC or certification of protection of personal information only for the membership management scenario. In particular, the Negative List clarifies the scope of membership personal information, which includes but is not limited to name, nickname, contact information, gender/designation, region, address (including zip code, only if consumers choose international logistics or door-to-door after-sales service), user ID, member account number (other network identification information can be used) or number, nationality, age, date of birth, order number, serial number of the product identification code, members’ preferences (limited to the type of product, the number of digits, the preference language, the points redemption), title, and employer, transaction and consumption records that do not directly reflect personal property information (including the name of the product, time of purchase, purchase records, total price, type of transaction, member payment points, balance of member points, currency type), etc.
Also, the Negative List provides that the following personal information is sensitive personal information:
- personal Internet browsing records (activity booking records, software lists, etc.), commonly used device information (MAC address and device serial number only), and member login verification information.
Scenario 1: Membership management
The data handler must conduct the security assessment for:
- cross-border transfer of more than five million (previously one million) individual customers’ membership personal information (excluding sensitive personal information) from January 1 of this year; or
- cross-border transfer of more than one million (previously 10,000) individual customers’ membership sensitive personal information from January 1 of this year.
The data handler must conduct the filing of the SC or certification of protection of personal information for:
- cross-border transfer of between 500,000 and 5 million (previously between 100,000 and 1 million) individual customers’ membership personal information (excluding sensitive personal information) from January 1 of this year; or
- cross-border transfer of between 100,000 and 1 million (previously less than 10,000) individual customers’ membership sensitive personal information from January 1 of this year.
The thresholds in all other scenarios in the retail and modern service industry remain unchanged.
Negative List for the Automobile Industry
Important data
In the automobile industry, the Negative List does not relax the thresholds triggering the need for the security assessment, filing of the SC or certification of protection of personal information but provides that the following data is important data in the automobile industry:
- geographic information, staff flow, vehicle flow and other data involving military administration zones, national defense science and industry units, and important and sensitive areas such as party and governmental offices at or above the county level; and inappropriately disclosed information generated in the process of providing car networking information services to governmental organs, military industrial enterprises and other sensitive and important institutions;
- data of vehicle traffic, logistics, etc. reflecting economic performance;
- data that can reflect the operation of the network of charging facilities for vehicles in a certain region;
- out-of-vehicle video and image containing face information, plate information, street sign information, etc.;
- key Telematics data including vehicle remote control, vehicle operating conditions, etc.;
- data that contains online upgrading data such as vehicle control; data that contains aftermarket data such as electronic control units;
- data related to cyber-attacks that may be exploited to implement disruptions to the supply chain of critical equipment and system components of the Internet of Vehicles in order to launch high and persistent threats; data that may reflect to a certain extent the cybersecurity protection of critical information infrastructures (CII) in the transportation, traffic, and other industries and that may be exploited to implement cyber-attacks against the CII of the Internet of Vehicles; data related to the CII involved in the Internet of Vehicles' information services.
The Negative List is applicable to automobile manufacturers, parts and software suppliers, dealers, maintenance enterprises, and mobility service enterprises, etc., but not to autonomous driving enterprises. Sensitive personal information in the automobile industry includes vehicle tracking, audio, video, image and biometric information.
Negative List for the Medical Industry
Important data
In the medical industry, the Negative List specifies that the following data are important data:
- diagnosis and treatment, health and physiological conditions, medical rescue and protection data, and experimental data on specific medicines for groups at or above a certain size;
Examples: Diagnosis and treatment data in the medical field involving more than 100,000 individuals, such as medical records, images, pathology, blood tests, genetic tests, etc., which are related to the life, health and safety of the people, the database of electronic medical records of more than 100,000 individuals and the database of health records of more than 100,000 individuals, as well as the results of mining and analysis of the above data, etc.; the data on the production, supply and protection of major medical supplies, such as important vaccines and strategically important basic medicines, etc.; and pharmaceutical experimental data, and experimental data related to the pharmaceutical manufacturing process and manufacturing facilities, which are related to national security.
- biometric data and medical resource data above a certain size in specific fields, groups and regions (note that biometric data includes physical, physiological or behavioral data, and medical resource data includes the number of medical and healthcare institutions, the number of beds, the number of medical and healthcare personnel, etc.);
- data subject to export control or technology export administration; and
- certain genetic data, including genetic data up to the scale or accuracy provided by the relevant State departments (note that transfer of this type of data also requires approval/filing by the National Health Commission in addition to the security assessment by the Cyberspace Administration of China (the “CAC”). Clinical data, image, protein data and metabolic data are not considered to be genetic data.).
