The new rules still need to be approved by the European Parliament, which could push for changes, but a final agreement is expected by the end of the year.
One of the issues could be the level of fines. The deal endorsed by member states on Monday sets penalties of up to 2 percent of annual turnover for companies breaking the rules. However, EU lawmakers voted last year for a ceiling of 5 percent of annual turnover.
“Today we take a big step forward in making Europe fit for the digital age,” said Vera Jourova, Commissioner for Justice, Consumers and Gender Equality.
Among the key planks of the reform will be the so-called “one stop shop”, a system designed to avoid businesses operating across the bloc having to deal with 28 different regulators and possible conflicting decisions.
Under the new system companies with activities in more than one country will only have to deal with the regulator in the country where they have their main EU base, even if a data protection issue arises which affects citizens in another member country.
However, over the past year the “one stop shop” system has been watered down following concerns from some member states who did not want to see their policing powers reduced over companies such as Apple and Facebook, which have declared Ireland to be their European base.
As a result, any “concerned” data protection authority will now be able to object to a particular ruling, triggering a referral to a still-to-be-created board of all 28 EU regulators which could then take binding decisions.
The reform will also formalise citizens’ “right to be forgotten”, giving them a chance to request that outdated or irrelevant information be removed from online search results.