The reforms proposed by the EC's justice commissioner Viviane Reding envisage a sliding scale of fines, which would start at €250,000 or up to 0.5% of global turnover for less serious offences.
The proposals count processing sensitive data without an individual's consent as a serious violation and charging a fee for requests from a user for their data as a less serious offence.
UK users would be able to complain to the national data watchdog, the Information Commissioner, no matter where in the world their data is sent, processed or stored.
The proposals also state that where consent is required for data to be processed, it will have to be given explicitly.
People should have easier access to their own data, including the ability to transfer it from one service provider to another and the right to be forgotten – the ability to request their data is deleted if there are no legitimate reasons for retaining it.
Companies would have to notify the Information Commissioner of serious data breaches within 24 hours if feasible.
The Direct Marketing Association is claiming a victory in that today's official draft text does not include the move towards an opt-in-only regime for offline direct marketing, but it warned that the regulation "poses a severe threat to the ability for UK businesses to use data to market their goods and services to consumers".
The proposals will now go to the European Parliament and EU member states (meeting in the council of ministers) for discussion. Once the new regulation has been finalised, it will be enforceable in all member states after two years.
Chris Combemale, executive director of the DMA, said: "This is just the start of a long process before the regulation comes into law. We'll be conducting research to assess the economic impact of the regulation on the multibillion-pound direct marketing industry, so that we can put a strong case to the lawmakers at every stage to ensure that there are no detrimental consequences for the industry.
"We fully appreciate the need for data protection rules to be in place to build consumer trust in sharing their information with companies, but getting this balance wrong will have terrible financial consequences to UK plc."
One of the DMA's concerns is that the current draft is unclear on the point that the use of suppression files, which are used to allow consumers to opt-out of the use of their data for marketing purposes, will be exempt from the "right to be forgotten".
Eduardo Ustaran, partner and head of the European data protection team at law firm Field Fisher Waterhouse, said: "The proposed legislation is the most radical global attempt ever to regulate the increasing exploitation of personal information.
"The extra-territorial reach of the new law is clearly targeted at companies operating on the internet and interacting with EU residents and is aimed at shaking up the way in which they tackle privacy issues. In particular, technology service providers outside the EU will face a whole range of new obligations.
"However, this is by no means the end of the road. My expectation is that 2012 will be a crucial year to influence the outcome of the new law, and policy makers will be looking for input from all key stakeholders."
James Mullock, head of data privacy at law firm Osborne Clarke, questioned Reding's claim that the new rules would save EU companies €2.3bn (by replacing a patchwork of rules in 27 countries).
He said: "Data privacy is an important individual freedom, and clearly it is important that the current law is updated. But it is fatuous that complying with the rules will actually save companies money. On the contrary, these measures are likely to cost EU businesses billions to implement and even more to maintain on an ongoing basis."
Follow Daniel Farey-Jones on Twitter @danfareyjones
This article was first published on marketingmagazine.co.uk