Finally, after four years of negotiations and formalities, the European Union will have its tough new privacy rules, replacing two-decades-old legislation that was much more open to interpretation by individual countries.
Europeans will be able to tell companies to stop profiling them, they’ll have much greater control over what happens to their data, and they’ll find it easier to launch complaints about the misuse of their information. What’s more, the companies on the receiving end of those complaints face serious fines if they don’t toe the line.
All this is in the General Data Protection Regulation (GDPR), which gained the final approval of the European Parliament on Thursday. It will soon be officially published, becoming law 20 days later. Member states then have two years in which to start following the rules by building them into their national laws.
Get Data Sheet, Fortune’s technology newsletter.
“Today’s vote marks a historic achievement,” said the EU’s justice chief, Věra Jourová. “Our work in creating first-rate data protection rules providing for the world’s highest standard of protection is complete.”
The biggest deal here, in financial terms, is that companies face fines of up to 4% of their global turnover if they flagrantly break the rules. The era in which the likes of Google (GOOGL) can flout local privacy laws and shrug off the small-change fines is drawing to a close.
People will have the right to transfer their data from one service provider to another—between web mail providers, for example, or between social networks. Privacy terms and conditions will need to be in clear and understandable language.
Individuals will also have a right to know if their data has been hacked, and there’s a big change in liability too.
Take the example of a retailer outsourcing its database functions to a cloud provider. Currently, if there’s a data breach then it’s the retailer that’s liable for damages. Once the GDPR comes into force through national laws, that liability will be shared between the retailer and the cloud provider (or, in jargon-ese, the “controller” and the “processor” of the data).
Individuals will now be able to tell companies to stop using their personal data once they close their accounts—an extension of the so-called “right to be forgotten” that already exists in the current rules—and will also be able to make marketing companies stop compiling profiles of them based on their personal data.
For more on privacy, watch:
EU countries will have to set an age of consent for signing up to services such as Facebook (FB) and Instagram—anywhere between 13 and 16 years of age.
If people want to complain about a company violating their data-protection rights, they will be able to do so in their home country, even if the company in question is based in another EU country. In cases where different countries’ authorities disagree about what to do, a new European Data Protection Board will help adjudicate.
This will make it much easier for people to complain. Along with the other rules in this tough new package (and those in the new EU-U.S. Privacy Shield deal, if it ever becomes reality), Silicon Valley will need to be on its best behavior.
