The European Commission has put forward the suggestion as part of a new directive and regulation.
The new rules include users' "right to be forgotten" and an obligation on organisations to report data breaches "as soon as possible".
The boss of one tech-focused organisation described the proposals as a "tax" on firms holding customer data.
The Justice Commissioner, Viviane Reding, said it was important for EU citizens - particularly teenagers - to be in control of their online identities.
"My proposals will help build trust in online services because people will be better informed about their rights and more in control of their information," she said.
The commission says that key changes to the 1995 data protection rules include:
People will have easier access to their own data, and will find it easier to transfer it from one service provider to another.
Users will have the right to demand that data about them be deleted if there are no "legitimate grounds" for it to be kept.
Organisations must notify the authorities about data breaches as early as possible, "if feasible within 24 hours".
In cases where consent is required organisations must explicitly ask for permission to process data, rather than assume it.
Companies with 250 or more employees will have to appoint a data protection officer.
The rules would apply to data handled outside the EU if the companies involved offered services to citizens living in the 27-nation zone.
The commissioner said that by simplifying the current "patchwork" of rules and cutting red tape, businesses could expect to save a total of 2.3bn euros ($3bn; £1.9bn) a year.
However, organisations which break the rules face penalties.
The commissioner suggested that companies that charged a user for a data request be fined up to 0.5% of their global turnover. She said that sum should double if a firm refused to hand over data or failed to correct bad information.
She added that companies responsible for more serious violations could be fined up to 2% of their turnover. The sum is capped at 1m euros for other bodies.Cost worries
One lawyer told the BBC that the benefits would be outweighed by the new burdens placed on businesses.
"The one bit of a good news is that they result in harmonisation across Europe which is better than the existing situation with 27 different national laws, but the content of some these proposals is very onerous," said Marc Dautlich, head of information law at Pinsent Masons.
"These are all going to involve costs and resource. And in a difficult economic climate."
Adam Malik, organiser of the Digital London conference, said that he accepted that customers had a moral right to ask for data deletion, but the new rules - as he understood them - could place some enterprises in jeopardy.
"This is just an additional tax on all businesses which hold electronic customer records," he said.
"Also we need clarity on what is personalised data. Lots of lawyers will be happy about this directive for years to come - meanwhile innovation is discouraged."
Security company FireEye also expressed concern about the suggested data loss demands.
"Reporting within 24 hours of discovery is admirable but if the company wasn't aware of the breach for 24 days then where do all involved stand?" asked its director of European operations, Paul Davis.
But others were more positive about the proposals.
"Businesses can either see it as a glass half-empty or a glass half-full," said Alan Mitchell, strategy director of Ctrl-Shift, a technology consultancy whose clients include the UK government.
"This legislation will enable UK and EU business to lead this growing market and develop new technologies and businesses."
The rules need to be approved by the EU's member states and ratified by the European Parliament before they can come into effect.
That could take two or more years, during which time they may be amended or rejected outright.