The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

Statutory Instruments

2019 No. 419

Exiting The European Union

Data Protection

Electronic Communications

The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019

Made

28th February 2019

Coming into force in accordance with regulation 1(2) and (3)

The Secretary of State makes these Regulations in exercise of the powers conferred by sections 8(1) and 23(1) of, paragraph 1(1) of Schedule 4 to and paragraph 21 of Schedule 7 to the European Union (Withdrawal) Act 2018(1), section 211(2) of the Data Protection Act 2018(2) and section 2(2) of the European Communities Act 1972(3).

In accordance with paragraph 3(1) of Schedule 4 to the European Union (Withdrawal) Act 2018, these Regulations are made with the consent of the Treasury.

The Secretary of State is a Minister designated for purposes of section 2(2) of the European Communities Act 1972 in respect of matters relating to electronic communications.

In accordance with paragraphs 1(1) and 12(1) of Schedule 7 to the European Union (Withdrawal) Act 2018, section 211(5) of the Data Protection Act 2018 and paragraph 2(2) of Schedule 2 to the European Communities Act 1972 a draft of this instrument has been laid before, and approved by a resolution of, each House of Parliament.

Citation, commencement and extent

1.—(1) These Regulations may be cited as the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

(2) Subject to paragraph (3), they come into force on exit day.

(3) Regulations 7 and 8 and Schedule 4 come into force on 29th March 2019.

(4) An amendment, repeal or revocation made by these Regulations has the same extent in the United Kingdom as the provision to which it relates.

Interpretation

2.  In these Regulations—

“the 2018 Act” means the Data Protection Act 2018;

“the UK GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018.

Amendment of the UK GDPR

3.  Schedule 1 amends the UK GDPR.

Amendment of the Data Protection Act 2018

4.  Schedule 2 amends the 2018 Act.

GDPR merger modifications

5.—(1) Schedules 1 and 2 include modifications (“the GDPR merger modifications”) that merge the provisions relating to the processing of personal data that, immediately before exit day, are found in the EU GDPR and the applied GDPR, read with the 2018 Act.

(2) Retained case law and retained general principles of EU law falling within paragraph (3) are not, by virtue of the GDPR merger modifications, to be treated as relevant to the UK GDPR or the 2018 Act as they apply to applied GDPR processing on and after exit day.

(3) Retained case law and retained general principles of EU law fall within this paragraph so far as they are, or are derived from, principles or decisions that are not relevant to any of the following immediately before exit day—

(a)the applied GDPR,

(b)the applied Chapter 2, or

(c)Parts 5 to 7 of the 2018 Act so far as they apply to applied GDPR processing,

having regard (among other things) to the limits of EU competence immediately before exit day.

(4) In this regulation—

“the applied Chapter 2” means Chapter 2 of Part 2 of the 2018 Act as applied by Chapter 3 of that Part immediately before exit day (see section 22 of that Act);

“the applied GDPR” means the EU GDPR as applied by Chapter 3 of Part 2 of the 2018 Act as it has effect immediately before exit day (see section 22 of that Act);

“applied GDPR processing” means the processing of personal data to which the applied GDPR applied immediately before exit day (see section 21 of the 2018 Act);

“the EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law immediately before exit day;

“retained case law” and “retained general principles of EU law” have the same meaning as in the European Union (Withdrawal) Act 2018 (see section 6(7) of that Act).

Consequential amendments of other legislation

6.  In Schedule 3—

(a)Part 1 revokes certain retained EU law;

(b)Part 2 contains amendments of primary legislation (as defined in section 211(7) of the 2018 Act) that are consequential on Schedules 1 and 2;

(c)Part 3 contains amendments of other legislation that are consequential on those Schedules;

(d)Part 4 contains modifications of legislation that are consequential on those Schedules;

(e)Part 5 contains supplementary provision.

Amendments consequential on provisions of the 2018 Act

7.  Schedule 4 contains amendments consequential on provisions of the 2018 Act.

Amendment of the Privacy and Electronic Communications Regulations 2003

8.—(1) Regulation 2 of the Privacy and Electronic Communications (EC Directive) Regulations 2003(4) is amended as follows.

(2) In paragraph (1), at the appropriate place, insert—

“consent” by a user or subscriber corresponds to the data subject’s consent in the GDPR (as defined in section 3(10) of the Data Protection Act 2018);(5).

(3) Omit paragraph (3).

