23. Before section 18 (but after the italic heading before it) insert—
(1) The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—
(a)a third country,
(b)a territory or one or more sectors within a third country,
(c)an international organisation, or
(d)a description of such a country, territory, sector or organisation.
(2) For the purposes of the UK GDPR and this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—
(a)in the case of a third country, the country or a relevant territory or sector within the country, or
(b)in the case of an international organisation, the organisation.
(3) Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).
(4) Article 45(2) of the UK GDPR makes provision about the assessment of the adequacy of the level of protection for the purposes of this section and section 17B.
(5) Regulations under this section—
(a)where they relate to a third country, must specify their territorial and sectoral application;
(b)where applicable, must specify the independent supervisory authority or authorities referred to in Article 45(2)(b) of the UK GDPR.
(6) Regulations under this section may, among other things—
(a)provide that in relation to a country, territory, sector, organisation or transfer specified, or falling within a description specified, in the regulations, section 17B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;
(b)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;
(c)confer a discretion on a person.
(7) Regulations under this section are subject to the negative resolution procedure.
(1) For so long as regulations under section 17A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.
(2) Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.
(3) The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 17A or to amend or revoke such regulations.
(4) Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 17A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.
(5) Where regulations under section 17A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.
(6) The Secretary of State must publish—
(a)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 17A, and
(b)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.
(7) In the case of regulations under section 17A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—
(a)the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and
(b)the lists published under subsection (6) must specify or describe the relevant transfers.
(1) The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 119A).
(2) The Secretary of State must keep under review the standard data protection clauses specified in regulations under this section that are for the time being in force.
(3) Regulations under this section are subject to the negative resolution procedure.”.