The European Union agreed on a sweeping overhaul of fragmented data protection laws on Tuesday that will force companies to report data breaches and face huge fines for misusing personal data.
The new law enables EU national authorities to levy fines of up to 4 percent of revenues on firms breaking the law, which could mean billions of dollars for big tech companies like Alphabet Inc.'s Google, Microsoft Corp. and Facebook Inc.
Member states and EU lawmakers have been negotiating since June to reach a compromise on the reform, which was proposed by the executive European Commission almost four years ago to replace a patchwork of national laws dating back to the 1990s.
Politicians hailed what they called a "breakthrough."
"Today everything is digital so we need rules for an enormous amount of issues and those rules have to be applicable, they have to be sensitive, they have to understandable for every normal user," said Felix Braz, minister of justice of Luxembourg, which holds the rotating EU presidency and therefore led the negotiations on behalf of member states.
Under the new data protection regulation, companies will face tighter restrictions on how they reuse Europeans' data, something that will be of concern particularly to tech companies that hold swathes of personal information and use it for advertising.
Privacy concerns over where data is stored and how it is used are rife in Europe, especially after former U.S. National Security Agency contractor Edward Snowden revealed how U.S. authorities harvested information directly from tech companies like Apple Inc and Microsoft.
Companies will have to report breaches that are likely to harm individuals to national authorities within 72 hours, something legal experts expect will reveal the true scale of data breaches in Europe.
Seeking to make operating across the 28-country EU easier for companies, the new law establishes a single regulator for multi-nationals in the country where they have their European headquarters, the so-called "one-stop shop."
However, uncertainty over how national data protection authorities will be able to cooperate will lead to years of litigation, lawyers say.
"This will come, it cannot be avoided," said Jörg Hladjk, a lawyer at Hunton & Williams.
Right to be forgotten
Businesses will have to get people's "explicit" consent to use their data -- something they have said is unwieldy when dealing with huge sets of data -- and appoint a data-protection officer to oversee privacy issues.
The regulation also enshrines the "right to be forgotten" giving EU citizens the right to have obsolete information about them deleted from the web, an issue that generated heated debate last year when Google was ordered to scrub search results appearing under a person's name.
Teenagers under 16 wishing to sign up for social networks like Facebook and Twitter Inc. will be able to do so only with their parents' permission, unless individual countries opt out and lower the threshold to 13.
Tuesday's agreement also includes a law protecting personal data shared between law enforcement authorities.
The agreement is subject to final endorsement by both the European Parliament and EU member states, expected by early next week.
(Additional reporting by Alissa de Carbonnel in Strasbourg, France; Editing by Barbara Lewis, Susan Thomas, Larry King and Lisa Shumaker)