The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

Regulation 4

SCHEDULE 2Amendments of the Data Protection Act 2018

Introduction

1.  The Data Protection Act 2018 is amended as follows.

Part 1 (preliminary)

2.—(1) Section 1 is amended as follows.

(2) In subsection (2), for “GDPR” substitute “UK GDPR”.

(3) In subsection (3), for “GDPR” to the end substitute “UK GDPR”.

(4) In subsection (4), omit “and implements the Law Enforcement Directive”.

3.  In section 2(1) and (2), for “GDPR, the applied GDPR” substitute “UK GDPR”.

4.—(1) Section 3 is amended as follows.

(2) In subsection (6), omit “Chapter 2 or 3 of” and “Chapter or”.

(3) In subsection (9)—

(a)for paragraph (a) substitute—

“(a)the UK GDPR,”;

(b)omit paragraph (b);

(c)in paragraph (e), for “the GDPR” substitute “the EU GDPR”.

(4) In subsection (10)—

(a)for “The GDPR” substitute “The UK GDPR”;

(b)for “(General Data Protection Regulation)” substitute “(United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)(1))”.

(5) After subsection (10) insert—

“(10A) “The EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law.”.

(6) Omit subsection (11).

(7) In subsection (14)—

(a)for paragraph (a) substitute—

“(a)references to the UK GDPR are to the UK GDPR read with Part 2;”;

(b)omit paragraph (b);

(c)in paragraphs (c) and (d), omit “Chapter 2 or 3 of”.

Part 2 (general processing) (other than Schedules 1 to 6)

5.—(1) Section 4 is amended as follows.

(2) In subsection (2)—

(a)for “Chapter 2 of this Part” substitute “This Part”;

(b)for “GDPR” (in each place) substitute “UK GDPR”.

(3) Omit subsection (3).

6.—(1) Section 5 is amended as follows.

(2) In subsection (1)—

(a)omit “Chapter 2 of”;

(b)for “GDPR” (in both places) substitute “UK GDPR”;

(c)for “Chapter 2 as” substitute “this Part as”.

(3) In subsection (2)—

(a)for “GDPR” (in each place) substitute “UK GDPR”;

(b)for “Chapter 2” substitute “this Part”.

(4) In subsection (3), for “Chapter 2” substitute “this Part”.

(5) Omit subsections (4), (5) and (6).

(6) In subsection (7)—

(a)omit “Chapter 2 or Chapter 3 of”;

(b)for “the Chapter” substitute “this Part”.

7.  For the heading of Chapter 2 substitute “The UK GDPR”.

8.  In the italic heading before section 6, for “GDPR” substitute “UK GDPR”.

9.  In section 6(1) and (2), for “GDPR” substitute “UK GDPR”.

10.—(1) Section 7 is amended as follows.

(2) In subsection (1)—

(a)for “GDPR” substitute “UK GDPR”;

(b)omit “under the law of the United Kingdom”.

(3) In subsections (2) and (4), for “GDPR” substitute “UK GDPR”.

11.  In section 8, for “GDPR” substitute “UK GDPR”.

12.  Omit section 9.

13.—(1) Section 10 is amended as follows.

(2) In subsections (1), (2) and (3), for “GDPR” substitute “UK GDPR”.

(3) In subsection (5), for “10 of the GDPR” substitute “10(1) of the UK GDPR”.

14.  In section 11, in subsection (1) (in both places) and in subsection (2), for “GDPR” substitute “UK GDPR”.

15.  In section 12(1)(a) and (b), for “GDPR” substitute “UK GDPR”.

16.  In section 13(2) and (3), for “GDPR” substitute “UK GDPR”.

17.—(1) Section 14 is amended as follows.

(2) In subsection (1)—

(a)for “GDPR” (in both places) substitute “UK GDPR”;

(b)for “authorised by law” substitute “required or authorised under the law of the United Kingdom or a part of the United Kingdom”.

(3) In subsections (3)(c), (5) and (6) (in both places), for “GDPR” substitute “UK GDPR”.

18.  For the italic heading before section 15 substitute “Exemptions etc”.

19.—(1) Section 15 is amended as follows.

(2) In subsection (1), for “GDPR” substitute “UK GDPR”.

(3) In subsection (2)(a)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(4) In subsection (2)(b)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(5) In subsection (2)(c)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(6) In subsection (2)(d)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(7) In subsection (2)(e)—

(a)for “, V and VII of the GDPR” substitute “and V of the UK GDPR”;

(b)for “, as allowed for by Article 85(2) of the GDPR” substitute “(of a kind described in Article 85(2) of the UK GDPR)”.

(8) In subsection (2)(f)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)omit “, as allowed for by Article 89(2) and (3) of the GDPR”.

(9) In subsection (3)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(10) In subsection (4) —

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(11) After subsection (4) insert—

“(4A) In connection with the manual unstructured processing of personal data held by an FOI public authority, see Chapter 3 of this Part (sections 21, 24 and 25).”.

(12) In subsection (5), for “and the exemption in section 26” substitute “(sections 26 to 28)”.

20.—(1) Section 16 is amended as follows.

(2) In subsection (1)—

(a)in the opening words, for “GDPR” substitute “UK GDPR”;

(b)in paragraph (a)—

(i)omit “for Member State law”;

(ii)for “GDPR” substitute “UK GDPR”;

(c)in paragraph (b), for “a legislative measure” substitute “provision”;

(d)in paragraph (c), for “GDPR” substitute “UK GDPR”.

(3) In subsection (2)—

(a)omit “and” at the end of paragraph (a)(ii);

(b)after paragraph (b) insert—

“, and

(c)consequentially amend the UK GDPR by adding, varying or omitting a reference to section 15, Schedule 2, 3 or 4, this section or regulations under this section.”.