We consent to the making of these Regulations

Paul Maynard

Jeremy Quin

Two of the Lords Commissioners of Her Majesty’s Treasury

27th February 2019

Margot James

Minister of State

Department for Digital, Culture, Media and Sport

28th February 2019

Regulation 3

SCHEDULE 1Amendments of the UK GDPR

Introduction

1.  The UK GDPR is amended as follows.

2.  In the title of the Regulation, for “, and repealing Directive 95/46/EC (General Data Protection Regulation)”(6) substitute “(United Kingdom General Data Protection Regulation)”.

Chapter 1 (general provisions)

3.  In Article 1, omit paragraph 3.

4.—(1) Article 2 is amended as follows.

(2) For paragraph 1 substitute—

1.  This Regulation applies to the automated or structured processing of personal data, including—

(a)processing in the course of an activity which, immediately before exit day, fell outside the scope of EU law, and

(b)processing in the course of an activity which, immediately before exit day, fell within the scope of Chapter 2 of Title 5 of the Treaty on European Union (common foreign and security policy activities).

1A.  This Regulation also applies to the manual unstructured processing of personal data held by an FOI public authority..

(3) For paragraph 2 substitute—

2.  This Regulation does not apply to—

(a)the processing of personal data by an individual in the course of a purely personal or household activity;

(b)the processing of personal data by a competent authority for any of the law enforcement purposes (see Part 3 of the 2018 Act);

(c)the processing of personal data to which Part 4 of the 2018 Act (intelligence services processing) applies..

(4) Omit paragraph 3.

(5) In paragraph 4, for “Directive 2000/31/EC”(7) to the end substitute “the Electronic Commerce (EC Directive) Regulations 2002(8), in particular the provisions about mere conduits, caching and hosting (see regulations 17 to 19 of those Regulations).”.

(6) After paragraph 4 insert—

5.  In this Article—

(a)‘the automated or structured processing of personal data’ means—

(i)the processing of personal data wholly or partly by automated means, and

(ii)the processing otherwise than by automated means of personal data which forms part of a filing system or is intended to form part of a filing system;

(b)‘the manual unstructured processing of personal data’ means the processing of personal data which is not the automated or structured processing of personal data;

(c)‘FOI public authority’ has the same meaning as in Chapter 3 of Part 2 of the 2018 Act (see section 21(5) of that Act);

(d)references to personal data ‘held’ by an FOI public authority are to be interpreted in accordance with section 21(6) and (7) of the 2018 Act;

(e)‘competent authority’ and ‘law enforcement purposes’ have the same meaning as in Part 3 of the 2018 Act (see sections 30 and 31 of that Act)..

5.—(1) Article 3 is amended as follows.

(2) In paragraph 1, for “the Union” (in both places) substitute “the United Kingdom”.

(3) In paragraph 2—

(a)before “processing” (in the first place) insert “relevant”;

(b)for “the Union” (in each place) substitute “the United Kingdom”.

(4) After paragraph 2 insert—

2A.  In paragraph 2, “relevant processing of personal data” means processing to which this Regulation applies, other than processing described in Article 2(1)(a) or (b) or (1A)..

(5) In paragraph 3—

(a)for “the Union” substitute “the United Kingdom”;

(b)for “Member State law” substitute “domestic law”.

6.—(1) Article 4 is amended as follows.

(2) Before paragraph (1) insert—

(A1) ‘the 2018 Act’ means the Data Protection Act 2018;

(A2) ‘domestic law’ means the law of the United Kingdom or of a part of the United Kingdom;

(A3) ‘the Commissioner’ means the Information Commissioner (see section 114 of the 2018 Act);.

(3) In paragraph (7), for “; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law” substitute “(but see section 6 of the 2018 Act)”.

(4) In paragraph (9), for “Union or Member State law” substitute “domestic law”.

(5) After paragraph (10) insert—

(10A) ‘public authority’ and ‘public body’ are to be interpreted in accordance with section 7 of the 2018 Act and provision made under that section;.

(6) Omit paragraph (16).

(7) In paragraph (17), for “the Union” substitute “the United Kingdom”.

(8) In paragraph (20), for “on the territory of a Member State” substitute “in the United Kingdom”.

(9) Omit paragraph (21).

(10) After paragraph (21) insert—

(21A) ‘foreign designated authority’ means an authority designated for the purposes of Article 13 of the Data Protection Convention (as defined in section 3 of the 2018 Act) by a party, other than the United Kingdom, which is bound by that Convention;.

(11) Omit paragraphs (22), (23) and (24).

(12) In paragraph (25), at the end insert “as it has effect immediately before exit day”.

