(Bloomberg) -- Companies from banks to U.S. technology giants risk fines of as much as 4 percent of their global annual sales if they fail to protect their customers’ data, under a European Union deal to beef up the powers of privacy regulators across the 28-nation bloc.

EU negotiators in Strasbourg, France, on Tuesday sealed the historic deal almost four years after the first proposals to overhaul the bloc’s 1995 data-protection law. Once the agreement is rubber-stamped by lawmakers and EU governments, the rules are expected to take effect from 2018.

Measures to regulate the use of personal data in law enforcement and criminal prosecutions also won approval, despite calls for a suspension of the talks shortly after the Nov. 13 suicide attacks in Paris that claimed the lives of 130 people.

“These new pan-European rules are good for citizens and good for businesses,” EU Justice Commissioner Vera Jourova said in a statement. They will “profit from clear rules that are fit for the digital age, that give strong protection and at the same time create opportunities and encourage innovation.”

Terrorists, Hackers

Tuesday’s breakthrough follows years of haggling among legislators who clashed over how to strike a balance between citizens’ rights and the obligations of companies without hindering efforts to fight the growing ranks of cyber-criminals and terrorists.

The pact will plug gaping holes in the way privacy breaches are handled in the EU. While some watchdogs can fine as much as 1 million euros ($1.01 million), others aren’t able to levy penalties at all.

Under Tuesday’s deal, companies will also be obliged to disclose breaches, such as hacking into corporate databases. The growing threat to companies that control a treasure trove of client data was underscored by recent cyber attacks on the U.K.’s TalkTalk Telecom Group Plc and Hong Kong electronic-toy maker VTech Holdings Ltd.

Cross-Border Cases

Business groups have criticized the sanctions proposals and a so-called one-stop-shop mechanism, aimed at making one of the EU’s 28 regulators the lead in cross-border cases.

Luxembourg made it a priority when it took over the rotating six-month EU presidency in July to get an agreement before the end of the year. Justice Minister Felix Braz last week conceded that the discussions “have not been easy.”

Revelations by former U.S. National Security Agency contractor Edward Snowden about U.S. government surveillance activities and mass data collection shattered trust among citizens, wary of how their private details would be used and abused.

A 15-year-old accord that smoothed the way for companies to transfer data across the Atlantic was struck down by the EU’s top court, partly on fears that EU citizens would be powerless to protest about U.S. spies gaining access to their private details.

Jourova said last week that one of her goals was rebuilding a “deep trust” among citizens. Jourova, who inherited the proposals from predecessor Viviane Reding, rejected fears the plans would stymie law enforcement agencies as counter-terrorism takes center stage.

“On the contrary, it gives them more clarity and legal certainty when exchanging data cross-border,” she said.
