Firms such as Google and Microsoft will face stiffer fines if they violate Europe’s “right to be forgotten” online rules, according to a draft text agreed by European Union ambassadors on Wednesday (20 May), diplomatic sources said.

EU member states are negotiating an overhaul of the bloc’s outdated privacy laws in a bid to make them more harmonised and relevant for the rise of the Internet.

A draft proposal from Latvia, which holds the EU’s rotating presidency, suggests three levels of fines for companies breaching the rules, ranging from 0.5% to 2% of a firm’s annual worldwide turnover, depending on the gravity of the data breach.

Failure to “erase personal data in violation of the right to erasure and ‘to be forgotten'” falls under the second category which foresees maximum fines of one percent of a firm’s annual global turnover, according to the draft.

>>Read: Google leans towards EU-only ‘right to be forgotten’

EU ambassadors endorsed the fines on Wednesday, three diplomatic sources said.

Once all parts of the reform proposal have been agreed, EU ministers should endorse the whole text in mid-June. Following that, member states representatives can begin discussions with the European Parliament – which wants fines of up to 5% of global turnover – to find a final compromise.

The fines would give data protection authorities a much bigger stick in ensuring that EU data privacy rules are respected.

Under the current regime not all privacy watchdogs have the power to levy fines, and where they do, the amount is often negligible for big firms.

>>Read: EU watchdogs to apply ‘right to be forgotten’ rule on Web worldwide

Google, for example, has refused to bow to EU regulators’ demands that it implement the “right to be forgotten” across all its websites, including Google.com.

Last year the European Union’s supreme court ordered it to remove outdated or irrelevant information from its name-search results but it is only applying the ruling across its European domains, such as Google.de in Germany, arguing that it automatically redirects users to their local website anyway.

Social network Facebook has also come under fire from several EU regulators for its new privacy policy, although it maintains that only the Irish data protection commissioner can police it since it has its European headquarters in Dublin.