It took four years, but the European Union Thursday approved tough new privacy rules that give citizens rights to control their data and hangs the prospect of significant fines on companies who do not comply.

The General Data Protection Regulation (GDPR), however, will be eased into effect over the next two years. It supplants the EU's existing Data Protection Directive (DPD).

The EU's 500 million citizens will have the right to tell companies to stop building profiles on them, to move their data from one provider to another, and have the "right to be forgotten."

Companies that collect and store data will face significant fines in case of misuse or breaches. Those fines will be up to 4 percent of the company's annual worldwide revenue or 20 million Euros; whichever is greater.

Viviane Reding, the former vice-president of the European Commission, said: "This is a historic day for Europe. This reform will restore trust in digital services today, thereby reigniting the engine for growth tomorrow." Reding proposed the GDPR changes in 2012.

Proponents say the regulations offer strong personal data protection for EU citizens along with benefits for businesses that encourage growth in the EU economy. Data sharing between EU members, proponents say, will help law enforcement. The regulations combine Privacy by Design concepts such as minimized data collection, deletion of aging data, restricted access and data lifecycle management. It's hardest line is perhaps its formula for fining those who violate the GDPR.

The question is can the new regulations create a new world standard. The EU faces a challenge in balancing its privacy directives while maintaining innovation and investment in the EU's tech market. Any global company doing business in the EU will be subject to the terms of the GDPR.

Concern with the new rules has come from groups including the Industry Coalition for Data Protection (ICDP), Interactive Advertising Bureau Europe (IAB), European Telecommunications Network Operators' Association (ETNO) and the Confederation of British Industry (CBI).

ICDP members include Google, Facebook, Amazon and IBM, all of which are concerned about chasing off investment in Europe's most innovative technologies.

EU officials have said companies will need to invest in new systems to accommodate GDPR directives and will need to establish management strategies to ensure compliance. The EU itself will work to align the legislation among its 28 member states.

As the two-year ramp up to the GDPR begins, the next step is to overhaul the EU's existing ePrivacy Directive to align it with changes brought by the GDPR.