21.  For the italic heading before section 17 substitute “Certification”.

22.—(1) Section 17 is amended as follows.

(2) In subsection (1)(b), for “national accreditation body” substitute “UK national accreditation body”.

(3) In subsection (3), for “national accreditation body” substitute “UK national accreditation body”.

(4) In subsection (6)—

(a)for “national accreditation body” substitute “UK national accreditation body”;

(b)for “GDPR” substitute “UK GDPR”.

(5) In subsection (7)—

(a)for “national accreditation body” substitute “UK national accreditation body”;

(b)for “GDPR” substitute “UK GDPR”.

(6) In subsection (8)—

(a)for “GDPR” substitute “UK GDPR”;

(b)for “national accreditation body” (in both places) substitute “UK national accreditation body”.

23.  Before section 18 (but after the italic heading before it) insert—

“17A    Transfers based on adequacy regulations

(1) The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—

(a)a third country,

(b)a territory or one or more sectors within a third country,

(c)an international organisation, or

(d)a description of such a country, territory, sector or organisation.

(2) For the purposes of the UK GDPR and this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, or

(b)in the case of an international organisation, the organisation.

(3) Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).

(4) Article 45(2) of the UK GDPR makes provision about the assessment of the adequacy of the level of protection for the purposes of this section and section 17B.

(5) Regulations under this section—

(a)where they relate to a third country, must specify their territorial and sectoral application;

(b)where applicable, must specify the independent supervisory authority or authorities referred to in Article 45(2)(b) of the UK GDPR.

(6) Regulations under this section may, among other things—

(a)provide that in relation to a country, territory, sector, organisation or transfer specified, or falling within a description specified, in the regulations, section 17B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;

(b)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(c)confer a discretion on a person.

(7) Regulations under this section are subject to the negative resolution procedure.

17B    Transfers based on adequacy regulations: review etc

(1) For so long as regulations under section 17A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.

(2) Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.

(3) The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 17A or to amend or revoke such regulations.

(4) Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 17A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

(5) Where regulations under section 17A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.

(6) The Secretary of State must publish—

(a)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 17A, and

(b)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.

(7) In the case of regulations under section 17A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—

(a)the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and

(b)the lists published under subsection (6) must specify or describe the relevant transfers.

17C    Standard data protection clauses

(1) The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 119A).

(2) The Secretary of State must keep under review the standard data protection clauses specified in regulations under this section that are for the time being in force.

(3) Regulations under this section are subject to the negative resolution procedure.”.

24.—(1) Section 18 is amended as follows.

(2) In the heading, at the end insert “: public interest”.

(3) In subsection (1), for “GDPR” substitute “UK GDPR”.

(4) In subsection (2), for paragraph (a) (but not the final “and”) substitute—

“(a)the transfer cannot take place based on adequacy regulations (see section 17A),”.

25.  In section 19(2), for “GDPR” substitute “UK GDPR”.

26.  In section 20—

(a)for “this Chapter” (in both places) substitute “this Part”;

(b)for “GDPR” substitute “UK GDPR”.

27.  For the heading of Chapter 3 substitute “Exemptions for manual unstructured processing and for national security and defence purposes”.

28.  For the italic heading before section 21 substitute “Definitions”.

29.—(1) Section 21 is amended as follows.

(2) For the heading substitute “Definitions”.

(3) Omit subsections (1), (2), (3) and (4).

30.  Omit section 22 and the italic heading before it.

31.  Omit section 23.

32.—(1) Section 24 is amended as follows.

(2) In subsection (1)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”;

(c)for “section 21(2)” substitute “Article 2(1A)”.

(3) In subsection (2)—

(a)in paragraphs (a), (b) and (c), for “the applied GDPR” substitute “the UK GDPR”;

(b)after paragraph (c) insert—

“(ca)in Part 2 of this Act, sections 17A, 17B and 17C (transfers to third countries);

(cb)in Part 5 of this Act, section 119A (standard clauses for transfers to third countries);”;

(c)for paragraph (d) substitute—

“(d)in Part 7 of this Act, sections 170 and 171 (offences relating to personal data).”.

(4) In subsection (3)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”;

(c)for “section 21(2)” substitute “Article 2(1A)”.

(5) In subsection (5)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”;

(c)for “section 21(2)” substitute “Article 2(1A)”;

(d)in paragraph (a), for “that Article” substitute “Article 15”.

33.—(1) Section 25 is amended as follows.

(2) In subsection (1)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”;

(c)for “section 21(2)” substitute “Article 2(1A)”.

(3) In subsection (2)(a) and (b), omit “of the applied GDPR”.

34.—(1) Section 26 is amended as follows.

(2) In subsection (1)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”.

(3) In subsection (2)—

(a)in paragraphs (a), (b), (c) and (d), for “the applied GDPR” substitute “the UK GDPR”;

(b)in paragraph (e), for “the applied GDPR” (in both places) substitute “the UK GDPR”;

(c)in paragraph (f), for “the applied GDPR” substitute “the UK GDPR”;

(d)after paragraph (f) insert—

“(fa)in Part 2 of this Act, sections 17A, 17B and 17C (transfers to third countries);”;

(e)in paragraph (g)—

(i)in sub-paragraph (ii), for “the applied GDPR” substitute “the UK GDPR”;

(ii)after sub-paragraph (iii) insert—

“(iv)section 119A (standard clauses for transfers to third countries);”.

35.  In section 27(5), for “the applied GDPR” substitute “the UK GDPR”.

36.—(1) Section 28 is amended as follows.

(2) In the heading, for “applied GDPR” substitute “UK GDPR”.

(3) In subsections (1) and (2)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”.

(4) In subsection (3), for “the applied GDPR” substitute “the UK GDPR”.

