The European Commission, Parliament and Council late on Tuesday reached a deal paving the way for a uniform set of data protection rules to be rolled out across the EU.
Originally proposed in 2012, the legislation is designed to give consumers greater control over how their personal information is used, and to give businesses clarity about how they should treat customer information. The rules apply to companies in the EU and those based further afield but which offer services within the EU.
"We should not see privacy and data protection as holding back economic activities. They are, in fact, an essential competitive advantage. Today’s agreement builds a strong basis to help Europe develop innovative digital services," said Andrus Ansip, EU vice president for the Digital Single Market, in a statement.
One of the powers given to consumers will be the right to be forgotten, which will enable consumers to request that their personal information is deleted in cases where there are no legitimate grounds for retaining it. It will also be easier to transfer personal data from one service provider to another.
Companies must also obtain explicit consent before processing customer data. And if a company is hacked, they are required to notify the authorities and affected customers as soon as possible, or face penalties including fines of up to 4% of their annual turnover.
"Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation," said Vera Jourová, EU commissioner for justice, consumers and gender equality.
In addition, the new legislation is designed to help law enforcement authorities in member states exchange information to aid investigations and improve cooperation in a bid to counter terrorism and serious crime.
However, one analyst warned that some aspects of the EU’s new rules may already be outdated.
"Unambiguous consent…might be incredibly difficult to obtain in a few years’ time, when IoT applications will have become more widespread and will originate an almost uncontrolled flow of personal data," warned Luca Schiavoni, senior analyst, regulation at Ovum, in a research note on Wednesday.
He also pointed out that individual markets will still be responsible for enforcing the minimum age under which parental consent will be required for the use of services like Facebook, for example.
"This is likely to be disruptive for both online companies and young users," he said.
The final tex t of the EU’s data protection rules are due to be adopted at the beginning of 2016 and will become applicable in 2018.
