The forthcoming pan-European data protection law may be watered down after “substantial concerns” about it were raised at a European Council of Ministers' meeting last week.

The draft law, which is passing through the European Parliament, currently stipulates that companies who fail to protect personal data or report data breaches could be fined up to €100 million (approximately £83.8 million) or five percent of their turnover. It also rules that companies processing the personal data of more than 5,000 individuals a year must appoint a data protection officer (DPO).

The cost of these new regulations could be over £75,000 a year per company, according to a recent survey by the Federation of Small Businesses and the British Bankers Association.

But perhaps reflecting these concerns, the new law got bogged down in debate last Friday, with justice ministers from EU member states running the rule over all details. In particular, they paid close attention to the draft law's ‘one-stop-shop’ principle, which means companies operating across Europe need only report to one regulator in their main country of operation.

One observer, speaking anonymously to SCMagazineUK.com, called the arguments “delaying tactics” while Viviane Reding, the EU Justice Commissioner pushing through the new law, openly told Justice Ministers they were “going round and round in circles”.

“Instead of moving forward, we have moved back. We are effectively re-opening questions which had been agreed in October,” she said.

But a spokesperson for UK privacy watchdog the Information Commissioner's Office (ICO) told SCMagazineUK.com that: “The Council of Ministers' discussion last week shows that there are substantial concerns from a significant number of EU member states that remain to be addressed in the EU data protection reform.”

The ICO believes the arguments may not necessarily delay adoption of the new law – which observers believe will be some time between spring and summer 2014, leading to the regulations becoming law in this country two years later.

But the watchdog suggested the price of progress may be further compromises that reduce the law's burden on business.

“Agreement is still possible ahead of the EU elections. The Greek Government, which takes over the EU Presidency from January, will surely try its best to find a solution both for effective data protection for individuals and a regime that does not unnecessarily burden businesses,” said the spokesperson.

The continued debate over the law comes despite growing momentum elsewhere for protecting personal data privacy. Earlier this week, eight US technology companies – including Apple, Google and Microsoft – reacted to the recent revelations of mass electronic surveillance by America's NSA intelligence agency by calling on President Obama and Congress to “ensure that government surveillance efforts are clearly restricted by law, proportionate to the risks, transparent and subject to independent oversight”.

Meanwhile, in the wider public, 500 leading authors from 81 countries, including five Nobel prize winners, have condemned the scale of state surveillance revealed by whistleblower Edward Snowden and urged the United Nations to create an international bill of digital rights that enshrines the protection of civil rights in the internet age.