(5) After subsection (4) insert—

“(5) The functions conferred on the Commissioner in relation to the UK GDPR by Articles 57(1)(a), (d), (e), (h) and (u) and 58(1)(d) and (2)(a) to (d) of the UK GDPR (which are subject to safeguards set out in section 115) include functions in relation to subsection (3).”.

Part 3 (law enforcement processing) (other than Schedules 7 and 8)

37.  In section 33(7), for “other than a member State” substitute “outside the United Kingdom”.

38.  In section 48, omit subsection (8).

39.  In section 67, omit subsection (8).

40.—(1) Section 73 is amended as follows.

(2) In subsection (1)(b), omit “other than the United Kingdom”.

(3) In subsection (3)—

(a)in paragraph (a) for “an adequacy decision (see section 74)” substitute “adequacy regulations (see section 74A)”;

(b)in paragraphs (b) and (c), for “an adequacy decision” substitute “adequacy regulations”.

(4) In subsection (5)(a), omit “a member State or”.

41.  Omit section 74.

42.  After section 74 insert—

“74A    Transfers based on adequacy regulations

(1) The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—

(a)a third country,

(b)a territory or one or more sectors within a third country,

(c)an international organisation, or

(d)a description of such a country, territory, sector or organisation.

(2) For the purposes of this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, and

(b)in the case of an international organisation, the organisation,

and such a transfer does not require specific authorisation.

(3) Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).

(4) When assessing the adequacy of the level of protection for the purposes of this section or section 74B, the Secretary of State must, in particular, take account of—

(a)the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is transferred,

(b)the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the Commissioner, and

(c)the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

(5) Regulations under this section—

(a)where they relate to a third country, must specify their territorial and sectoral application;

(b)where applicable, must specify the independent supervisory authority or authorities referred to in subsection (4)(b).

(6) Regulations under this section may, among other things—

(a)provide that, in relation to a country, territory, sector, organisation or territory specified, or falling within a description specified, in the regulations, section 74B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;

(b)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(c)confer a discretion on a person.

(7) Regulations under this section are subject to the negative resolution procedure.

74B    Transfers based on adequacy regulations: review etc

(1) For so long as regulations under section 74A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.

(2) Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.

(3) The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 74A or to amend or revoke such regulations.

(4) Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 74A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

(5) Where regulations under section 74A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.

(6) The Secretary of State must publish—

(a)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 74A, and

(b)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.

(7) In the case of regulations under section 74A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—

(a)the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and

(b)the lists published under subsection (6) must specify or describe the relevant transfers.”.

43.  In section 76(1)(c), omit “a member State or”.

44.  Section 77(8), for “member States” substitute “the United Kingdom”.

45.—(1) Section 78 is amended as follows.

(2) In subsection (4), omit “other than the United Kingdom”.

(3) In subsection (5)(a), omit “a member State or”.

46.—(1) Section 80 is amended as follows.

(2) In subsection (1), for “an EU recipient or a non-EU recipient” substitute “a non-UK recipient”.

(3) In subsection (2)—

(a)omit the definition of “EU recipient”;

(b)for “non-EU recipient” substitute “non-UK recipient”.

(4) In subsection (4), for “the EU recipient or non-EU recipient” substitute “the non-UK recipient”.

(5) Omit subsections (5), (6) and (7).

Part 5 (Information Commissioner) (other than Schedules 12 to 14)

47.—(1) Section 115 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) Omit subsection (1).

(4) In subsection (2)—

(a)in paragraphs (a) and (b), for “GDPR” substitute “UK GDPR”;

(b)after “section 2” insert “and section 28(5)”.

(5) In subsections (3) and (4), for “GDPR” substitute “UK GDPR”.

(6) In subsection (5), for “GDPR” (in both places) substitute “UK GDPR”.

(7) In subsection (6), for “GDPR” substitute “UK GDPR”.

(8) In subsection (7), for “GDPR” (in both places) substitute “UK GDPR”.

(9) In subsection (8)(a) and (b), for “GDPR” substitute “UK GDPR”.

(10) In subsections (9) and (10), for “GDPR” substitute “UK GDPR”.

48.—(1) Section 116 is amended as follows.

(2) Before subsection (1) insert—

“(A1) The Commissioner is responsible for monitoring the application of Part 3 of this Act, in order to protect the fundamental rights and freedoms of individuals in relation to processing by a competent authority for any of the law enforcement purposes (as defined in Part 3) and to facilitate the free flow of personal data.”.

(3) In subsection (1), omit paragraph (a) (including the final “and”).

(4) In subsection (2), for “GDPR” substitute “UK GDPR”.

49.—(1) Section 117 is amended as follows.

(2) After “this Act” insert “or the UK GDPR”.

(3) Omit “(and see also Article 55(3) of the GDPR)” (and the comma before those words).

50.—(1) Section 118 is amended as follows.

(2) For the heading substitute “Co-operation between parties to the Data Protection Convention”.

(3) Omit subsections (1), (2), (3) and (4).

51.  After section 119 insert—

“119A    Standard clauses for transfers to third countries etc

(1) The Commissioner may issue a document specifying standard data protection clauses which the Commissioner considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 17C).

(2) The Commissioner may issue a document that amends or withdraws a document issued under subsection (1).

(3) A document issued under this section—

(a)must specify when it comes into force,

(b)may make different provision for different purposes, and

(c)may include transitional provision or savings.

(4) Before issuing a document under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—

(a)trade associations;

(b)data subjects;

(c)persons who appear to the Commissioner to represent the interests of data subjects.

(5) After a document is issued under this section—

(a)the Commissioner must send a copy to the Secretary of State, and

(b)the Secretary of State must lay it before Parliament.