(13) After paragraph (26) insert—

(27) ‘third country’ means a country or territory outside the United Kingdom;

(28) references to a fundamental right or fundamental freedom (however expressed) are to a fundamental right or fundamental freedom which continues to form part of domestic law on and after exit day by virtue of section 4 of the European Union (Withdrawal) Act 2018, as the right or freedom is amended or otherwise modified by domestic law from time to time on or after exit day..

Chapter 2 (principles)

7.—(1) Article 6 is amended as follows.

(2) Omit paragraph 2.

(3) In paragraph 3—

(a)in the first subparagraph, for points (a) and (b) (and the colon before them) substitute “domestic law”;

(b)in the second subparagraph, for “The Union or Member State law” substitute “The domestic law”.

(4) In paragraph 4—

(a)for “a Union or Member State law” substitute “domestic law”;

(b)after “safeguard” insert “national security, defence or any of”.

8.—(1) Article 8 is amended as follows.

(2) In paragraph 1—

(a)for “16 years old” substitute “13 years old”;

(b)for “of 16 years” substitute “of 13 years”;

(c)omit the second subparagraph.

(3) In paragraph 3, for “of Member States” substitute “as it operates in domestic law”.

(4) After paragraph 3 insert—

4.  In paragraph 1, the reference to information society services does not include preventive or counselling services..

9.—(1) Article 9 is amended as follows.

(2) In paragraph 2(a), for “Union or Member State law provide” substitute “domestic law provides”.

(3) In paragraph 2(b)—

(a)for “Union or Member State law” substitute “domestic law”;

(b)for “to Member State law” substitute “to domestic law”.

(4) In paragraph 2(g), for “Union or Member State law” substitute “domestic law”.

(5) In paragraph 2(h), for “Union or Member State law” substitute “domestic law”.

(6) In paragraph 2(i), for “Union or Member State law” substitute “domestic law”.

(7) paragraph 2(j)—

(a)after “Article 89(1)” insert “(as supplemented by section 19 of the 2018 Act)”;

(b)for “Union or Member State law” substitute “domestic law”.

(8) In paragraph 3, for “Union or Member State law” (in both places) substitute “domestic law”.

(9) After that paragraph insert—

3A.  In paragraph 3, ‘national competent bodies’ means competent bodies of the United Kingdom or a part of the United Kingdom..

(10) Omit paragraph 4.

(11) After that paragraph insert—

5.  In the 2018 Act—

(a)section 10 makes provision about when the requirement in paragraph 2(b), (g), (h), (i) or (j) of this Article for authorisation by, or a basis in, domestic law is met;

(b)section 11(1) makes provision about when the processing of personal data is carried out in circumstances described in paragraph 3 of this Article..

10.—(1) Article 10 is amended as follows.

(2) The existing text becomes paragraph 1.

(3) In that paragraph, for “Union or Member State law” substitute “domestic law”.

(4) After that paragraph insert—

2.  In the 2018 Act—

(a)section 10 makes provision about when the requirement in paragraph 1 of this Article for authorisation by domestic law is met;

(b)section 11(2) makes provision about the meaning of “personal data relating to criminal convictions and offences or related security measures”..

Chapter 3 (rights of the data subject)

11.—(1) Article 12 is amended as follows.

(2) In paragraph 4, for “a supervisory authority” substitute “the Commissioner”.

(3) After paragraph 6 insert—

6A.  The Commissioner may publish (and amend or withdraw)—

(a)standardised icons for use in combination with information provided to data subjects under Articles 13 and 14;

(b)a notice stating that other persons may publish (and amend or withdraw) such icons, provided that the icons satisfy requirements specified in the notice as to the information to be presented by the icons and the procedures for providing the icons.

6B.  The Commissioner must not publish icons or a notice under paragraph 6A unless satisfied (as appropriate) that the icons give a meaningful overview of the intended processing in an easily visible, intelligible and clearly legible manner or that the notice will result in icons that do so..

(4) In paragraph 7—

(a)for “The information” substitute “If standardised icons are published as described in paragraph 6A (and not withdrawn), the information”;

(b)for “standardised” to “processing” substitute “the icons”.

(5) Omit paragraph 8.

12.—(1) Article 13 is amended as follows.

(2) In paragraph 1(f), for “an adequacy decision by the Commission” substitute “relevant adequacy regulations under section 17A of the 2018 Act(9)”.

(3) In paragraph 2(d), for “a supervisory authority” substitute “the Commissioner”.

13.—(1) Article 14 is amended as follows.

(2) In paragraph 1(f), for “an adequacy decision by the Commission” substitute “relevant adequacy regulations under section 17A of the 2018 Act”.

(3) In paragraph 2(e), for “a supervisory authority” substitute “the Commissioner”.

