The European Union is about to propose new rules on data protection, according to several sources. Among the proposals will be the possibility of levying stiff fines on companies for losing customers’ data, and a so-called “right to be forgotten” (the same one I wrote about last year). Not everyone is happy about the proposed legislation, and we can expect to see a debate drag on though the legislative process.

In one corner is Viviane Reding, vice president of the European Commission. It’s her belief that users are not properly protected under current laws (one example: the fact that Sony waited six days before informing their customers of a massive data breach). “We need individuals to be in control of their information,” Reding said at a recent conference in Munich.

In the other corner is just about the entirety of the tech industry. At that same conference, for instance, Sheryl Sandberg of Facebook gently hinted that impeding the flow of data in the social network could be bad for business, and included some impressive numbers of the economic impact of Facebook. “[T]he charming Ms. Sandberg was … giving a warning to Ms. Reding,” opines the Wall Street Journal’s Ben Rooney. “See that €15.3 billion in economic impact, see those 232,000 jobs? Do you really want to jeopardize that? Do you really think that giving people the right to be forgotten, or any of those other tricky data protection rules you are thinking about bringing in are worth the risk?”

Much as with SOPA and PIPA, tech companies large and small are rallying to say that while they applaud (some of) the EU’s goals, the legislation may be overreaching. In fact, it’s the small tech companies that may be hit hardest by some of the legislation’s requirements—for instance, the obligation to have a data protection officer on staff. “[T]hese measures are likely to cost EU businesses billions to implement and even more to maintain on an ongoing basis,” James Mullock, head of data privacy at the law firm Osborne Clarke, told Reuters.

The most colorful assertion of the EU legislation is the so-called “right to be forgotten.” Some question whether anyone really has the power to erase all traces of data, even if a user wants them to. “[A]re we really responsible for going to find every cached copy that may have filtered out there?” Microsoft’s Ronald Zink wondered aloud. “What is the obligation beyond our set of properties? It’s hard to know how you would pull back all the copies of a given piece of content.” Zink has been making the rounds, also telling FT, for instance, that the proposals may be “too prescriptive.”

Others had wondered whether the “right to be forgotten” could be used as a form of censorship, if applied to members of the press. But Reding has since addressed that concern, stating, “The archives of a newspaper are a good example. It is clear that the right to be forgotten cannot amount to a right of the total erasure of history.”

Data security is hugely important: too important not to legislate, while too important to rush into legislation. Perhaps it’s a good thing, then, that the EU’s legislative process reportedly might last up to two years.