(6) If, within the 40-day period, either House of Parliament resolves not to approve the document then, with effect from the end of the day on which the resolution is passed, the document is to be treated as not having been issued under this section (so that the document, and any amendment or withdrawal made by the document, is to be disregarded for the purposes of Article 46(2)(d) of the UK GDPR).

(7) Nothing in subsection (6)—

(a)affects any transfer of personal data previously made in reliance on the document, or

(b)prevents a further document being laid before Parliament.

(8) The Commissioner must publish—

(a)a document issued under this section, and

(b)a notice identifying any document which, under subsection (6), is treated as not having been issued under this section.

(9) The Commissioner must keep under review the clauses specified in a document issued under this section for the time being in force.

(10) In this section, “the 40-day period” means—

(a)if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or

(b)if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.

(11) In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.

(12) In this section, “trade association” includes a body representing controllers or processors.”.

52.—(1) Section 120 is amended as follows.

(2) In subsection (2), for “GDPR” (in each place) substitute “UK GDPR”.

(3) After subsection (2) insert—

“(2A) The Commissioner may contribute to the activities of international organisations with data protection functions.”.

(4) In subsection (6), in the definition of “third country”, for “that is not a member State” substitute “outside the United Kingdom”.

53.  In section 123(7), for “GDPR” (in both places) substitute “UK GDPR”.

54.  In section 129(1), for “GDPR” substitute “UK GDPR”.

55.  In section 132(2), omit paragraph (d).

56.  In section 135(4), for “GDPR” substitute “UK GDPR”.

57.  In section 136(1)(b), for “GDPR” substitute “UK GDPR”.

58.  In section 139(2), for “GDPR” substitute “UK GDPR”.

Part 6 (enforcement) (other than Schedules 15 to 17)

59.  In section 142(9)—

(a)for “GDPR” (in both places) substitute “UK GDPR”;

(b)for “the European Union” substitute “the United Kingdom”.

60.  In section 143(9), for “GDPR” substitute “UK GDPR”.

61.  In section 149(2)(a), (b), (c) and (e), (3) and (4)(b) and (c), for “GDPR” substitute “UK GDPR”.

62.  In section 151(1)(b) and (8)(a), for “GDPR” substitute “UK GDPR”.

63.  In section 155(2)(a), for “GDPR” (in both places) substitute “UK GDPR”.

64.—(1) Section 157 is amended as follows.

(2) In subsection (1), for “GDPR” (in both places) substitute “UK GDPR”;

(3) In subsection (2)(a), omit “74,”.

(4) In subsection (5), for “20 million Euros” (in both places) substitute “£17,500,000”.

(5) In subsection (6), for “10 million Euros” (in both places) substitute “£8,700,000”.

(6) Omit subsection (7).

65.  In section 159(1) and (2), for “GDPR” substitute “UK GDPR”.

66.—(1) Section 165 is amended as follows.

(2) In subsection (1), for “GDPR” (in both places) substitute “UK GDPR”.

(3) In subsection (5)(b), for “another supervisory authority or” substitute “a”.

(4) Omit subsection (6).

(5) In subsection (7), omit the definition of “supervisory authority”.

67.  In section 166(1), for “GDPR” substitute “UK GDPR”.

68.  In section 167(4), for “GDPR” substitute “UK GDPR”.

69.—(1) Section 168 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) In subsections (1) and (2), for “GDPR” substitute “UK GDPR”.

70.  In section 169(1), for “GDPR” substitute “UK GDPR”.

71.  In section 170(7), for “GDPR” substitute “UK GDPR”.

72.  In section 171(8)(a), for “GDPR” substitute “UK GDPR”.

73.  In section 173(2)(a) and (b), for “GDPR” substitute “UK GDPR”.

74.  In section 174(2)(a) and (b), for “GDPR” substitute “UK GDPR”.

75.  In section 180(2)(d) and (e), for “GDPR” substitute “UK GDPR”.

76.  In section 181, in the definition of “representative”, for “GDPR” (in both places) substitute “UK GDPR”.

Part 7 (supplementary and final provision) (other than Schedules 18 to 20)

77.  In section 182(3), omit paragraph (a).

78.—(1) Section 183 is amended as follows.

(2) In subsection (2)(d), for “processing of personal data to which Chapter 3 of Part 2 or Part 4 of this Act applies” substitute “relevant processing of personal data”.

(3) After subsection (2) insert—

“(2A) In subsection (2)(d), “relevant processing of personal data” means—

(a)processing of personal data described in Article 2(1)(a) or (b) or (1A) of the UK GDPR, and

(b)processing of personal data to which Part 4 of this Act applies.”.

79.  In section 185(4)(a) and (b), for “GDPR” substitute “UK GDPR”.

80.—(1) Section 186 is amended as follows.

(2) In subsection (2)(a), for “GDPR” substitute “UK GDPR”.

(3) In subsection (3)(b), omit “23,”.

81.—(1) Section 187 is amended as follows.

(2) In subsection (1), in the opening words, for “GDPR applies” insert “UK GDPR applies, Article 80(1) of the UK GDPR (representation of data subjects)”.

(3) In subsection (1)(a)—

(a)omit “Article 80(1) of the GDPR (representation of data subjects)”;

(b)for “that Article” substitute “subsections (3) and (4)”;

(c)for “GDPR” (in the second place) substitute “UK GDPR”.

(4) In subsection (1)(b)—

(a)for “a data subject may also authorise” substitute “also authorises”;

(b)for “GDPR” substitute “UK GDPR”.

(5) In subsection (2)—

(a)for “GDPR” substitute “UK GDPR”;

(b)in paragraph (a), for “, (4)(d) and (6)(c)” substitute “and (4)(d)”.

