Out-Law News

Public bodies may not face data protection fines under reforms
European Union countries would be able to decide whether their data protection watchdogs will have the power to fine public sector bodies for breaches of data protection rules if the latest version of a reformed EU data protection framework is adopted.

The plans are being considered by EU Ministers, who are trying to agree on a single set of new data protection rules before entering into negotiations with the European Parliament over a final version of the text. The Parliament is itself in the midst of a parallel process for agreeing on a version of the reforms.

"Each Member State may lay down the rules on whether and to what extent administrative fines may be imposed on public authorities and bodies established in that Member State," draft rules contained in a leaked document sent from the Irish Presidency of the Council of Ministers to the Working Party on Information Exchange and Data Protection (DAPIX) said.

The Council of Ministers is currently in the process of trying to agree on a set of revisions to the draft General Data Protection Regulation initially put forward by the European Commission last year to update EU data protection laws. Both the Council of Ministers and European Parliament must agree on a single text if reforms are to be delivered.

Under the Commission's plans, data protection authorities (DPAs) would have had the power to fine businesses up to 2% of their annual global turnover for serious breaches of the Regulation. Organisations not engaged in economic activity could have been fined up to €1 million for serious breaches, under the Commission's proposals.

However, the latest leaked document, published by Statewatch, has highlighted EU Ministers' moves to place conditions on the imposition of fines by DPAs under a reformed regime.

Under the proposals, DPAs would not be obliged to issue businesses that breach the rules with a fine. Instead, the watchdogs could serve companies with a warning, order them to remedy any infringement, or force them to undertake a data protection audit, among other things.

If DPAs decide that a fine should be imposed against organisations that infringe the rules, they would be obliged to ensure that the fine is "effective, proportionate and dissuasive".

The precise level of penalty would have to be calculated following consideration of a number of factors, including "the nature, gravity and duration" of the breach, whether an infringement was intentional or negligent, how many individuals are affected and what the "level of damage suffered by them" was. Previous infringements by organisations would also have to be taken into account.

The leaked document has omitted some details about the proposed administrative fines regime. The upper limit for any fine has not been finalised, according to the document.
