The Information Commissioner's Office could be facing a £42.8m shortfall that may have to be paid for by the taxpayer, MPs have warned.
The Justice Committee found changes to EU data protection laws could leave the taxpayer with a multi-million pound bill if the government does not find a new way to finance the commissioner.
The MPs said the new laws would mean his work would "expand dramatically".
The Commissioner said the large shortfall was a "worst-case scenario".
The Information Commissioner's Office (ICO) polices data protection laws in and is tasked with upholding information rights in the public interest.
The Justice Committee found that a proposed new EU regulation would remove the information commissioner's funding for data protection work through the notification fee payable to him by all those who process personal information.
Harsher penalties urged
This could leave the office struggling to fund its work at the same time as making other cutbacks to its budget.
The funding for freedom of information work has been cut by 23% and there is a planned further cut of 6% in 2013-14.
Chairman of the cross-party committee Lib Dem Sir Alan Beith said: "Taxpayers will have to pick up the tab for the information commissioner's vital data protection work when new EU rules come into force unless the government can find a way of retaining a fee-based self-financing system."
Information Commissioner Christopher Graham said the committee's report was helpful, but stressed the £42.8m figure was "very much a worst-case scenario, and is based on a proposed legislative framework that is ever changing".
"But sorting out an acceptable system for funding the ICO in the future now needs to be tackled," he added.
The committee also repeated an earlier recommendation that harsher penalties should be imposed for those who break data protection laws.
It highlighted the case of construction companies using an illegal blacklist, which prevented individuals from obtaining work because of their trade union links.
The £5,000 fine imposed on the company that compiled the blacklist showed the scale of data protection offences was not matched by the penalties available to courts, the committee said.
Sir Alan added: "We do not understand why the government has not adopted the recommendation made by us and other parliamentary committees that custodial sentences should be made available for breaches of section 55 of the Data Protection Act.
"This issue should not be lost in wider data protection enforcement questions arising from the Leveson Report."
The committee also reiterated its view that the information commissioner should be granted greater independence from the executive by being made directly responsible to, and funded by, Parliament.