On May 17, the Lingang New Area of the Shanghai Free Trade Zone released the first batch of cross-border scenario-based general data lists in China. The list covers 11 scenarios for intelligent networked vehicles, public funds, and biomedicine, and is applicable to data processors registered within the Shanghai Free Trade Zone and the Lingang Special Area and carrying out activities related to cross-border data flow in the Lingang Special Area. Following the principle of "from enterprises to industries, from cases to lists, and from positive to negative", the Lingang Special Area has launched a general data list of cross-border scenarios based on the real orientation of enterprises. As a pilot free trade zone, the Lingang Special Area has "explored new paths and tried out the system", opening the way to explore the cross-border data flow mechanism.
Lingang explores the path of cross-border data flow: from a positive list to a negative list
In 2022, the Cyberspace Administration of China (CAC) issued the Measures for Security Assessment of Cross-border Data Transfer, which clearly stipulates the cross-border assessment of important and sensitive data. In March 2024, the Cyberspace Administration of China (CAC) issued the Provisions on Promoting and Regulating Cross-border Data Flows, which stipulates that pilot free trade zones shall formulate their own "negative lists" for data exports. Unlike other pilot free trade zones, the Lingang Special Area explores the path of data export from a positive list to a negative list.
"At the beginning of the sprout, ready to move"
When the Lingang Special Area was established in 2019, there were no framework guidelines to refer to in China for exploring the mechanism of cross-border data flow, let alone the term "pilot free trade zones formulate their own negative lists". At that time, only the Cybersecurity Law was implemented in China. Article 37 proposes a security assessment system for the export of personal information and important data. In November 2021, the Shanghai Municipal Data Regulations were promulgated. Among them, it is clearly required that Lingang explore the formulation of a low-risk cross-border flow data catalog. At that time, the Measures for the Security Assessment of Cross-border Data Transfers had not yet been promulgated, and there was no "negative list" in China. In this context, the Lingang Data Office and cross-border digital technology companies came up with the idea of exploring a "low-risk cross-border data catalog", which also includes data that does not have the risk of leaving the country in the list for reference when enterprises registered in the Lingang Special Area carry out cross-border data activities.
"Crossing the river by feeling the stones"
The cross-border transfer of data is an extremely complex activity. Data transmission is not only invisible and intangible, but also prone to unexpected accidents in the process. At the same time, the export of data has a strong scenario, and the reasonableness, legitimacy, and necessity of the same field in different scenarios are also different. Based on the complexity, professionalism and scenario-based characteristics of data export, the Lingang Data Office and Cross-border Digital Technology led the team to assess and demonstrate the risks of scenario-based data export. On the one hand, based on the needs of regional and urban development. The Lingang Special Area does not start with the compilation of a list of all fields, but focuses on the five key development areas in Shanghai to respond to the real outbound needs of enterprises in the process of business development in specific scenarios. The Lingang Data Office convened experts to take the lead in conducting risk assessments of data export in some scenarios for enterprises in the three industries of intelligent connected vehicles, biomedicine and public funds. If there is no risk, scenarios, data categories, and fields are included in the General Data List. On the other hand, respond to the need for a "actionable" checklist. The positive list released this time covers a total of 11 scenarios, 64 data categories, and more than 600 data fields in the above three industries. The granularity of the list is fine, which is convenient for enterprises to benchmark. Taking the intelligent connected car as an example, the list involves four scenarios: multinational manufacturing, global R&D and testing, global after-sales service, and global trade of used cars, with a total of 23 data categories and 158 data fields. This effectively solves the real needs of car companies for data export in the main links of the whole process from production and manufacturing to after-sales circulation.
"Walking on two legs"
Since the release of the "Regulations", the industry has been exploring its own important data catalog. Until the industry's important data catalog is published, the path from a positive list to a negative list is desirable. On the one hand, the positive list with fine granularity and strong operability can accumulate more scenario cases and is in the process of dynamic update. Enterprises benchmark positive lists in practice. If the data in the same scenario is exported abroad, it can be exempted from declaration. If the scenario or transmitted data fields change, the experts will reassess the risk of the data export scenario. This exploration keeps the positive list dynamically updated. On the other hand, the positive list of scenarios is constantly updated to accumulate experience for the release of a negative list with a reasonable scope, evidence, and operability. Whether it's a positive or negative list, the logic and purpose are the same. The logic is to take the scenario-based export of enterprise data as the entry point, and the purpose is to assess the risks arising from the export of data in order to judge whether to allow the export. The ultimate goal of exploring positive lists is to publish negative lists. In the process of "walking on two legs", Lingang not only provides enterprises with better perception, but also creates a better business environment.
