Capping four years of negotiations, officials of the European Parliament (EP) and the European Council of Ministers reached agreement Tuesday on a data protection directive for European Union (EU) member states that gives consumers greater control over the use of personal information collected through digital platforms.  The accord, in the words of one EP member, also gives businesses “legal certainty by creating one common data protection standard across Europe.”

Online service and technology firms that are based in the U.S. and that do business in the EU will be impacted by the directive.  Previously, the rules at the heart of Tuesday’s directive had been applied on a piecemeal basis by individual EU member governments.  The new law establishes an EU-wide national data privacy regulator that would serve as a single point of contact for affected businesses.  In addition to prescribing the conditions under which online firms may collect and share personal information gathered from users, the new law also (1) expands the rights of individuals to access and manage personal data online, (2) codifies the “right to be forgotten,” or the right of consumers to ask online firms to remove personal data that is outdated or no longer relevant, (3) forbids online firms from divulging personal data without express consumer consent, and (4) requires companies to notify national authorities of any reported data breach within three days.  Companies that violate these policies could be subject to fines of up to four percent of their global annual revenues. 

Jan Philipp Albrecht, the lead EP negotiator on the data directive, heralded the agreement as “a major step forward for consumer protection and competition” that “returns control over citizens’ personal data to citizens.”  Pending final EP approval, the rules are expected to go into effect by early 2017.