(4) In paragraph 5(c), for “Union or Member State law to which the controller is subject and” substitute “a provision of domestic law”.

(5) In paragraph 5(d), for “Union or Member State law” substitute “domestic law”.

14.  In Article 15(1)(f), for “a supervisory authority” substitute “the Commissioner”.

15.—(1) Article 17 is amended as follows.

(2) In paragraph 1(e), for “in Union or Member State law to which the controller is subject” substitute “under domestic law”.

(3) In paragraph 3(b), for “by Union or Member State law to which the controller is subject” substitute “under domestic law”.

16.  In Article 18(2), omit “of the Union or of a Member State”.

17.  In Article 21(5)—

(a)omit “and notwithstanding Directive 2002/58/EC(10),”;

(b)at the end insert “, notwithstanding domestic law made before exit day implementing Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector”(11).

18.—(1) Article 22 is amended as follows.

(2) In paragraph 2(b), for “authorised by Union or Member State law to which the controller is subject and” substitute “required or authorised by domestic law”.

(3) After paragraph 3 insert—

3A.  Section 14 of the 2018 Act, and regulations under that section, make provision to safeguard data subjects’ rights, freedoms and legitimate interests in cases that fall within point (b) of paragraph 2 (but not within point (a) or (c) of that paragraph)..

19.—(1) Article 23 is amended as follows.

(2) In paragraph 1—

(a)for “Union or Member State law to which the data controller or processor is subject may restrict by way of legislative measure” substitute “The Secretary of State may restrict”;

(b)omit points (a) and (b);

(c)in point (e)—

(i)omit “of the Union or of a Member State” in the first place it occurs;

(ii)for “of the Union or of a Member State”, in the second place it occurs, substitute “of the United Kingdom”.

(3) In paragraph 2, for “any legislative measure referred to in” substitute “provision made in exercise of the power under”.

(4) After that paragraph insert—

3.  The Secretary of State may exercise the power under paragraph 1 only by making regulations under section 16 of the 2018 Act..

Chapter 4 (controller and processor)

20.  In Article 26(1), for “Union or Member State law to which the controllers are subject” substitute “domestic law”.

21.—(1) Article 27 is amended as follows.

(2) In the heading, for “the Union” substitute “the United Kingdom.

(3) In paragraph 1, for “the Union” substitute “the United Kingdom.

(4) Omit paragraph 3.

(5) In paragraph 4, for “supervisory authorities” substitute “the Commissioner”.

22.—(1) Article 28 is amended as follows.

(2) In paragraph 3—

(a)in the opening words, for “Union or Member State law” substitute “domestic law”;

(b)in point (a), for “Union or Member State law to which the processor is subject” substitute “domestic law”;

(c)in point (g), for “Union or Member State law” substitute “domestic law”;

(d)in the second subparagraph, for “other Union or Member State data protection provisions” substitute “other domestic law relating to data protection”.

(3) In paragraph 4, “for Union or Member State law” substitute “domestic law”.

(4) In paragraph 6, for “paragraphs 7 and 8” substitute “paragraph 8”.

(5) Omit paragraph 7.

(6) In paragraph 8—

(a)for “A supervisory authority” substitute “The Commissioner”;

(b)omit “and in accordance with the consistency mechanism referred to in Article 63”.

23.  In Article 29, for “Union or Member State law” substitute “domestic law”.

24.—(1) Article 30 is amended as follows.

(2) In paragraph 1(g), after “Article 32(1)” insert “or, as appropriate, the security measures referred to in section 28(3) of the 2018 Act”.

(3) In paragraph 2(d), after “Article 32(1)” insert “or, as appropriate, the security measures referred to in section 28(3) of the 2018 Act”.

(4) In paragraph 4, for “the supervisory authority” substitute “the Commissioner”.

25.—(1) Article 31 is amended as follows.

(2) In the heading, for “the supervisory authority” substitute “the Commissioner”.

(3) For “the supervisory authority in the performance of its tasks” substitute “the Commissioner in the performance of the Commissioner’s tasks”.

26.  In Article 32(4), for “Union or Member State law” substitute “domestic law”.

27.—(1) Article 33 is amended as follows.

(2) In the heading, for “the supervisory authority” substitute “the Commissioner”.

(3) In paragraph 1—

(a)for “the supervisory authority competent in accordance with Article 55” substitute “the Commissioner”;

(b)for “the notification to the supervisory authority” substitute “the notification under this paragraph”.

(4) In paragraph 5, for “the supervisory authority” substitute “the Commissioner”.

