The current data protection directive dates back to 1995, but as European data protection supervisor (EDPS) Giovanni Buttarelli points out, in this day and age of constantly evolving technologies, "two decades is a century".
The European commission has been hard at work on a new data protection package since 2012, but parliament's rapporteur on the issue Jan Albrecht has warned that it was unlikely a resolution would be adopted "before the end of the year", as "council and parliament are heading in two completely different directions".
Unfortunately, coming up with a proposal that satisfies all parties involved is hardly straightforward. As Buttarelli explains, "this is an issue with a lot of meaningful details - each word changes everything". He says an acceptable text "implies innovative thinking, which will be a challenge for the lawyers".
Not only that, but any new data protection regulation will have to be "dynamic enough to be applied" and "have a flexible platform which is technologically neutral and robust enough to resist technological changes - we do not know if 15 years from now social networks will continue to exist".
"How much information you share about yourself publically is absolutely up to you. If someone decides to post nothing, then that is their decision. At the same time, someone can decide to put everything out there" - Jan Albrecht
And sadly, the challenges don't stop there. Once a regulation is adopted, there will be the question of how to enforce it. Albrecht believes "we have very well equipped and functioning data protection authorities in each member state. We know it is very important for citizens to talk to their own authorities in their own language and in their own legal culture".
However, he does concede that "all 28 different data protection authorities should act together to take common decisions, so that there is consistency in their approach."
In an ideal world, such authorities would not be needed, because companies would simply abide by the rules. But of course, in order for that to happen, strong incentives are needed.
Axel Voss explains that when it comes to possible sanctions, "parliament's compromise is a fine equal to five per cent of the company's revenue, which is more than the two per cent originally proposed by the commission. But in a hearing for the [US national security agency] enquiry committee, someone said we should impose a fine of 20 per cent so that the real global data collectors would truly feel its effects - but we haven't had the courage to do this."
Some observers have suggested that citizens themselves should be taught to be more careful when publishing private data online, as sharing and privacy settings on social networks can sometimes be hard to understand, for example. Voss believes "it is necessary to tell consumers what it means to be on the internet and use special tools".
But Albrecht disagrees, saying, "how much information you share about yourself publically is absolutely up to you. If someone decides to post nothing, then that is their decision. At the same time, someone can decide to put everything out there".
"The key thing is for citizens to really have the control over their personal data - it is important to let people empower themselves to decide which risks they want to take", he highlights.
Both MEPs insist the work they are doing on data protection is crucial. For Voss, "people should keep in mind that parliament is here to strengthen the rights of individuals - I think [this regulation] might help regain their trust in technology".
Meanwhile, Albrecht says, "we need a level playing field. Currently, EU companies are very often disadvantaged because some of their competitors don't follow EU rules to the full extent. Having one single regulation and a digital single market will mean fair competition".
Let's hope, then, that the institutions can reach an agreement soon, because, as the EDPS points out, "the world cannot wait for us".