The new rules will require all 28 member states to replace and update their data protection laws, most of which pre-date social media, smartphones and e-shopping. And the rules will apply to all foreign companies that are doing business in the EU.
“Today’s agreement is a major step towards a digital single market. It will remove barriers and unlock opportunities,” said EU vice president Andrus Ansip. “The digital future of Europe can only be built on trust. With solid common standards for data protection, people can be sure they are in control of their personal information.”
Justice commissioner Věra Jourová added: “Citizens and businesses will profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation in a European digital single market.”
Under the new rules, individuals will have more information on how their data is processed and this information should be available in a clear and understandable way, said the European Commission.
It will be easier for people to transfer their personal data between service providers, and there will be a right to be forgotten, when they no longer want their data to be processed. Data will be have to be deleted if there are no legitimate grounds for retaining it.
Companies and organisations must notify the national supervisory authority of serious data breaches as soon as possible so that users can take appropriate measures.
The new rules have been agreed by the elected European Parliament with the Council of Ministers – representing government ministers in member states – and the European Commission, the administrative arm of the EU.
The final texts of the new rules will be formally adopted by the European Parliament and Council at the beginning of 2016 and will become applicable two years later.