28.  In Article 34(4), for “the supervisory authority” substitute “the Commissioner”.

29.—(1) Article 35 is amended as follows.

(2) In paragraph 4—

(a)in the first sentence, for “The supervisory authority” substitute “The Commissioner”;

(b)omit the second sentence.

(3) In paragraph 5—

(a)in the first sentence, for “The supervisory authority” substitute “The Commissioner”;

(b)omit the second sentence.

(4) Omit paragraph 6.

(5) For paragraph 10 substitute—

10.  In the case of processing pursuant to point (c) or (e) of Article 6(1), paragraphs 1 to 7 of this Article do not apply if a data protection impact assessment has already been carried out for the processing as part of a general impact assessment required by domestic law, unless domestic law provides otherwise..

30.—(1) Article 36 is amended as follows.

(2) In paragraph 1, for “the supervisory authority” substitute “the Commissioner”.

(3) In paragraph 2—

(a)in the first sentence, for “the supervisory authority” (in both places) substitute “the Commissioner”;

(b)in the third sentence, for “The supervisory authority” substitute “The Commissioner”;

(c)in the last sentence, for “the supervisory authority has obtained information it” substitute “the Commissioner has obtained information the Commissioner”.

(4) In paragraph 3—

(a)in the opening words, for “the supervisory authority” (in both places) substitute “the Commissioner”;

(b)in point (f), for “the supervisory authority” substitute “the Commissioner”.

(5) In paragraph 4—

(a)for “Members States shall consult the supervisory authority” substitute “The relevant authority must consult the Commissioner”;

(b)for “a national parliament” substitute “Parliament, the National Assembly for Wales, the Scottish Parliament or the Northern Ireland Assembly”.

(6) After that paragraph insert—

4A.  In paragraph 4, “the relevant authority” means—

(a)in relation to a legislative measure adopted by Parliament, or a regulatory measure based on such a legislative measure, the Secretary of State;

(b)in relation to a legislative measure adopted by the National Assembly for Wales, or a regulatory measure based on such a legislative measure, the Welsh Ministers;

(c)in relation to a legislative measure adopted by the Scottish Parliament, or a regulatory measure based on such a legislative measure, the Scottish Ministers;

(d)in relation to a legislative measure adopted by the Northern Ireland Assembly, or a regulatory measure based on such a legislative measure, the relevant Northern Ireland department..

(7) Omit paragraph 5.

31.—(1) Article 37 is amended as follows.

(2) In paragraph 4, omit “or, where required by Union or Member State law shall,”.

(3) In paragraph 7, for “the supervisory authority” substitute “the Commissioner”.

32.  In Article 38(5), for “Union or Member State law” substitute “domestic law”.

33.—(1) Article 39 is amended as follows.

(2) In paragraph 1(a) and (b), for “other Union or Member State data protection provisions” substitute “other domestic law relating to data protection”.

(3) In paragraph 1(d) and (e), for “the supervisory authority” substitute “the Commissioner”.

34.—(1) Article 40 is amended as follows.

(2) In paragraph 1, for “The Member States, the supervisory authorities, the Board and the Commission” substitute “The Commissioner”.

(3) In paragraph 2(i), for “supervisory authorities” substitute “the Commissioner”.

(4) In paragraph 3, omit “and having general validity pursuant to paragraph 9 of this Article”.

(5) In paragraph 4, for “supervisory authorities competent pursuant to Article 55 or 56” substitute “the Commissioner”.

(6) In paragraph 5—

(a)for “the supervisory authority which is competent pursuant to Article 55. The supervisory authority” substitute “the Commissioner, who”;

(b)for “it finds” substitute “the Commissioner finds”.

(7) In paragraph 6, for “and where the code of conduct concerned does not relate to processing activities in several Member States, the supervisory authority” substitute “the Commissioner”.

(8) Omit paragraphs 7, 8, 9, 10 and 11.

35.—(1) Article 41 is amended as follows.

(2) In paragraph 1, for “the competent supervisory authority” (in both places) substitute “the Commissioner”.

(3) In paragraph 2(a) and (d), for “the competent supervisory authority” substitute “the Commissioner”.

(4) Omit paragraph 3.

(5) In paragraph 4, for “the competent supervisory authority” (in both places) substitute “the Commissioner”.

(6) In paragraph 5, for “The competent supervisory authority” substitute “The Commissioner”.

36.—(1) Article 42 is amended as follows.

(2) In paragraph 1—

(a)for “The Member States, the supervisory authorities, the Board and the Commission” substitute “The Commissioner”;

(b)omit “, in particular at Union level,”.

