The Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 have been laid before the UK Parliament.
The regulations are introduced under the European Union (Withdrawal) Act 2018. The Withdrawal Act grants powers to correct deficiencies in UK legislation that will arise as a result of Brexit.
The regulations introduce a large number of technical amendments to UK law. The main amendments are made to:
- the General Data Protection Regulation 2016/679 (GDPR) as retained by UK law;
- the Data Protection Act 2018 (DPA 2018); and
- The Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR).
When the United Kingdom (UK) leaves the European Union (EU), the UK will no longer be subject to obligations under GDPR (except for processing still caught by the GDPR’s extra-territorial scope). However, the Withdrawal Act provides that the text of the GDPR will form part of UK domestic law after Brexit (UK GDPR). As a result, the text of UK GDPR must be amended to remedy potential deficiencies for when the UK is no longer part of the EU. The text of the DPA 2018 must also be amended to implement UK GDPR.
In addition to the general correcting of deficiencies, amendments include:
- UK GDPR is introduced under the DPA 2018 as a single regime for general processing activities. This amendment was necessary as the DPA 2018 was originally drafted to supplement the GDPR.
- The concept of GDPR extra-territorial application is retained under UK GDPR. Non-UK controllers and processors that sell into the UK or monitor UK residents’ behaviour online will have to comply with UK GDPR.
- Non-UK controllers and processors will be required, in certain circumstances, to designate a representative in the UK.
- EU decisions on adequacy, which allow for international transfers of personal data to non-European Economic Area (EEA) countries, are revoked. However, the UK will transitionally deem EEA countries, EU and EEA institutions, and Gibraltar as having adequacy decisions.
- The Information Commissioner will be responsible for adopting standard contractual clauses to facilitate the export of personal data from the UK. The Information Commissioner will not be required to seek European Commission approval, and will continue to be able to authorise new binding corporate rules.
- The Information Commissioner will be responsible for any tasks previously undertaken by other EEA supervisory authorities for processing of personal data of UK residents.
The amendments introduced by the regulations are largely functional. They will not result in substantial changes to the current UK data protection regime. However, the fact that they have been promulgated by the UK government should focus minds on the fact that Brexit is fast approaching. As things currently stand, the UK will leave the EU on 29 March 2019.
The regulations must now be approved by a resolution of each house of the UK Parliament before they can come into force.