These Regulations are made in exercise of the powers in sections 8(1) and 23(1) of, and paragraphs 21 of Schedule 7 and 1(1) of Schedule 4 to, the European Union (Withdrawal) Act 2018 (c.16) (“the EUWA 2018”), in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(a), (b), (d) and (g)) arising from the withdrawal of the United Kingdom (“UK”) from the European Union (“EU”).

These Regulations also exercise powers in section 211(2) of the Data Protection Act 2018 (“the DPA 2018”) to make provision consequential to that Act, and in section 2(2) of the European Communities Act 1972 (c.68) for the purpose of implementing an EU obligation of the UK.

Regulations 1 and 2 cover citation, commencement, extent and interpretation.

Regulation 3 introduces Schedule 1, which amends Regulation (EU) 2016/679 of the European Parliament and of the Council (“the GDPR”) as it forms part of domestic law by virtue of section 3 of the EUWA 2018.

Regulation 4 introduces Schedule 2, which amends the DPA 2018.

Among other things, changes made by Schedules 1 and 2 have the effect of merging two pre-existing regimes for the regulation of the processing of personal data – namely that established by the GDPR as supplemented by Chapter 2 of Part 2 of the DPA 2018 as originally enacted, and that established in Chapter 3 of Part 2 of the DPA 2018 as originally enacted (“the applied GDPR”). The applied GDPR extended GDPR standards to certain processing out of scope of EU law and the GDPR.

Regulation 5 makes provision concerning interpretation in relation to processing that prior to exit day was subject to the applied GDPR.

Regulation 6 introduces Schedule 3, which makes amendments to other legislation. Part 1 of Schedule 3 revokes certain EU data protection law that forms part of domestic law by virtue of section 3 of the EUWA 2018. Parts 2 and 3 of Schedule 3 make amendments to other legislation consequential to the amendments made in Schedules 1 and 2. Part 4 of Schedule 3 makes general provision for references to the GDPR (that are not otherwise amended by Parts 2 or 3) to have effect as references to the UK GDPR on and after exit day. Part 5 of Schedule 3 makes supplementary provision in respect of Parts 2, 3 and 4.

Regulation 7 introduces Schedule 4 which makes amendments consequential to the DPA 2018 to the Anti-terrorism, Crime and Security Act 2001 (c.24) and to the Investigatory Powers Act 2016 (c.25). Related amendments appear in paragraphs 76 and 201 (respectively) of schedule 19 to the DPA but have not been commenced. Regulation 7 repeals those provisions.

Regulation 8 makes amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2002/2013) in light of provision made by the GDPR relating to the meaning of “consent”.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen.