China passed a sweeping privacy law aimed at preventing businesses from collecting sensitive personal data Friday, as the country faces an uptick in internet scams and Beijing targets tech giants hoovering up personal data.
Under the new rules passed by China’s top legislative body, state and private entities handling personal information will be required to reduce data collection and obtain user consent.
The Chinese state security apparatus will maintain access to swathes of personal data, however. Beijing has long been accused of harnessing big tech to accelerate repression in the northwestern Xinjiang province and elsewhere.
The new rules are also expected to further rattle China’s tech sector, with companies like ride hailing giant Didi and gaming behemoth Tencent in regulators’ crosshairs in recent months over misuse of personal data.
Chinese tech stocks including Alibaba and Tencent dipped after Friday morning’s announcement.
The law aims to protect those who “feel strongly about personal data being used for user profiling and by recommendation algorithms or the use of big data in setting [unfair] prices,” a spokesman for the National People’s Congress told state news agency Xinhua earlier this week.
It will prevent companies from setting different prices for the same service based on clients’ shopping history.
Tens of thousands of consumers have complained about having to pay more for hailing a taxi using an iPhone than a cheaper mobile phone model or for tickets if they are profiled as a business traveller, China’s consumer protection watchdog said.
The law is modelled after the European Union’s General Data Protection Regulation, one of the world’s strictest online privacy protection laws.
“China’s new privacy regime is one of the toughest in the world,” said Kendra Schaefer, a partner at Beijing-based consulting firm Trivium China. “China is not really looking at the short term with this law.”
Instead, she said, it aims “to establish the foundations for the digital economy over the next 40 or 50 years.”
The law, which comes into effect on November 1, also stipulates that the personal data of Chinese nationals cannot be transferred to countries with lower standards of data security than China — rules which may present problems for foreign businesses.
Companies that fail to comply can face fines of up to 50 million yuan ($7.6 million) or five percent of their annual turnover.
The law says sensitive personal data includes information which if leaked can lead to “discrimination… or seriously threaten the safety of individuals” including race, ethnicity, religion, biometric data or a person’s whereabouts.
But Chinese cities across the country are peppered with surveillance cameras, some outfitted for facial recognition, collecting biometric information daily.
In the restive region of Xinjiang — home to most of China’s Uighur ethnic minority — rights groups say residents are forced to install software on their mobile phones that allow police to access their location, photos or text messages.