On 24 April 2026, Shanghai extended its data export negative list from the free trade zone to the entire city — the first city-level list of its kind in China. The practical effect: if the data you move isn't on the list, you may be able to take a simplified route and skip the CAC security assessment or standard contract altogether. This is an important update to the three-route framework we set out earlier — but it is an exemption route, not deregulation.
- On 24 April 2026 the Shanghai Cyberspace Administration and the Shanghai Municipal Data Bureau jointly issued the Administrative Measures for the Shanghai Data Export Negative List (Trial), the 2025 Shanghai Data Export Negative List, and implementation guidance.
- Scope widened from the FTZ / Lin-gang to the whole city. Any processor registered in Shanghai exporting data from Shanghai may rely on it.
- Data off the list → a simplified or exempt route, bypassing the CAC security assessment or standard contract.
- Still mandatory: important data, high-volume sensitive personal information, and CIIOs.
- Not waived by the list: notice and consent, PIPIA, technical measures, export logging, and annual reporting.
What actually changed on 24 April 2026
The Shanghai Cyberspace Administration and the Shanghai Municipal Data Bureau jointly released three instruments: administrative measures for the negative list (on a trial basis), the 2025 list itself, and guidance on implementation.
The headline is scope. Earlier negative lists operated inside the free trade zone and Lin-gang. This one applies across Shanghai — a first at city level in China. In practice, a processor registered in Shanghai and exporting data from Shanghai may rely on the list, rather than only those with an FTZ footprint.
The 2025 list covers four industries: reinsurance, international shipping, commerce and trade (including retail, catering and accommodation), and meteorology. The updated version sets out 9 business scenarios, 29 sub-categories and 109 data items. Compared with the 2024 version, it adds meteorology and refines international shipping.
Alongside it, the important-data identification guidance covers 13 domains and 40 sub-categories. Indicative thresholds include personal information of more than 10 million people; sensitive personal information of more than 1 million people; and more than 100,000 people in higher-sensitivity sectors such as banking, insurance and healthcare.
An exemption route, not deregulation
This is where foreign teams most often over-read the news. The negative list does not repeal the transfer framework — it carves a lane through it.
The mechanism traces back to the CAC's Provisions on Promoting and Regulating Cross-border Data Flows, effective 22 March 2024. Those provisions raised the personal-information volume thresholds that trigger compliance procedures, created exemptions for scenarios such as international trade, cross-border transport, HR administration and contract performance, extended the validity of a security assessment from two years to three, and — critically here — authorised free trade zones to define their own data export negative lists, with off-list data exempt from the procedures. Shanghai's move takes that authority and applies it city-wide.
So the question changes shape. It is no longer only "which of the three routes do we take?" but "do we need a route at all for this flow?" If your data sits outside the list, the answer may be no. If it sits inside — or is important data — you are back to the framework, and the three routes still govern. For how those routes work, see our earlier guide to the three legal routes for PIPL cross-border data transfer.
What still requires a security assessment
Three categories remain firmly on the hook, whatever the list says:
- Important data. If your data is identified as important data, the list does not rescue you — a security assessment remains the route.
- High-volume sensitive personal information. Volume and sensitivity still drive the outcome.
- Critical information infrastructure operators (CIIOs). Status alone triggers assessment.
This is why the important-data identification guidance matters as much as the list. Before you conclude a flow is off-list, you need a defensible view of whether any of it is important data in the first place.
What the list does not waive
Even where a transfer is exempt from the assessment or standard contract, the underlying obligations survive:
- Notice and consent to data subjects, including separate consent where required.
- A personal-information protection impact assessment (PIPIA).
- Technical and organisational measures protecting the data.
- Export logging — records of what left, when, and to whom.
- Annual reporting.
Reading "we're off the list" as "we have nothing to do" is the fastest way to turn a genuine relaxation into an enforcement finding.
Where this leaves your transfers
If you have a Shanghai-registered entity, the practical sequence is short. Map the flows that actually leave China from Shanghai. For each, ask whether any element is important data, whether volumes cross the sensitive-personal-information thresholds, and whether you are a CIIO — if yes to any, plan for a security assessment. If no, check the flow against the 2025 list's scenarios and data items; off-list flows may take the simplified route. Then, either way, keep the groundwork current: notice, consent, PIPIA, logging and the annual report.
One caution on timing: the measures are issued on a trial basis, and the list is versioned — it changed between 2024 and 2025, adding meteorology and refining international shipping. A conclusion you reach today is tied to the list as it stands today. Build a re-check into your compliance calendar rather than treating the answer as permanent.
Frequently asked questions
It applies to data processors registered in Shanghai that export data from Shanghai. Unlike earlier lists limited to the free trade zone and Lin-gang, the April 2026 measures extend across the whole city — the first city-level list in China. Whether it helps a specific flow depends on whether that data appears on the 2025 list.
Potentially yes — off-list data may take a simplified or exempt route, bypassing the security assessment or standard contract. But this does not apply to important data, high volumes of sensitive personal information, or critical information infrastructure operators, which still require assessment.
Four: reinsurance, international shipping, commerce and trade (including retail, catering and accommodation), and meteorology. The updated version contains 9 business scenarios, 29 sub-categories and 109 data items; compared with 2024 it adds meteorology and refines international shipping.
The accompanying identification guidance covers 13 domains and 40 sub-categories. Indicative thresholds include personal information of more than 10 million people, sensitive personal information of more than 1 million people, and more than 100,000 people in higher-sensitivity sectors such as banking, insurance and healthcare. Identification should be assessed against the guidance on your actual data.
Yes. The negative list affects the transfer mechanism, not the underlying obligations. Notice and consent, the personal-information protection impact assessment, technical measures, export logging and annual reporting all continue to apply.
Sources
- Shanghai municipal government — official document page
- China Briefing — Shanghai data export negative list update (26 May 2026)
- Reed Smith — Beijing and Shanghai relax cross-border data transfer policies
- China Briefing — CAC Provisions on Promoting and Regulating Cross-border Data Flows (effective 22 March 2024)
This article is general information for foreign companies, not legal advice on any specific matter. Rules and practice change; please take advice on your facts.
