The MEPs, by a count of 621 votes to 10, gave their support to proposals for a new General Data Protection Regulation. A spokesperson for the Parliament confirmed to Out-Law.com that the proposals supported in the full plenary vote are the same as those outlined in a report of the Parliament's Civil Liberties, Justice and Home Affairs (LIBE) Committee in October last year.
A second vote was also held on plans for a new EU Directive on data protection which, if introduced, would separately set rules around personal data processing by law enforcement bodies. A majority of 371 MEPs voted to support the new Directive, with 276 against the plans.
Under the LIBE Committee's proposals, businesses could face fines of up to 5% of their annual global turnover, or €100 million if greater, if they breach the new data protection laws. However, under the plans businesses would be able to obtain a certification from data protection authorities that their processing of personal data is compliant with the Regulation. Businesses that are issued with a valid 'European Data Protection Seal' would face immunity from fines for breaches of the Regulation unless the breach was "intentional" or involved "negligent incompliance".
Under the LIBE plans now backed by the full Parliament, the processing of personal data would be governed by a complicated legal framework. Strict rules around the processing of health data, as well as other 'special categories' of data, would be created. Separate rules would also apply if the personal data involved belonged to a child.
The plans include new rules around obtaining individuals' consent to the processing of their personal data, which some groups in the science sector in the UK previously expressed concern with.
The LIBE proposals, if introduced, would also update existing rules that govern transfers of personal data outside of the European Economic Area (EEA). Companies would be required to obtain regulatory approval to transfer personal data outside of the EEA to countries that have not been approved as having adequate data protection measures in place. A number of legal mechanisms and safeguards could be adopted to permit the transfer to take place without the need for approval, however.
A new 'one stop shop' regulatory regime would also be established, under the plans, which would allow businesses to engage with just one data protection authority (DPA) – the one based in the country of their main establishment – instead of each DPA in every EU country in which they operate.
However, reforms to the data protection regime cannot happen unless both the European Parliament and the EU's Council of Ministers, which is made up of representatives of individual member states, both agree on a single set of proposals.
The Council of Ministers has so far been unable to reach a consensus amongst its members on what a new data protection framework in the EU should look like. A number of different views have been expressed in particular over how the 'one stop shop' regulatory regime should work in practice. The UK government has also expressed concern about the suitability of proposed rules governing data transfers for the digital age.
In a statement, rapporteur for the Parliament on the General Data Protection Regulation Jan Phillip Albrecht said it would be "irresponsible" of the Council to further postpone reform.
"The citizens of Europe expect us to deliver a strong EU wide data protection regulation," Albrecht said. "If there are some member states which do not want to deliver after two years of negotiations, the majority should go ahead without them."
In a separate development, MEPs also voted to support a report the LIBE Committee published on their findings into the allegations of mass surveillance by the US' National Security Agency (NSA).
In a press conference, UK MEP Claude Moraes confirmed that the final report backed by the Parliament, in a vote of 544 MEPs to 78, was slightly amended from the one which he had drafted previously. However, he confirmed that the "digital bill of rights" which had been supported did call for the suspension of the EU-US Safe Harbour scheme on data transfers. It also called for the US to recognise EU citizens' rights to redress over the misuse of their data by a US company.
The Parliament's vote also confirmed MEPs' support for the suspension of the Terrorist Finance Tracking Programme (TFTP) agreement until there is clarity on allegations that US authorities gained access to EU citizens' payments data outside of the procedures outlined in the agreement.
The TFTP allows, in accordance with certain protocols, US law enforcement bodies access to European data held by the Society for Worldwide Interbank Financial Telecommunications (SWIFT). SWIFT co-ordinates payments between financial institutions based across the world.