When the Hainan FTP went fully operational as a separate customs zone in December 2025, Beijing hailed it as a milestone in its opening-up strategy. But this has sparked a sharper question: can Hainan’s new status ease Beijing’s tight control on cross-border data flows? For firms grappling with rising compliance costs under PRC data rules, the answer shapes daily operations and long-term strategy.
PRC data rules vs. Hainan flexibility
Outbound data transfers from the PRC have, since 2021, operated under a dense web of security assessments and reporting requirements; large companies must justify transfers via exhaustive documentation. The resulting compliance burden reshapes MNC management and ‘games of interest’ between headquarters and local PRC entities.
Beijing responded with carefully bounded experiments. Following release in March 2024 of ‘provisions on promoting and regulating cross-border data flows’, (the new data export regulations), FTZ authorities are allowed to apply negative lists to control data export. Varying from place to place, this is more flexible than national-level audits: data not deemed ‘sensitive’ in the FTZ may flow freely; other categories are subject to review.
how is Hainan different?
In this set-up, Hainan’s ‘Cross-border data transfer policy’ commands attention. The island province is strategically positioned, an autonomous entity approaching the level of a special district. No standard port, it functions as a distinct locus of political and economic liberalisation.
Regulatory autonomy is undergirded by the Law of the PRC on the Hainan Free Trade Port. This legitimates exploring global data transfer region by region, and provincial pilots in data-related policy.
Hainan’s orientation toward ASEAN and RCEP markets comes into play, enabling seamless cross-border movement of logistics, supply chain, and management data. Insularity and weak linkage to core mainland industrial corridors make it well-suited for regulatory pilots. These traits allow Beijing to grant space for globally embedded firms, lowering systemic risks associated with data liberalisation.
Hainan’s negative lists
Hainan FTP officially issued its negative list for data exports in February 2025. Only data transfers in this list merit heightened cross-border compliance procedures (security assessment, standard contract filing, or certification), while other transfers remain subject to general data governance rules (including restrictions on important, core, and public-sector data, data collection obligation, etc). Specific domains (subdivided into 14 business scenarios) require prior approval and include clear definitions of data subcategories, attributes, scope, and management requirements.
deep sea
resource and environmental data: regarding marine exploration, seabed minerals, exclusive economic zone surveys, and deep-sea environmental monitoring (hydrology, chemistry, ecosystems)
infrastructure: operational data regarding subsea cables, communication networks, and navigation positioning
exemption: for basic research data generated by scientific institutions, unless national security is at stake
aerospace
remote sensing: high-resolution observation data of foreign territories, sensitive areas, or data received outside China.
technical cooperation: data generated by international collaborations, e.g., tech parameters, reliability analyses, and experiment results.
seed industry
genetic resources: data on crop/livestock germplasm, genetic sequencing, and molecular markers
R&D and tech: proprietary data on new variety breeding, processing techniques, and storage technologies (e.g. specific temperature/humidity parameters)
core operational data from major seed enterprises, including sales networks and strategic client information.
tourism and duty-free retail
(separately regulated domains subject to substantially similar personal information thresholds)
restrictions in these sectors focus entirely on the volume and sensitivity of Personal Information (PI) exported annually.
high restriction (Security Assessment Required)
exporting non-sensitive PI of over 1 million individuals/year
exporting sensitive PI (e.g. biometrics, IDs, financial details, travel tracks) of over 10,000 individuals/year
medium restriction (standard contract/certification required)
exporting non-sensitive PI of 100,000 to 1 million individuals/year
exporting sensitive PI of less than 10,000 individuals/year
While Tianjin, Beijing, Shanghai, and Zhejiang operate under wide negative lists—ranging from 46 to 134 restricted items—Hainan streamlines them to just 14 scenarios, a distinct approach to ‘managed openness.‘
In major hubs like Shanghai or Zhejiang, dense and highly granular restrictions are preferred, easing ambiguity and risk across industrial ecosystems. Hainan, by contrast, fixes oversight on a narrow set of sensitive areas. Most commercial data still circulate with low intervention. Routine business is insulated from national security issues.
FDI gains vs. maturity gaps
For foreign-invested firms, this offers operational advantages. The negative-lists follow a ‘permitted unless prohibited‘ logic. Restrictions are limited to national security and public interest categories. Firms engaged in re-export, advanced manufacturing, and other globally integrated activities are attracted.
Beyond rules, Hainan is building enabling infrastructure, e.g. global data-centre services and dedicated cross-border transmission, aimed at reducing practical frictions.
Yet structural constraints remain. Hainan’s foreign-invested economy is young and limited, lacking experience or the many precedent cases found in the likes of Shanghai. As outbound data cases mount, regulatory adjustment and operational uncertainty are likely to persist. While the overall policy direction is unlikely to alter, firms should expect deployment practice to evolve.
data engineers
Hong Yanqing 洪延青 | Beijing Institute of Technology professor
Authorising FTZs to create negative lists is a shift from strict ‘security first‘ to ‘balancing security and development,‘ explains Professor Hong: beyond ‘tightening the fence‘, it lowers compliance costs. Such pilots are ‘stress tests‘ for aligning with high-standard global rules: facilitating data flow, building experience in negotiation on duty-free electronic transmission, and co-recognition of privacy standards.
Cybersecurity pundit Hong is a member of the National Information Security Standardisation Technical Committee (TC260), drafting national standards in privacy and cross-border data flows. Previously with the Cybersecurity Administration of China and now teaching at BIT and PKU, he is a member of the Ministry of Commerce’s Legal Working Group on Free Trade Agreements and often represents the PRC in talks with Europe and the US. He heads the Data Security Group for the Beijing Pilot FTZ’s Expert Working Group on the Digital Economy.
Dong Xuegeng 董学耕 | former director of Hainan Big Data Administrative Bureau
Hainan’s cross-border data regime stands out for its industry-focused rules and streamlined oversight through negative lists. By prioritising sectors such as aerospace, deep-sea tech, tourism and modern services, it shifts from heavy pre-approval to stronger in-process and post-event supervision—allowing compliant firms to export non-sensitive data more efficiently while reducing regulatory uncertainty.
Dong highlights Hainan’s pioneering legislation on international data centres and its ‘three-mode’ framework for cross-border data flows. Matched with greater openness and alignment with global standards such as DEPA and CPTPP, these measures are set to enable overseas-oriented data processing, regulated data exports and rule mutual recognition—positioning Hainan as a regional digital hub.
A technocrat with a PhD in theoretical physics from Lanzhou University, Dong enjoys the rank of senior engineer. He has served in multiple senior posts in Hainan since 2011, with senior Party roles in the Department of Industry and Information Technology, the Big Data Administration, and the Business Environment Construction Department.