On April 24, 2026, the Shanghai Cyberspace Administration and the Shanghai Data Administration jointly issued the Shanghai Data Export Negative List Management Measures (Trial), the accompanying 2025 negative list, and an implementation guide. The headline change is reach: a negative-list regime that since February 2025 applied only inside the China (Shanghai) Pilot Free Trade Zone and the Lingang Special Area now covers any data processor registered anywhere in Shanghai.
The mechanism matters more than the map. A negative list inverts the default. Under China's standing cross-border rules, an outbound transfer is presumed to require a compliance hurdle — a regulator security assessment, a filed standard contract, or certification. The negative list flips that presumption: if a data activity does not appear on the list, the processor may use simplified procedures or skip the Cyberspace Administration of China (CAC) security assessment and standard-contract filing altogether. The current list spans four sectors — reinsurance, international shipping, commercial trade, and meteorology — broken into nine business scenarios, 29 data sub-categories, and 109 specific data items.
The case for the wall China built
It is worth stating the strongest version of the regime this loosens, because it is not frivolous. China's data-localisation architecture — the 2017 Cybersecurity Law, the 2021 Data Security Law, and the 2021 Personal Information Protection Law (PIPL) — was built to do three things a serious state cares about: keep citizens' personal information from being harvested abroad, hold "important data" with national-security implications inside the country, and retain leverage over how foreign firms handle Chinese data. The CAC's security-assessment track, governed by the July 2022 Measures for Security Assessment of Data Export, is the most demanding of three transfer mechanisms. For genuinely sensitive flows — bulk sensitive personal data, critical-infrastructure datasets — a meaningful pre-transfer review is a defensible policy choice, not mere protectionism. Plenty of democracies impose their own export controls on sensitive data categories.
Why the negative list is the better instrument
The problem was never that China reviewed sensitive transfers. It was that the default treated every transfer as suspect until cleared. A multinational reconciling global payroll, a container line routing a cargo manifest, a reinsurer pricing a treaty across borders — all were swept toward the same assessment pipeline designed for the genuinely risky cases. The result was high fixed compliance cost, long lead times, and a chilling effect on routine business data that posed no security question at all.
The negative-list model is the proportionate correction. It front-loads the hard analytical work — naming the data that is actually sensitive — and then lets everything else move. This is the same logic the CAC itself adopted nationally in the March 22, 2024 Provisions on Promoting and Regulating Cross-Border Data Flows, which exempted outbound transfers of fewer than 100,000 individuals' non-sensitive personal information and carved out data needed for international trade, cross-border human-resources management, and contract performance. Shanghai is extending that logic one step further: from numerical thresholds to enumerated whitelists tied to concrete business scenarios. For a foreign-invested enterprise, "is my activity on the list?" is a far cheaper question to answer than "will my assessment pass?"
This is the right direction for an open digital economy. Cross-border data flow is not a loophole to be tolerated; it is the substrate of modern trade, research, and supply-chain coordination. A regime that defaults to permission and reserves friction for the demonstrably sensitive is more pro-growth than one that defaults to suspicion — and, crucially, it is no less protective of the data that genuinely warrants protection.
What is genuinely new — and what to watch
The 2025 list does real work beyond the geographic expansion. It adds meteorology as a covered sector and refines the international-shipping category with more granular classifications. It also pairs the list with a reference framework for identifying "important data" across 13 major sectors and 40 sub-categories, with quantitative triggers — datasets covering more than 10 million individuals' personal information, or more than one million individuals' sensitive personal information, can constitute important data. Clarity is itself a pro-innovation good: firms have spent three years guessing what "important data" means, and a concrete reference framework reduces the guesswork that paralyses compliance teams.
Three caveats keep this short of a clean win. First, the measures are explicitly a "Trial," which signals reversibility and leaves firms planning around rules that could tighten. Second, off-list does not mean unregulated — the Network Data Security Management Regulations and the underlying PIPL duties still bind, and a curated whitelist is still a state-curated whitelist. Third, the reform is Shanghai-specific, though the national "one place establishes, multiple places apply" principle (一地创新、多地复用) is designed to let other free-trade zones replicate validated lists, which is how a city pilot becomes a national norm.
The bottom line
Shanghai has not abandoned data localisation; it has made the regime smarter. By naming the sensitive categories and freeing the rest, the citywide negative list moves China's cross-border framework closer to the proportionate ideal — burden the risky, liberate the routine. The open question is whether Beijing treats Shanghai as a template to scale or a contained experiment. For firms operating in China, and for anyone arguing that data security and open data flows are compatible, the April 24 measures are the most encouraging signal in years.