Government issues draft data protection legislation to deal with Brexit
The draft legislation, The data protection, privacy and electronic communications (amendments etc) (EU exit) regulations 2019, have been prepared to ensure that the UK data protection legal framework continues to function correctly after Brexit.
The instrument amends the Privacy and Electronic Communications Regulations 2003 (PECR), UK GDPR and the DP Act 2018.
The Brexit Withdrawal Agreement retains the GDPR as part of UK domestic law. This instrument establishes transitional provisions in the DP Act 2018 in relation to adequacy decisions, standard contractual clauses and binding corporate rules. The use of Standard Contractual Clauses that have previously been issued by the European Commission will continue to be an effective basis for international data transfers from the UK to third countries after exit day. For the purposes of the PECR, the GDPR definition of consent will apply.
“The DP Act 2018 extended GDPR standards to general processing activities that were outside the scope of EU law via the ‘applied GDPR’. As the GDPR will no longer apply directly in the UK, this instrument introduces a single regime for general processing activities known as the UK GDPR. It is necessary to make changes throughout the DP Act 2018, and to other legislation, as a result of this,” the government says.
This instrument will remove references in the UK GDPR, for example, to EU Member States, Union law and the European Commission; replacing them, where appropriate, with references that will operate correctly in domestic law. The functions that are assigned to the European Commission in the GDPR will be transferred to the Secretary of State or the Information Commissioner.
The draft legislation
There has not been a public consultation on this instrument but the government has worked closely with the ICO. Keeling schedules, showing the amendments which this instrument makes to the retained GDPR and DP Act 2018, will be available later this month.