Firms face big fines under new EU data protection law

The European Union has agreed on a sweeping overhaul of fragmented data protection laws that will force companies to report data breaches and face huge fines for misusing personal data.

The new law enables EU national authorities to levy fines of up to 4 percent of revenues on firms breaking the law, which could mean billions of dollars for big tech companies like Alphabet Inc's Google, Microsoft and Facebook.

Member states and EU lawmakers have been negotiating since June to reach a compromise on the reform, which was proposed by the executive European Commission almost four years ago to replace a patchwork of national laws dating back to the 1990s.

Politicians hailed what they called a "breakthrough."

"Today everything is digital so we need rules for an enormous amount of issues and those rules have to be applicable, they have to be sensitive, they have to understandable for every normal user," said Felix Braz, minister of justice of Luxembourg, which led the negotiations on behalf of member states.

Under the new data protection regulation, companies will face tighter restrictions on how they reuse Europeans' data, something that will be of concern particularly to tech companies that hold swathes of personal information and use it for advertising.

Privacy concerns over where data is stored and how it is used are rife in Europe, especially after former US National Security Agency contractor Edward Snowden revealed how US authorities harvested information directly from tech companies like Apple Inc and Microsoft.

Companies will have to report breaches that are likely to harm individuals to national authorities within 72 hours, something legal experts expect will reveal the true scale of data breaches in Europe.

Seeking to make operating across the 28-country EU easier for companies, the new law establishes a single regulator for multinationals in the country where they have their European headquarters, the so-called "one-stop-shop."

However, uncertainty over how national data protection authorities will be able to cooperate will lead to years of litigation, lawyers say.

"This will come, it cannot be avoided," said Jörg Hladjk, a lawyer at Hunton & Williams.

Australia is currently consulting with industry on how to introduce its own mandatory data breach reporting laws.

The current exposure draft requires organisations who suffer a serious breach to notify customers and the Privacy Commissioner as soon as they become aware of the incident, with potential fines for those who don't meet their obligations.

Right to be forgotten

EU businesses will have to get people's "explicit" consent to use their data - something they have said is unwieldy when dealing with huge sets of data - and appoint a data protection officer to oversee privacy issues.

The regulation also enshrines the "right to be forgotten", giving EU citizens the right to have obsolete information about them deleted from the web, an issue that generated heated debate last year when Google was ordered to scrub search results appearing under a person's name.

Teenagers under 16 wishing to sign up for social networks like Facebook and Twitter will be able to do so only with their parents' permission, unless individual countries opt out and lower the threshold to 13.

Today's agreement also includes a law protecting personal data shared between law enforcement authorities.

The agreement is subject to final endorsement by both the European Parliament and EU member states, expected by early next week.