Addressing the second annual European Data Protection and Privacy Conference, Viviane Reding said: "People are sharing more and more personal information online and it is now important to ensure their rights.
"For this reason, the reform of EU data protection rules will include easier access to one’s own data, and better data portability so that it is simple for users to transfer their data between providers.
"I also want to establish the famous right to be forgotten, which will build on existing rules to better cope with privacy risks online.
"I believe this right is very important in a world of increasing connectivity and the unlimited search and storage. If users no longer want their data to be stored, and if there is no good reason to keep it online anymore, the data should be removed."
What exactly the "right to be forgotten" involves has caused concern at the Direct Marketing Association, which has been involved in the consultation process for the proposed revisions to the directive.
Caroline Roberts, director of legal and public affairs at the DMA, said: "While consumers need to be protected by the right to not be contacted for marketing purposes by companies, eradicating their entire data is completely impractical because it prevents companies from meeting their legal obligations to suppress their data if they choose to opt out."
The UK data protection watchdog, the Information Commissioner’s Office, has expressed the view that the new framework "should not introduce a stand-alone "right to be forgotten", which could mislead individuals and falsely raise their expectations, and be impossible to implement and enforce in practice".
The European Commission’s proposals for the new legislation are set to be published at the end of January, although observers believe the process may take longer as the Justice department needs to confer with other EC departments.
According to a Financial Times report yesterday, the proposals currently include fines of up to 5% of global turnover for businesses breaching rules, a deadline of 24-hours for notifying data protection authorities and affected parties, and for a requirement for all companies with more than 250 employees to dedicate staff to data protection issues.
Follow Daniel Farey-Jones on Twitter @danfareyjones