EU-wide authorities may not able to properly enforce a new data protection regulation after May given lagging member state legislation.

The general data protection regulation is a massive overhaul of a two-decades old EU law with far-reaching implications for people's personal data and how it is processed by firms around the world.

Student or retired? Then this plan is for you.

"It is why there is a high operational and political pressure to have these laws voted before May," French privacy chief Isabelle Falque-Pierrotin told reporters in Brussels on Wednesday (7 February).

The European Commission in late January said 26 EU states, aside from Germany and Austria, have yet to pass all the laws needed to ensure that data protection authorities are both well resourced and independent.

This data overhaul includes a so-called 'consistency mechanism' intended to streamline cooperation between the data protection authorities on issues with implications for all of Europe.

It means a decision taken by a lead data protection authority in a case is then applied across every member state.

"If there is one authority that is not in a capacity to take part to the consistency mechanism once facing a transborder case, it means the whole system is stopped," warned Falque-Pierrotin.

Firms that break the new data rules face up to a €20 million fine or four percent of their annual turnover. Companies will, for instance, be required to rapidly inform people of any data hacks.

Hacking has hit media headlines, including a massive data breach cover-up by car-hailing app, Uber. The US giant is under investigation after details of some 57 million accounts went public in 2016.

Uber is not alone. UpGuard, a California-based cyber risk company, earlier this week revealed another breach. It said Octoly, a Paris-based brand marketing company, left an Amazon Web Services S3 cloud storage bucket configured for public access.

Working Party 29

Falque-Pierrotin on Wednesday also stepped down from her role as chair of the chair of the body representing national data protection supervisors, also known as the Working Party 29 (WP29).

She is being replaced by Austria's data protection authority Andrea Jelinek who told this website that the European commission and the WP29 will maintain pressure on the capitals.

"I hope they get in line and I think it is important that the Commission has an eye on it and that we have an eye on it," she said.

As the new chair, Jelinek is poised to also take the lead on the European data protection board. The board will replace the working party and will enforce the general data protection regulation once it goes live on 25 May.