I'd modify your list a little:
If a company is not compelled by law to surrender information, they are forbidden to volunteer it.
Instead, how about "Unless required by law not to disclose it, organizations are required to notify each person whose information they share. Said notification is required each time the information is shared, and must include the information shared, the party to whom it is disclosed, the purpose of disclosure, and the privacy commitments provided by the receiver, which must be at least as restrictive as those of the sharer. In the event of information shared in aggregated form, the notification must be delivered to a government agency whose responsibility it is to evaluate whether or not it may be possible to identify any individual included in the aggregate. If so, the organization that shared it is required to notify all identifiable individuals. Failure to notify results in steep and exponentially increasing penalties."
Obviously the goal here is to address information sharing between all sorts of organizations, governmental and commercial, including company-to-company, company-to-government, government-to-company and even government-to-government... including US government to foreign government. Note also that there's nothing in there about "first to share"... the notification requirements exist at every step. Because this would be a dramatic, and in many cases expensive, change in notification burden, it should be phased in over time, but it should ultimately apply to all personally identifiable information, even information which is currently considered public. Oh, non-commercial sharing by private individuals should be exempted, and "non-commercial" should be defined pretty loosely... posting a friend's wedding announcement on your blog shouldn't be a crime, even if you happen to have some ads on it. There are undoubtedly other adjustments that need to be made to the concept, even though I've tried to be as thorough as I can.
Your "forbidden to disclose" is pithier, but I'd like to leverage this to address commercial sharing as well, and I don't think flatly forbidding that is in society's best interest. I think instead making people aware of what is being done and allowing them to make decisions about who they interact with, based on different organizations' privacy policies (which should be legally binding... may need some language about that, too), allows the most flexibility for an information-driven society to evolve, but allows individuals to retain control.
Further, I'd limit the "disclosure restricted by law" bit. Restrictions on disclosure should be temporary, and their duration should be specified in the initial (court-reviewed) document, with reasonable justification. When the time expires, it should be the responsibility of both the agency that requested the information and the organization that provided it to provide full disclosure to the target, including supporting documentation explaining the rationale. If, as the expiration approaches, the agency has reason to extend it, it can go back to court and justify the extension. Oh, and "because this would be embarrassing" should be specifically excluded as justification for restricting disclosure.