(3) In paragraph 4, for “the supervisory authorities which are competent pursuant to Article 55 or 56” substitute “the Commissioner”.

(4) In paragraph 5—

(a)for “the competent supervisory authority” substitute “the Commissioner”;

(b)for “that competent supervisory authority” substitute “the Commissioner”;

(c)omit “or by the Board pursuant to Article 63” and the second sentence.

(5) In paragraph 6, for “the competent supervisory authority” substitute “the Commissioner”.

(6) In paragraph 7, for “the competent supervisory authority” substitute “the Commissioner”.

(7) In paragraph 8, for “The Board” substitute “The Commissioner”.

37.—(1) Article 43 is amended as follows.

(2) In paragraph 1—

(a)in the opening words—

(i)for “the competent supervisory authority” substitute “the Commissioner”;

(ii)for “the supervisory authority” substitute “the Commissioner”;

(iii)for “Members States shall ensure that those certification bodies are” substitute “In accordance with section 17 of the 2018 Act, those certification bodies may only be”;

(b)for point (a) substitute—

(a)the Commissioner;;

(c)in point (b)—

(i)for “the national accreditation body” substitute “the UK national accreditation body”;

(ii)for “the supervisory authority which is competent pursuant to Article 55 or 56” substitute “the Commissioner”.

(3) In paragraph 2—

(a)in point (a), for “the competent supervisory authority” substitute “the Commissioner”;

(b)in point (b), for “the supervisory authority” to the end substitute “the Commissioner”;

(c)in point (e), for “the competent supervisory authority” substitute “the Commissioner”.

(4) In paragraph 3, for “the supervisory authority which is competent pursuant to Article 55 or 56 or by the Board pursuant to Article 63” substitute “the Commissioner”.

(5) In paragraph 5, for “the competent supervisory authorities” substitute “the Commissioner”.

(6) In paragraph 6—

(a)for “the supervisory authority” substitute “the Commissioner”;

(b)omit from “The supervisory authorities” to the end.

(7) In paragraph 7, for “the competent supervisory authority or the national accreditation body” substitute “the Commissioner or the UK national accreditation body”.

(8) Omit paragraphs 8 and 9.

Chapter 5 (transfers of personal data to third countries or international organisations)

38.—(1) Article 45 is amended as follows.

(2) In paragraph 1, for “where the Commission” to the end of the first sentence substitute “where it is based on adequacy regulations (see section 17A of the 2018 Act)”.

(3) In paragraph 2—

(a)for “, the Commission” substitute “for the purposes of sections 17A and 17B(12) of the 2018 Act, the Secretary of State”;

(b)in point (b), for “the supervisory authorities of the Member States” substitute “the Commissioner”.

(4) Omit paragraphs 3, 4, 5 and 6.

(5) In paragraph 7, for “A decision pursuant to paragraph 5 of this Article” substitute “The amendment or revocation of regulations under section 17A of the 2018 Act”.

(6) Omit paragraphs 8 and 9.

39.—(1) Article 46 is amended as follows.

(2) In paragraph 1, for “a decision pursuant to Article 45(3)” substitute “adequacy regulations under section 17A of the 2018 Act”.

(3) In paragraph 2—

(a)for “a supervisory authority” substitute “the Commissioner”;

(b)for paragraph (c) substitute—

(c)standard data protection clauses specified in regulations made by the Secretary of State under section 17C(13) of the 2018 Act and for the time being in force;;

(c)for paragraph (d) substitute—

(d)standard data protection clauses specified in a document issued (and not withdrawn) by the Commissioner under section 119A(14) of the 2018 Act and for the time being in force;.

(4) In paragraph 3, for “Subject to the authorisation from the competent supervisory authority” substitute “With authorisation from the Commissioner”.

(5) Omit paragraphs 4 and 5.

40.—(1) Article 47 is amended as follows.

(2) In paragraph 1—

(a)for “The competent supervisory authority” substitute “The Commissioner”;

(b)omit “in accordance with the consistency mechanism set out in Article 63”.

(3) In paragraph 2(e), for “the competent supervisory authority and before the competent courts of the Member States in accordance with Article 79” substitute “the Commissioner and before a court in accordance with Article 79 (see section 180 of the 2018 Act)”.

(4) In paragraph 2(f)—

(a)for “established on the territory of a Member State” substitute “established in the United Kingdom”;

(b)for “not established in the Union” substitute “not established in the United Kingdom”.

(5) In paragraph 2(j), for “the competent supervisory authority” substitute “the Commissioner”.

(6) In paragraph 2(k), for “the supervisory authority” substitute “the Commissioner”.