(6) In subsection (5), for “GDPR” substitute “UK GDPR”.

82.  In section 188(2), for “GDPR” substitute “UK GDPR”.

83.—(1) Section 189 is amended as follows.

(2) In subsection (2), for “GDPR” (in each place) substitute “UK GDPR”.

(3) In subsection (4)(c) and (d), for “GDPR” substitute “UK GDPR”.

84.  In section 190(1), for “GDPR” (in each place) substitute “UK GDPR”.

85.—(1) Section 205 is amended as follows.

(2) In subsection (1), in the definition of “enactment”—

(a)omit “and” at the end of paragraph (d);

(b)after paragraph (e) insert—

“and

(f)any retained direct EU legislation;”.

(3) In subsection (1), in the definition of “international obligation of the United Kingdom”, omit paragraph (a).

(4) After subsection (1) insert—

“(1A) In this Act, references to a fundamental right or fundamental freedom (however expressed) are to a fundamental right or fundamental freedom which continues to form part of domestic law on and after exit day by virtue of section 4 of the European Union (Withdrawal) Act 2018, as the right or freedom is amended or otherwise modified by the law of the United Kingdom, or of a part of the United Kingdom, from time to time on or after exit day.”.

(5) In subsection (2)—

(a)before paragraph (a) insert—

“(za)section 119A(10) and (11);”;

(b)omit “Chapter 2 or 3 of”.

(6) Omit subsection (3).

(7) After subsection (3) insert—

“(4) In the definition of “the UK GDPR” in section 3(10)—

(a)the reference to Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 is to be treated as a reference to that Regulation as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the 2019 Regulations”), but

(b)nothing in the definition or in paragraph (a) determines whether, where Regulation (EU) 2016/679 is modified on or after exit day by the law of England and Wales, Scotland or Northern Ireland (other than by Schedule 1 to the 2019 Regulations), the reference to Regulation (EU) 2016/679 is then to be read as a reference to that Regulation as modified.

(5) Subsection (4) is not to be read as implying anything about how other references to Regulation (EU) 2016/679 or references to other retained EU law are to be interpreted.”.

86.—(1) The Table in section 206 is amended as follows.

(2) Omit the entries for “the applied Chapter 2” and “the applied GDPR”.

(3) After the entry for “enforcement notice” insert—

(4) Omit the entry for “the GDPR”.

(5) In the entries for “public authority” and “public body”, for “GDPR” substitute “UK GDPR”.

(6) At the end insert—

87.—(1) Section 207 is amended as follows.

(2) In subsection (1), for “(2) and (3)” substitute “(1A) and (2)”.

(3) After subsection (1) insert—

“(1A) In the case of the processing of personal data to which Part 2 (the UK GDPR) applies, it applies to the types of such processing to which the UK GDPR applies by virtue of Article 3 of the UK GDPR.”.

(4) In subsection (2), for “It applies to the processing of personal data” substitute “In the case of the processing of personal data to which Part 2 does not apply, it applies where such processing is carried out”.

(5) Omit subsection (3).

(6) In subsection (4), for “Subsections (1) to (3)” substitute “Subsections (1), (1A) and (2)”.

(7) Omit subsection (6).

(8) In subsection (7), omit the words after paragraph (d).

88.  In section 209(2), (3) and (4), for “GDPR” substitute “UK GDPR”.

89.  In section 210(2) and (3), for “GDPR” substitute “UK GDPR”.

90.—(1) Section 213 is amended as follows.

(2) In subsection (2), for “GDPR” substitute “EU GDPR”.

(3) At the end insert—

“(4) Schedule 21 contains further transitional, transitory and saving provision made in connection with the amendment of this Act and the UK GDPR by regulations under section 8 of the European Union (Withdrawal) Act 2018.”.

Schedules

91.—(1) Schedule 1 is amended as follows.

(2) In paragraph 2(3), for “GDPR” substitute “UK GDPR”.

(3) In paragraph 4(b), for “GDPR” substitute “UK GDPR”.

(4) In paragraph 39(a), for “GDPR” substitute “UK GDPR”.

(5) In paragraph 41, for “GDPR” (in both places) substitute “UK GDPR”.

92.—(1) Schedule 2 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) In the heading of Part 1, for “based on” substitute “as described in”.

(4) In the italic heading before paragraph 1, for “GDPR” (in the first place) substitute “UK GDPR”.

(5) In paragraph 1—

(a)in sub-paragraph (a), for “GDPR” (in both places) substitute “UK GDPR”;

(b)in sub-paragraph (b), for “GDPR” (in both places) substitute “UK GDPR”.

(6) In paragraph 2—

(a)in sub-paragraph (1), for “GDPR” (in the second place) substitute “UK GDPR”;

(b)in sub-paragraph (3), for “GDPR” substitute “UK GDPR”.

(7) In paragraph 3—

(a)in sub-paragraph (1), for “GDPR” substitute “UK GDPR”;

(b)in sub-paragraph (3), for “GDPR” (in each place) substitute “UK GDPR”.

(8) In paragraph 4—

(a)in sub-paragraph (1), for “GDPR” substitute “UK GDPR”;

(b)in sub-paragraph (2), in the opening words (but not the words following paragraph (g)), for “GDPR” (in each place) substitute “UK GDPR”;

(c)in sub-paragraph (4), for “GDPR” substitute “UK GDPR”.

(9) In the heading of Part 2, for “based on” substitute “as described in”.

(10) In the italic heading before paragraph 6, for “GDPR” (in the first place) substitute “UK GDPR”.

(11) In paragraph 6, for “GDPR” (in the second and third places) substitute “UK GDPR”.

(12) In paragraph 13, for “GDPR” (in the second place) substitute “UK GDPR”.

