The European Parliament has given final approval to new General Data Protection Regulation (GDPR) legislation, which aims to update and harmonise procedures across the continent.
Lawmakers voted through the proposals on Thursday, four years after work to overhaul EU data protection rules began.
The GDPR replaces the current data protection directive, which dates back to 1995.
There are several key changes, including the introduction of a user’s right to be forgotten, the need for "clear and affirmative consent" by the person concerned to the processing of their private data, and privacy policies that are explained in “clear and understandable language”.
Users now have the right to know when their data has been hacked as well as the right to transfer data to another service provider.
Companies must appoint a data protection officer, while those who break the rules are liable to fines that can be up to four percent of total worldwide annual turnover.
Jan Philipp Albrecht, who steered the legislation through Parliament, said: "The general data protection regulation makes a high, uniform level of data protection throughout the EU a reality.
“This is a great success for the European Parliament and a fierce European 'yes' to strong consumer rights and competition in the digital age.”
The regulation will enter into force 20 days after its publication in the EU Official Journal, with Member States required to add it to their national laws within two years.
There are three exceptions.
The rules will only apply “to a limited extent” in the UK and Ireland due to their special status regarding justice and home affairs legislation.
Denmark has six months after the final adoption of the directive to decide if it wants to implement the regulation in its national law.
John Giusti, Chief Regulatory Officer of the GSMA, welcomed the decision but warned: “It is now up to European data privacy regulators to work together to ensure that the GDPR rules are implemented in a way that supports economic growth and improved competitiveness.
“Regulators will need to exercise particular care in interpreting GDPR requirements – around consent, profiling, pseudonymous data, privacy impact assessments and transfers of data to third countries – to avoid stifling innovation in the digital and mobile sectors.”
Giusti and others also warned that the 2002 e-Privacy Directive, which is part of the GDPR, needs more reform.
This Directive concerns the processing of data to prevent, investigate, detect or prosecute criminal offences or enforce criminal penalties.
The European Telecoms Network Operators Association said: “Provisions overlapping with the GDPR should be removed and we should promote a consistent set of protection standards for consumers, while ensuring that all players can innovate.”