A replicable and scalable "port path": enriching the global data governance toolbox
Data is the new factor of production in the digital age. Facilitating the cross-border flow of data not only enhances the vitality of the global economy, but also promotes scientific and technological innovation and enhances the digital well-being of global citizens. These conveniences are achieved under the premise of ensuring the security of cross-border data flows. The "dynamic" and "systematic" aspects of cross-border data are a major contradiction in data governance. At present, governments are still in the exploration stage of how to establish a balanced, coordinated and sustainable data governance mechanism. The security assessment of cross-border data transfer is proposed by China and has become an important part of the Chinese model of cross-border data flow.
Based on a large number of cases, Lingang has built a systematic process through declaration services, evidence storage and backup, and security supervision chain. From institutional mechanisms, to landing services, to supervision, with scenario-based whitelists and green channels for service centers, the cross-border data flow needs of enterprises in the process of business development have been systematically solved in Lingang. Transitioning from a dynamically scrolling positive list to a limited-scope, reliable negative list, the "port path" explored by the cross-border data flow model can be replicated and promoted, and may become China's contribution to global data governance in the future. As a rising digital economy power, China's pilot free trade zone represented by Lingang is the first to explore and build a new model of cross-border data management for the country, which is of great practical significance for the mainland to win the first opportunity in international negotiations and international governance in the field of data.
Related link: Global map of cross-border data flows
The European Union (EU) is the first international actor to establish a legal system for cross-border data flows. In 2018, the European Union implemented the General Data Protection Regulation (GDPR). It provides for the free cross-border flow of data between the EU and third countries on the whitelist. The eligibility of a third country to enter the EU white list is subject to an assessment by the European Commission. Currently, there are 15 economies on the European Commission's white list. If a third country is not whitelisted, companies in that country may transfer data to the EU, for example, using Standard Contractual Clauses or Binding Corporate Rules. Third-country companies are required to provide documentation that meets EU requirements to demonstrate their ability to protect the data transferred.
Compared with the stricter regulatory policies of the European Union, the United States advocates the free flow of data across borders, and the domestic government mainly adopts an industry self-discipline model to assist in more relaxed government supervision for data protection. At the same time, the United States has successively promulgated the Foreign Investment Risk Assessment Modernization Act and the Export Control Regulations to take restrictive measures on the export of data in key areas.
The cross-border data flow system in mainland China is being explored. The Cybersecurity Law implemented in 2017, the Data Security Law and the Personal Information Protection Law implemented in 2021 basically constitute the legal system for cross-border data flows, and clarify three types of data export that need to be subject to supervision: security assessment by the cyberspace administration, filing of standard contracts for personal information export, and personal information protection certification. Of these, the latter two have similar provisions in EU law. The security assessment of cross-border data transfer is proposed by China and has become an important part of the Chinese model of cross-border data flow.
In August 2023, the "Opinions of the State Council on Further Optimizing the Foreign Investment Environment and Increasing the Efforts to Attract Foreign Investment" pointed out that it is necessary to explore a convenient security supervision mechanism for cross-border data flows, support Shanghai and other places to pilot the formation of a general data list that can flow freely, build service platforms, and provide compliance services for cross-border data flows. In December 2023, the "Overall Plan for Promoting High-level Institutional Opening-up in the China (Shanghai) Pilot Free Trade Zone in Comprehensively Aligning with International High-standard Economic and Trade Rules" pointed out that the Shanghai Pilot Free Trade Zone will be supported to take the lead in formulating important data catalogs in accordance with the data classification and hierarchical protection system. In March 2024, the Provisions on the System for Promoting and Regulating Cross-border Data Flows authorizes pilot free trade zones to formulate their own data lists (hereinafter referred to as negative lists) that need to be included in the security assessment of data exports, standard contracts for cross-border personal information transfer, and personal information protection certification management within the framework of the national data classification and hierarchical protection protection system.
(The author is a professor at the Institute of Foreign-related Rule of Law at East China University of Political Science and Law, and a researcher at the Shanghai Association of Artificial Intelligence and Social Development)