(7) In paragraph 2(l), for “the supervisory authority” (in both places) substitute “the Commissioner”.

(8) In paragraph 2(m), for “the competent supervisory authority” substitute “the Commissioner”.

(9) Omit paragraph 3.

41.  Omit Article 48.

42.—(1) Article 49 is amended as follows.

(2) In paragraph 1—

(a)in the opening words, for “an adequacy decision pursuant to Article 45(3)” substitute “adequacy regulations under section 17A of the 2018 Act”;

(b)in point (g), for “Union or Member State law” (in both places) substitute “domestic law”;

(c)in the second subparagraph, for “the supervisory authority” substitute “the Commissioner”.

(3) In paragraph 4, for “shall be recognised in Union law or in the law of the Member State to which the controller is subject” substitute “must be public interest that is recognised in domestic law (whether in regulations under section 18(1) of the 2018 Act or otherwise)”.

(4) Omit paragraph 5.

(5) After that paragraph insert—

5A.  This Article and Article 46 are subject to restrictions in regulations under section 18(2) of the 2018 Act..

43.  In Article 50, for “the Commission and supervisory authorities” substitute “the Commissioner”.

Chapter 6 (independent supervisory authorities)

44.  For the heading of Chapter 6 substitute “The Commissioner”.

45.—(1) Article 51 is amended as follows.

(2) For the heading, substitute “Monitoring the application of this Regulation”.

(3) In paragraph 1—

(a)for “Each Member State shall provide for one or more independent public authorities to be” substitute “The Commissioner is”;

(b)omit “within the Union (“supervisory authority”)”.

(4) Omit paragraphs 2, 3 and 4.

46.—(1) Article 52 is amended as follows.

(2) In paragraph 1—

(a)for “Each supervisory authority” substitute “The Commissioner”;

(b)omit “its” (in both places).

(3) In paragraph 2—

(a)for “The member or members of each supervisory authority” substitute “The Commissioner”;

(b)omit “their” (in both places).

(4) In paragraph 3—

(a)for “Member or members of each supervisory authority” substitute “The Commissioner”;

(b)for “their duties” substitute “the Commissioner’s duties”;

(c)for “during their term of office” substitute “while holding office”.

(5) Omit paragraphs 4, 5 and 6.

47.  Omit Article 53.

48.  Omit Article 54.

49.  In the heading of section 2 of Chapter 6, for “Competence, tasks” substitute “Tasks”.

50.  Omit Article 55.

51.  Omit Article 56.

52.—(1) Article 57 is amended as follows.

(2) In paragraph 1—

(a)for “each supervisory authority shall on its territory” substitute “the Commissioner must”;

(b)in point (c), for “, in accordance with Member State law, the national parliament” substitute “Parliament”;

(c)in point (e), for “the supervisory authorities in other Member States” substitute “foreign designated authorities”;

(d)in point (f), for “another supervisory authority” substitute “a foreign designated authority”;

(e)omit point (g);

(f)in point (h), for “another supervisory authority” substitute “a foreign designated authority”;

(g)in point (j), after “and” insert “issue standard data protection clauses referred to”;

(h)after point (o) insert—

(oa)maintain a public register of certification mechanisms and data protection seals and marks pursuant to Article 42(8) and of controllers or processors established in third countries and certified pursuant to Article 42(7);;

(i)omit point (t).

(3) In paragraph 2, for “Each supervisory authority” substitute “The Commissioner”.

(4) In paragraph 3, for “the tasks of each supervisory authority shall be” substitute “the Commissioner’s tasks is to be”.

(5) In paragraph 4, for “supervisory authority” (in both places) substitute “Commissioner”.

53.—(1) Article 58 is amended as follows.

(2) In paragraph 1—

(a)for “Each supervisory authority shall have” substitute “The Commissioner has”;

(b)in point (e), for “its” substitute “the Commissioner’s”;

(c)in point (f), for “Union or Member State procedural law” substitute “domestic law”.

(3) In paragraph 2, for “Each supervisory authority shall have” substitute “The Commissioner has”.

(4) In paragraph 3—

(a)for “Each supervisory authority shall have” substitute “The Commissioner has”;

(b)in point (b)—

(i)for “its” substitute “the Commissioner’s”;

(ii)for “the national parliament, the Member State government or, in accordance with Member State law, to” substitute “Parliament, the government or”;

(c)omit point (c)

(5) After paragraph 3 insert—

3A.  In the 2018 Act, section 115(4) to (9) provide that the Commissioner’s functions under this Article are subject to certain safeguards..

(6) Omit paragraphs 4, 5 and 6.