(13) In the heading of Part 3, for “based on Article 23(1):” substitute “for the”.

(14) In paragraph 16(1), for “GDPR” (in both places) substitute “UK GDPR”.

(15) In the heading of Part 4, for “based on” substitute “as described in”.

(16) In the italic heading before paragraph 18, for “GDPR” (in the first place) substitute “UK GDPR”.

(17) In paragraph 18, for “GDPR” (in the second and third places) substitute “UK GDPR”.

(18) In paragraph 20(3), for “GDPR” substitute “UK GDPR”.

(19) In paragraph 25—

(a)in sub-paragraph (2), for “GDPR” (in both places) substitute “UK GDPR”;

(b)in sub-paragraph (3), for “GDPR” substitute “UK GDPR”.

(20) In the heading of Part 5, omit “based on Article 85(2)”.

(21) In paragraph 26(9)—

(a)in the opening words, for “GDPR” (in the second and third places) substitute “UK GDPR”;

(b)in paragraphs (a), (b), (c) and (d), for “GDPR” substitute “UK GDPR”;

(c)omit paragraph (e).

(22) In the heading of Part 6, omit “based on Article 89”.

(23) In paragraph 27—

(a)in sub-paragraph (1), for “sub-paragraph (3)” substitute “sub-paragraphs (3) and (4)”;

(b)in sub-paragraph (2), for “GDPR (the rights in which may be derogated from by virtue of Article 89(2) of the GDPR)” substitute “UK GDPR”;

(c)in sub-paragraph (3)(a), for “GDPR” substitute “UK GDPR”;

(d)after sub-paragraph (3) insert—

“(4) Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph.”.

(24) In paragraph 28—

(a)in sub-paragraph (1), for “sub-paragraph (3)” substitute “sub-paragraphs (3) and (4)”;

(b)in sub-paragraph (2), for “GDPR (the rights in which may be derogated from by virtue of Article 89(3) of the GDPR)” substitute “UK GDPR”;

(c)in sub-paragraph (3), for “GDPR” substitute “UK GDPR”;

(d)after sub-paragraph (3) insert—

“(4) Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph.”.

93.—(1) Schedule 3 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) In the heading of Part 1, for “GDPR” substitute “UK GDPR”.

(4) In paragraph 1, for “GDPR” (in the second and third places) substitute “UK GDPR”.

(5) In paragraph 2(2), for “GDPR” substitute “UK GDPR”.

(6) In the italic heading before paragraph 5, for “GDPR” substitute “UK GDPR”.

(7) In paragraph 5(1), for “GDPR” substitute “UK GDPR”.

(8) In the italic heading before paragraph 6, for “GDPR” substitute “UK GDPR”.

(9) In paragraph 6(1), for “GDPR” substitute “UK GDPR”.

(10) In paragraph 7(2), for “GDPR” substitute “UK GDPR”.

(11) In the italic heading before paragraph 11, for “GDPR” substitute “UK GDPR”.

(12) In paragraph 11, for “GDPR” substitute “UK GDPR”.

(13) In the italic heading before paragraph 12, for “GDPR” substitute “UK GDPR”.

(14) In paragraph 12(1)(a) and (3), for “GDPR” substitute “UK GDPR”.

(15) In paragraph 17(2), for “GDPR” substitute “UK GDPR”.

(16) In the italic heading before paragraph 19, for “GDPR” substitute “UK GDPR”.

(17) In paragraph 19, for “GDPR” substitute “UK GDPR”.

(18) In the italic heading before paragraph 20, for “GDPR” substitute “UK GDPR”.

(19) In paragraph 20(1)(a) and (3), for “GDPR” substitute “UK GDPR”.

(20) In the italic heading before paragraph 21, for “GDPR” substitute “UK GDPR”.

(21) In paragraph 21(2), for “GDPR” substitute “UK GDPR”.

94.—(1) Schedule 4 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) In the italic heading before paragraph 1, for “GDPR” (in the first place) substitute “UK GDPR”.

(4) In paragraph 1, for “GDPR” (in the second and third places) substitute “UK GDPR”.

95.  In Schedule 5, in the following provisions, for “national accreditation body” substitute “UK national accreditation body”—

(a)paragraph 1(2) (in both places);

(b)paragraph 4(4) (in both places);

(c)paragraph 6(4).

96.  Omit Schedule 6.

97.—(1) Schedule 13 is amended as follows.

(2) In paragraph 1(1)—

(a)in paragraph (e), omit “LED supervisory authorities and”;

(b)in paragraph (f), omit “LED supervisory authorities and” and “the Law Enforcement Directive and”;

(c)in paragraph (g), omit “an LED supervisory authority,”;

(d)omit paragraph (i).

(3) In paragraph 3, omit the definition of “LED supervisory authority”.

98.  In Schedule 14, omit Part 1.

99.—(1) Schedule 18 is amended as follows.

(2) In paragraph 1(2), for “section 21(2)” substitute “Article 2(1A) of the UK GDPR”.

(3) In paragraph 5(a) and (b), for “GDPR” substitute “UK GDPR”.

100.—(1) Schedule 19 is amended as follows.

(2) In paragraph 431(3), for “the GDPR or the applied GDPR” substitute “the UK GDPR”.

(3) In paragraph 432(5)(a), for “the GDPR or the applied GDPR” substitute “the UK GDPR”.

101.—(1) Schedule 20 is amended as follows.

(2) In the heading of Part 3, for “GDPR” substitute “UK GDPR”.

(3) In the italic heading before paragraph 12, for “GDPR” (in both places) substitute “UK GDPR”.