Cross-border Transfer of Personal Information
Scenario 1: Clinical trial and pharmaceutical development
In cases of cross-border transfer of an individual’s basic personal information, medical treatment and health and physiological information, cumulative transfer of more than 50,000 (previously 10,000) individuals from January 1 of this year triggers the need for the security assessment and cumulative transfer of between 10,000 and 50,000 (previously less than 10,000) individuals from January 1 of this year triggers the need to file the SC.
Scenario 2: Pharmacovigilance, product complaints and medical inquiry
In cases of cross-border transfer of an individual’s basic personal information, medical treatment and health and physiological information, cumulative transfer of more than 100,000 (previously 10,000) individuals from January 1 of this year triggers the need for the security assessment and cumulative transfer of between 10,000 and 100,000 (previously less than 10,000) individuals from January 1 of this year triggers the need to file the SC.
Please note the above relaxed thresholds are not applicable to the following data:
- the patient's real name and contact information; the patient’s diagnosis and treatment and health and physiological information including medical history, allergy history, living habits, information or description of adverse reaction events, diagnosis and treatment records, medication records, test and examination reports, hospitalization records.
Scenario 3: Clinical trial, pharmaceutical development, healthcare professionals administration, pharmacovigilance, product complaints and medical inquiry
In cases of cross-border transfer of personal information of medical healthcare professionals, clinical trial researchers, and non-patient reporters of adverse reactions, product complainants, and medical inquirers, where the cumulative transfer from January 1 of this year exceeds 200,000 individuals’ personal information (including sensitive personal information), the data handler is subject to the security assessment.
Scenario 4: Clinical trial, pharmaceutical development, healthcare professionals administration, pharmacovigilance, product complaints and medical inquiry
In cases of cross-border transfer of sensitive personal information of medical healthcare professionals, clinical trial researchers, and non-patient reporters of adverse reactions, product complainants, and medical inquirers, cumulative transfer of more than 100,000 (previously 10,000) individuals from January 1 of this year triggers the need for the security assessment and cumulative transfer of between 10,000 and 100,000 (previously less than 10,000) individuals from January 1 of this year triggers the need to file the SC.
Negative List for the Civil Aviation Industry
Important data
In the civil aviation industry, important data include flight data recorder data, voice recorder data and aircraft health condition monitoring data in civil aircraft incidents, and data subject to export control or technology export administration.
Cross-border transfer of personal data
Scenario 1: customer service
The data handler shall conduct the security assessment for the following cross-border transfer activities:
- cross-border transfer of more than five million (previously one million) individuals’ personal information (excluding sensitive personal information) from January 1 of this year; and
- cross-border transfer of more than 100,000 (previously 10,000) individuals’ sensitive personal information from January 1 of this year.
The data handler shall conduct the filing of the SC or certification of protection of personal information for the following cross-border transfer activities:
- cross-border transfer of between 50,000 and five million (previously between 100,000 and one million) individuals’ personal information (excluding sensitive personal information) from January 1 of this year; and
- cross-border transfer of between 100,000 and one million (previously less than 10,000) individuals’ sensitive personal information from January 1 of this year.
Thresholds in all the other scenarios in the civil aviation industry remain unchanged.
Negative List for the AI Industry
Important data
In the AI industry, important data includes:
- high-value sensitive data related to industry competitiveness collected and generated during the R&D design process;
- content involving audio, image and text that may endanger national security, economic operation, social stability and public health and security once tampered with, damaged, leaked, illegally obtained and illegally used; and
- data subject to export control or technology export administration.
Cross-border transfer of personal information
Scenario 1: model training, algorithm development and product testing
The data handler shall conduct security assessment for the following cross-border transfer activities:
- cross-border transfer of more than 50,000 (previously 10,000) individuals’ sensitive personal information that is voice data from January 1 of this year;
- cross-border transfer of more than 50,000 (previously 10,000) individuals’ sensitive personal information that is image data from January 1 of this year; and
- cross-border transfer of more than 100,000 (previously 10,000) individuals’ sensitive personal information that is text data from January 1 of this year.
The data handler shall conduct filing of the SC or certification of protection of personal information for the following cross-border transfer activities:
- cross-border transfer of between 10,000 and 50,000 (previously less than 10,000) individuals’ personal information that is voice data from January 1 of this year;
- cross-border transfer of between 100,000 and one million (previously less than 10,000) individuals’ sensitive personal information that is image data from January 1 of this year;
- cross-border transfer of between 10,000 and 100,000 (previously less than 10,000) individuals’ sensitive personal information that is text data from January 1 of this year.
Thresholds for all the other scenarios in the AI industry remain unchanged.