The European Union is drafting legislation that would require tech companies operating in member states to surrender customer data upon request of the authorities, even if it is stored outside the EU, Reuters reported, citing two sources.

The new rules would also cover any individuals involved in a European investigation, regardless of nationality, one of the sources said.

The proposed legislation will be reviewed by lawmakers and member states by the end of March.

Meanwhile, EU's new General Data Protection Regulation, an initiative which began in 2010, will come into force May 25.

It will introduce a swathe of legislative changes strengthening rules around how EU citizens' data is stored, shared and managed.

Measures include fines of up to 4% of a company's global revenue for the most serious breaches of the new data privacy rules.

Facebook Inc. is stepping up its privacy measures ahead of the regulation. It recently published its privacy principles, addressing concerns including giving users control of their privacy and including privacy features in Facebook products, as well as efforts to ensure data security and improve privacy controls.