China has passed a major new privacy law, in an effort to curb the power of big tech firms operating in the country.

The precise wording of the new Personal Information Protection Law (PIPL) has not yet been finalized. However, it to a large degree parallels the EU's General Data Protection Regulation (GDPR) and requires companies to limit their collection of personal data and obtain user consent for its use.

"At present, all aspects of society are highly concerned about new technologies and applications such as user portraits and algorithm recommendations, and have strongly responded to issues such as information harassment and 'big data killing' [big data analysis] in related products and services," says spokesperson Zang Tiewei.says spokesperson Zang Tiewei.

Companies may not refuse service to users that don't agree to data collection, unless it's impossible to provide those services without. Users can withdraw their consent at any time, and companies cannot invoke a "legitimate interest" defense. The personal data of children under 14, meanwhile, is subject to tighter laws.

There are also, as with GDPR, strict rules around the transfer of personal data outside the country, with fines for non-compliance.

"The provision of personal information overseas in accordance with the international treaties and agreements that my country has concluded or participated in, and the protection of personal information transferred overseas should not be lower than my country's protection standards," says Tiewei.