BEIJING — China on Friday passed a sweeping privacy law aimed at banning companies from collecting sensitive personal information as the country faces a rise in internet fraud and Beijing targets tech giants, technology that siphons personal information.
Under the new rules, passed by China’s top legislature, government and private entities that process personal information must reduce data collection and seek user consent.
However, the Chinese state security apparatus retains access to large amounts of personal data.
The new rules are also expected to further shake up China’s tech sector, as companies like ride-hailing giant Didi and gaming giant Tencent have been in the crosshairs of regulators for misusing personal data in recent months.
Chinese tech stocks like Alibaba and Tencent tumbled after Friday morning’s announcement.
The law aims to protect those who have “strong concerns about the use of personal data for user profiling and through recommendation algorithms, or the use of big data to set [unfair] prices”, said a spokesman for the National People’s Congress.
This will prevent companies from setting different prices for the same service based on customers’ purchase history.
Tens of thousands of consumers have complained that they have to pay more to order a taxi with an iPhone than for a cheaper cellphone model or for tickets if they are profiled as business travellers, the agency of Chinese consumer protection said.
The law is inspired by the European Union’s General Data Protection Regulation, one of the world’s strictest internet privacy laws.
“China’s new privacy regime is one of the toughest in the world,” said Kendra Schaefer, a partner at Beijing-based consultancy Trivium China.
“China is not really looking at the short term with this law.”
Instead, she said, it aims to “lay the foundation for the digital economy over the next 40 or 50 years.”
The law, which comes into force on November 1, also stipulates that the personal data of Chinese nationals cannot be transferred to countries with lower data protection standards than China – a regulation that can cause problems for foreign companies.
Companies that fail to comply can face fines of up to 50 million yuan ($7.6 million), or 5% of their annual revenue.
The law states that sensitive personal information includes information that, if disclosed, could result in “discrimination…or a serious threat to the safety of any person”, including race, ethnicity, religion, biometrics or anyone.
