The European Commission proposed today an overhaul of European Union privacy law, which would fine companies as much as 2 percent of their yearly global sales for losing customers’ personal data, Bloomberg reports. Under this update to the EU’s 17-year-old data protection policies, the power to punish these companies for mishandling personal information would rest with data protection agencies in each country.

The EU historically has had much more broadly defined privacy laws than the U.S., so the harsh sanctions this law proposes should come as no surprise. “The protection of personal data is a fundamental right for all Europeans,” EU Justice Commissioner Viviane Reding said in a statement. On this side of the pond, the Securities and Exchange Commission has recently released a guidance on cybersecurity disclosure, but it makes no real requirements of companies.

Violations of the new law, such as processing an individual’s sensitive data without their consent, would be punished with fines of as much as €1 million ($1.3 million), or 2 percent of a company’s yearly sales. The idea is that a tougher policy would help prevent such serious data breaches as Sony’s in April 2011.

Richard Thomas, the global strategy adviser to Hunton & Williams’Centre for Information Policy Leadership and the former U.K. information commissioner, says he thinks the policy is far from perfect, and may be difficult for companies to comply with. “The Commission’s wish to shift the focus is brave and welcome – away from paper-based, bureaucratic requirements and towards compliance in practice, genuine harmonization and individual empowerment,” Thomas says. “But there are real risks that new bureaucratic burdens will be created and that some proposals will be very difficult to implement in practice. The detail will require close scrutiny and more innovative solutions may be needed on some aspects.”