The European Commission has proposed an overhaul of the EU's data protection rules that could cost violators up to 2% of global annual revenues.
The rules would also apply to personal data handled by companies based outside the EU that are "active in the EU market" or offer services in EU countries.
The rules will apply to both domestic and cross-border transfers of data, the EC says.
Among the new requirements, companies that do business in the EU market would have to notify a supervisory authority of "serious" data breaches, where feasible within 24 hours.
The U.S. Congress has been looking at how domestic policy should dovetail with the EU privacy protection regime, which some have criticized as balkanized and inconsistently enforced.
The EC has a broad definition of personal data, which includes names, photos, email addresses, financial records, social network posts, medical info and IP addresses. The EU Charter of Fundamental Rights says "everyone has the right to personal data protection in all aspects of life: at home, at work, whilst shopping, when receiving medical treatment, at a police station or on the Internet."
The U.S. is currently contemplating how best to protect personal data online and what should fall under that definition.