China passed a sweeping privacy law aimed at preventing businesses from collecting sensitive personal data Friday, as the country faces an uptick in internet scams, leaks and concerns about tech giants abusing clients' personal information.
Under the new rules passed by China's top legislative body, state-run and private companies handling personal information will be required to reduce data collection and obtain user consent.
The Chinese state security apparatus will maintain access to swathes of personal data, however, and Beijing has long been accused of harnessing big tech to accelerate repression in the northwestern Xinjiang province and elsewhere.
The new rules are also expected to further rattle China's tech sector, with companies like ride hailing giant Didi and gaming behemoth Tencent in regulators' crosshairs in recent months over misuse of personal data.
The law aims to protect those who "feel strongly about personal data being used for user profiling and by recommendation algorithms or the use of big data in setting [unfair] prices," a spokesman for the National People's Congress told state news agency Xinhua earlier this week.
It will prevent companies from setting different prices for the same service based on clients' shopping history, a common practice among Chinese online businesses.
The law is modelled after one of the world's strictest online privacy protection laws — the European Union's General Data Protection Regulation.
"China's new privacy regime is one of the toughest in the world," said Kendra Schaefer, a partner at Beijing-based consulting firm Trivium China. "China is not really looking at the short term with this law."
Instead, she said, it aims "to establish the foundations for the digital economy over the next 40 or 50 years."
The law also stipulates that the personal data of Chinese nationals cannot be transferred to countries with lower standards of data security than China — rules which may present problems for foreign businesses.
"The thing we're all on tenterhooks over is the issue of data transfer," Schaefer said.
"It poses a very interesting geopolitical conundrum, which is the US does not have a national privacy law."
Companies that fail to comply can face fines of up to 50 million yuan ($7.6 million) or five percent of a company's annual turnover.
Serious violators run the risk of losing their business licenses and being forced to shut down.