(4) In paragraph 18—

(a)in sub-paragraphs (2)(b) and (6)(b), for “applied GDPR” substitute “UK GDPR”;

(b)after sub-paragraph (7) insert—

“(8) In this paragraph, references to the UK GDPR do not include the EU GDPR as it was directly applicable to the United Kingdom before exit day (see paragraph 2 of Schedule 21).”.

(5) In paragraph 50, for “GDPR” substitute “UK GDPR”.

102.  After Schedule 20 insert—

Section 213

“SCHEDULE 21Further transitional provision etc

Part 1Interpretation

The applied GPDR

1.  In this Schedule, “the applied GDPR” means the EU GDPR as applied by Chapter 3 of Part 2 before exit day.

Part 2Continuation of existing acts etc

Merger of the directly applicable GDPR and the applied GDPR

2.—(1) On and after exit day, references in an enactment to the UK GDPR (including the reference in the definition of “the data protection legislation” in section 3(9)) include—

(a)the EU GDPR as it was directly applicable to the United Kingdom before exit day, read with Chapter 2 of Part 2 of this Act as it had effect before exit day, and

(b)the applied GDPR, read with Chapter 3 of Part 2 of this Act as it had effect before exit day.

(2) On and after exit day, references in an enactment to, or to a provision of, Chapter 2 of Part 2 of this Act (including general references to this Act or to Part 2 of this Act) include that Chapter or that provision as applied by Chapter 3 of Part 2 of this Act as it had effect before exit day.

(3) Sub-paragraphs (1) and (2) have effect—

(a)in relation to references in this Act, except as otherwise provided;

(b)in relation to references in other enactments, unless the context otherwise requires.

3.—(1) Anything done in connection with the EU GDPR as it was directly applicable to the United Kingdom before exit day, the applied GDPR or this Act—

(a)if in force or effective immediately before exit day, continues to be in force or effective on and after exit day, and

(b)if in the process of being done immediately before exit day, continues to be done on and after exit day.

(2) References in this paragraph to anything done include references to anything omitted to be done.

Part 3Transfers to third countries and international organisations

UK GDPR: adequacy decisions and adequacy regulations

4.—(1) On and after exit day, for the purposes of the UK GDPR and Part 2 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 5 specifies, or specifies a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, or

(b)in the case of an international organisation, the organisation.

(2) Sub-paragraph (1) has effect subject to provision in paragraph 5 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 5 for the purposes of sub-paragraph (1).

(3) The Secretary of State may by regulations—

(a)repeal sub-paragraphs (1) and (2) and paragraph 5;

(b)amend paragraph 5 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;

(c)amend paragraph 5 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and making provision described in sub-paragraph (2).

(4) Regulations under this paragraph may, among other things——

(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(b)confer a discretion on a person.

(5) Regulations under this paragraph are subject to the negative resolution procedure.

(6) Sub-paragraphs (1) and (2) have effect in addition to section 17A(2) and (3).

5.—(1) The following are specified for the purposes of paragraph 4(1)—

(a)an EEA state;

(b)Gibraltar;

(c)a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;

(d)an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;

(e)a third country which is the subject of a decision listed in sub-paragraph (2), other than a decision that, immediately before exit day, had been repealed or was suspended;

(f)a third country, territory or sector within a third country or international organisation which is the subject of an adequacy decision made by the European Commission before exit day on the basis of Article 45(3) of the EU GDPR, other than a decision that, immediately before exit day, had been repealed or was suspended.

(2) The decisions mentioned in sub-paragraph (1)(e) are the following—

(a)Commission Decision 2000/518/EC(2) of 26th July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;

(b)Commission Decision 2002/2/EC(3) of 20th December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;

(c)Commission Decision 2003/490/EC(4) of 30th June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina;

(d)Commission Decision 2003/821/EC(5) of 21st November 2003 on the adequate protection of personal data in Guernsey;

(e)Commission Decision 2004/411/EC(6) of 28th April 2004 on the adequate protection of personal data in the Isle of Man;

(f)Commission Decision 2008/393/EC(7) of 8th May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey;

(g)Commission Decision 2010/146/EU(8) of 5th March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;

(h)Commission Decision 2010/625/EU(9) of 19th October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra;

(i)Commission Decision 2011/61/EU(10) of 31st January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;

(j)Commission Implementing Decision 2012/484/EU(11) of 21st August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;

(k)Commission Implementing Decision 2013/65/EU(12) of 19th December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;

(l)Commission Implementing Decision (EU) 2016/1250(13) of 12th July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

(3) Where a decision described in sub-paragraph (1)(e) or (f) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 4(1).

(4) The references to a decision in sub-paragraphs (1)(e) and (f) and (2) are to the decision as it had effect in EU law immediately before exit day, subject to sub-paragraphs (5) and (6).

(5) For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(e) or (f) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.

(6) For the purposes of this paragraph, where a decision described in sub-paragraph (1)(e) or (f) relates to—

(a)transfers from the European Union (or the European Community) or the European Economic Area, or

(b)transfers to which the EU GDPR applies,

it is to be treated as relating to equivalent transfers to or from the United Kingdom or transfers to which the UK GDPR applies (as appropriate).

6.—(1) In the provisions listed in sub-paragraph (2)—

(a)references to regulations made under section 17A (other than references to making such regulations) include the provision made in paragraph 5;

(b)references to the revocation of such regulations include the repeal of all or part of paragraph 5.

(2) Those provisions are—

(a)Articles 13(1)(f), 14(1)(f), 45(1) and (7), 46(1) and 49(1) of the UK GDPR;

(b)sections 17B(1), (3), (6) and (7) and 18(2) of this Act.

UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

7.—(1) Subject to paragraph 8, the appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after exit day as described in this paragraph.

(2) The safeguards may be provided for by any standard data protection clauses included in an arrangement which, if the arrangement had been entered into immediately before exit day, would have provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.

