European Union negotiators have finally agreed on the text of a significant new data protection and privacy law after years of debate.

On Tuesday, the European Commission, the European Parliament, and the European Council came to a consensus on the language of the text, which has not yet been released in its entirety. (The most recent previous draft Ars was able to locate was dated November 27, 2015.)

Notably, the agreement sets the maximum corporate fine for violating user privacy to four percent of a company’s worldwide revenue—significantly more than the marginal sums that companies like Facebook and Google have paid in the past. For a company like Facebook, the new agreement would mean a potential maximum fine in the neighborhood of $500 million. For Google’s parent company, Alphabet, it would be about $2.5 billion.

Among other changes, the new law would require companies to more clearly explain to users what data is being collected and how it is used.

At present, each member country of the 28-member bloc has its own data protection and privacy laws; Germany’s are seen as the strictest. Assuming the text is approved by the European Parliament and each of the member countries in 2016, companies would have until 2018 to fully fall into compliance

Under the new Tuesday-approved text, each member country can set its own age of online consent, ranging from 13 to 16 (up from 13 at present).

"Unfortunately, member states could not agree to set a 13-year age limit for parental consent for children to use social media such as Facebook or Instagram," Jan Philipp Albrecht, a Green Party member of the European Parliament (MEP) from northern Germany, said in a statement. Albrecht is the “rapporteur,” or parliamentary liaison, between his Committee on Civil Liberties, Justice, and Home Affairs (LIBE) and the European Commission on this issue. The new text will formally be put forward before the LIBE on Thursday.

In a press release, The European Commission touted the following new advantages for Europeans: