The legal action is part of proposals by European Union justice chief Viviane Reding to update the existing EU data privacy rules. Reding said web users have a "right to be forgotten", and websites based outside the EU must comply with the regulations.
"Any company operating in the EU market or any online product that is targeted at EU consumers must comply with EU rules," said Reding.
"To enforce EU law, national privacy watchdogs shall be endowed with powers to investigate and engage in legal proceedings against non-EU data controllers."
Reding added that websites "must prove that they need to keep the data, rather than individuals having to prove that collecting their data is not necessary".
"I am a firm believer in the necessity of enhancing individuals' control over their own data," Reding added.
Furthermore, websites must provide more information on what data is collected about each web user and for what purpose, while online accounts such as social networks should opt for "privacy by default".
"Privacy settings often require considerable operational effort in order to be put in place. Such settings are not a reliable indication of consumers' consent. This needs to be changed," she said.
Reding added the 'privacy by default' rule will be helpful in cases of unfair, unexpected or unreasonable processing of data - such as when data is used for purposes other than for what an individual had initially given his or her consent or permission, or when the data being collected is irrelevant.
"'Privacy by default' rules would prevent the collection of such data through, for example, software applications. The use of data for any other purposes than those specified should only be allowed with the explicit consent of the user or if another reason for lawful processing exists," said Reding.
Reding's proposals are expected to be officially announced before July. However, they will still need to be approved by EU governments and the European Parliament before they come into effect.