(3) The safeguards may be provided for by a version of standard data protection clauses described in sub-paragraph (2) incorporating changes where—

(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and

(b)none of the changes alters the effect of the clauses.

(4) The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—

(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;

(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.

(5) In the case of a transfer of personal data made under arrangements entered into before exit day, the safeguards may be provided for on and after exit day by standard data protection clauses not falling within sub-paragraph (2) which—

(a)formed part of the arrangements immediately before exit day, and

(b)at that time, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.

(6) The Secretary of State and the Commissioner must keep the operation of this paragraph under review.

(7) In this paragraph, “adequacy decision” means a decision made on the basis of—

(a)Article 45(3) of the EU GDPR, or

(b)Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

(8) This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.

8.—(1) Paragraph 7 does not apply to the extent that it has been disapplied by—

(a)regulations made by the Secretary of State, or

(b)a document issued by the Commissioner.

(2) Regulations under this paragraph are subject to the negative resolution procedure.

(3) Subsections (3) to (8) and (10) to (12) of section 119A apply in relation to a document issued by the Commissioner under this paragraph as they apply to a document issued by the Commissioner under section 119A(2).

UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rules

9.—(1) The appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after exit day as described sub-paragraphs (2) to (4), subject to sub-paragraph (5).

(2) The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before exit day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.

(3) The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—

(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and

(b)none of the changes alters the effect of the rules.

(4) The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—

(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;

(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.

(5) Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after exit day, the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).

(6) The Commissioner must keep the operation of this paragraph under review.

(7) In this paragraph—

“adequacy decision” means a decision made on the basis of—

“binding corporate rules” has the meaning given in Article 4(20) of the UK GDPR.

(8) This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.

Part 3 (law enforcement processing): adequacy decisions and adequacy regulations

10.—(1) On and after exit day, for the purposes of Part 3 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 11 specifies, or specifies a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, or

(b)in the case of an international organisation, the organisation.

(2) Sub-paragraph (1) has effect subject to provision in paragraph 11 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 11 for the purposes of sub-paragraph (1).

(3) The Secretary of State may by regulations—

(a)repeal sub-paragraphs (1) and (2) and paragraph 11;

(b)amend paragraph 11 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;

(c)amend paragraph 11 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and by making provision described in sub-paragraph (2).

(4) Regulations under this paragraph may, among other things—

(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(b)confer a discretion on a person.

(5) Regulations under this paragraph are subject to the negative resolution procedure.

(6) Sub-paragraphs (1) and (2) have effect in addition to section 74A(2) and (3).

11.—(1) The following are specified for the purposes of paragraph 10(1)—

(a)a member State;

(b)Gibraltar;

(c)a third country, a territory or sector within a third country or an international organisation which is the subject of an adequacy decision made by the European Commission before exit day on the basis of Article 36(3) of the Law Enforcement Directive, other than a decision that, immediately before exit day, had been repealed or was suspended.

(2) Where a decision described in sub-paragraph (1)(c) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 10(1).

(3) The reference to a decision in sub-paragraph (1)(c) is to the decision as it had effect in EU law immediately before exit day, subject to sub-paragraphs (4) and (5).

(4) For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(c) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.

(5) For the purposes of this paragraph, where a decision described in sub-paragraph (1)(c) relates to—

(a)transfers from the European Union (or the European Community) or the European Economic Area, or

(b)transfers to which the Law Enforcement Directive applies,

it is to be treated as relating to equivalent transfers from the United Kingdom or transfers to which Part 3 of this Act applies (as appropriate).

12.  In section 74B(1), (3), (6) and (7)—

(a)references to regulations made under section 74A (other than references to making such regulations) include the provision made in paragraph 11;

(b)references to the revocation of such regulations include the repeal of all or part of paragraph 11.

Part 4Repeal of provisions in Chapter 3 of Part 2

Applied GDPR: power to make provision in consequence of GDPR regulations

13.—(1) Regulations made under section 23 before exit day continue in force until they are revoked, despite the repeal of that section by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

(2) The provisions listed in section 186(3) include regulations made under section 23 before exit day (and not revoked).

(3) Sub-paragraphs (1) and (2) do not have effect so far as otherwise provided by the law of England and Wales, Scotland or Northern Ireland.

Applied GDPR: national security certificates

14.—(1) This paragraph applies to a certificate issued under section 27 of this Act which has effect immediately before exit day.

(2) A reference in the certificate to a provision of the applied GDPR has effect, on and after exit day, as it if were a reference to the corresponding provision of the UK GDPR or this Act.

Part 5The Information Commissioner

Confidentiality of information

15.  The repeal of section 132(2)(d) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 has effect only in relation to a disclosure of information made on or after exit day.

Part 6Enforcement

GDPR: maximum amount of penalties

16.  In relation to an infringement, before exit day, of a provision of the EU GDPR (as it was directly applicable to the United Kingdom) or the applied GDPR—

(a)Article 83(5) and (6) of the UK GDPR and section 157(5)(a) and (b) of this Act have effect as if for “£17,500,000” there were substituted “20 million Euros”;

(b)Article 83(4) of the UK GDPR and section 157(6)(a) and (b) of this Act have effect as if for “£8,700,000” there were substituted “10 million Euros”;

(c)the maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given under section 155 of this Act.

GDPR: right to an effective remedy against the Commissioner

17.—(1) This paragraph applies where—

(a)proceedings are brought against a decision made by the Commissioner before exit day, and

(b)the Commissioner’s decision was preceded by an opinion or decision of the European Data Protection Board in accordance with the consistency mechanism referred to in Article 63 of the EU GDPR.

(2) The Commissioner must forward the Board’s opinion or decision to the court or tribunal dealing with the proceedings.”.