Proposed new data protection rules designed to cut red tape and save EU companies €2.3bn a year in administrative costs have met with a mixed reaction from UK lawyers.

Under a directive due to be published this week some businesses would be liable to fines of 5% of worldwide turnover for data protection offences. They would also have to inform all individuals within 24 hours that a storage device containing their personal data had been lost or hacked.

A spokesman for justice commissioner Viviane Reding said there would also be a reinforced ‘right to be forgotten’, ensuring that people may have data deleted if there are no legitimate grounds for retaining it.

Mark Watts, data protection partner at City firm Bristows, described the measures as ‘unworkable and business-unfriendly’.

However, Douwe Korff, professor of international law at London Metropolitan University, welcomed the plans. He said: ‘Data breach notification is crucial for the digital economy and for data subjects’ rights, but not much use if it doesn’t happen quickly; and the "right to be forgotten" is not intended to allow history to be rewritten, but to beef up the existing principle that personal data must be deleted when they are no longer needed for a legitimate purpose.’