54.  In Article 59—

(a)for “Each supervisory authority” substitute “The Commissioner”;

(b)for “its” substitute “the Commissioner’s”;

(c)for the second sentence substitute “The Commissioner must arrange for those reports to be laid before Parliament and send a copy to the Secretary of State.”;

(d)omit “, to the Commission and to the Board”.

Chapter 7 (cooperation and consistency)

55.  Omit Articles 60 to 76 and the headings for, and for the sections of, Chapter 7.

Chapter 8 (remedies, liability and penalties)

56.—(1) Article 77 is amended as follows.

(2) In the heading, for “a supervisory authority” substitute “the Commissioner”.

(3) In paragraph 1, for “a supervisory authority, in particular in the Member State of his or her habitual residence, place of work or place of the alleged infringement” substitute “the Commissioner”.

(4) In paragraph 2, for “The supervisory authority with which the complaint has been lodged” substitute “The Commissioner”.

57.—(1) Article 78 is amended as follows.

(2) In the heading, for “a supervisory authority” substitute “the Commissioner”.

(3) In paragraph 1, for “a supervisory authority” substitute “the Commissioner”.

(4) In paragraph 2, for “the supervisory authority which is competent pursuant to Articles 55 and 56” substitute “the Commissioner”.

(5) Omit paragraph 3.

(6) Omit paragraph 4.

58.—(1) Article 79 is amended as follows.

(2) In paragraph 1, for “a supervisory authority” substitute “the Commissioner”.

(3) Omit paragraph 2.

59.—(1) Article 80 is amended as follows.

(2) In paragraph 1—

(a)for the words from “a not-for profit” to “their personal data” substitute “a body or other organisation which meets the conditions in section 187(3) and (4) of the 2018 Act”;

(b)omit “where provided for by Member State law”.

(3) In paragraph 2—

(a)for “Member States” substitute “The Secretary of State”;

(b)omit “, in that Member State,”;

(c)for “the supervisory authority which is competent pursuant to Article 77” substitute “the Commissioner”.

(4) After that paragraph insert—

3.  The Secretary of State may exercise the power under paragraph 2 of this Article only by making regulations under section 190 of the 2018 Act..

60.  Omit Article 81.

61.  In Article 82, omit paragraph 6.

62.—(1) Article 83 is amended as follows.

(2) In paragraph 1, for “Each supervisory authority” substitute “The Commissioner”.

(3) In paragraph 2—

(a)in point (f), for “the supervisory authority” substitute “the Commissioner”;

(b)in point (h), for “the supervisory authority” substitute “the Commissioner”.

(4) In paragraph 4, for “10 000 000 EUR” substitute “£8,700,000”.

(5) In paragraph 5—

(a)for “20 000 000 EUR” substitute “£17,500,000”;

(b)for point (d) substitute—

(d)any obligations under Part 5 or 6 of Schedule 2 to the 2018 Act or regulations made under section 16(1)(c) of the 2018 Act;;

(c)in point (e), for “the supervisory authority” substitute “the Commissioner”.

(6) In paragraph 6—

(a)for “the supervisory authority” substitute “the Commissioner”;

(b)for “20 000 000 EUR” substitute “£17,500,000”.

(7) Omit paragraphs 7, 8 and 9.

(8) After paragraph 9 insert—

10.  In the 2018 Act, section 115(9) makes provision about the exercise of the Commissioner’s functions under this Article..

63.  In Article 84, for paragraphs 1 and 2 substitute—

Part 6 of the 2018 Act makes further provision about penalties applicable to infringements of this Regulation..

Chapter 9 (provisions relating to specific processing situations)

64.—(1) Article 85 is amended as follows.

(2) Omit paragraph 1.

(3) In paragraph 2—

(a)for “Members States shall” substitute “the Secretary of State may”;

(b)for “independent supervisory authorities” substitute “the Commissioner”;

(c)omit “, Chapter VII (cooperation and consistency)”.

(4) After that paragraph insert—

2A.  The Secretary of State may exercise the power under paragraph 2 of this Article only by making regulations under section 16 of the 2018 Act..

(5) Omit paragraph 3.

65.—(1) Article 86 is amended as follows.

(2) The existing text becomes paragraph 1.

(3) In that paragraph, for “Union or Member State law” substitute “domestic law”.

(4) After that paragraph insert—

2.  Chapter 3 of Part 2 of the 2018 Act makes provision about the application of this Regulation to the manual unstructured processing of personal data held by an FOI public authority (as defined in Article 2)..

66.  After Article 86 insert—

Article 86A

Processing and national security and defence

Chapter 3 of Part 2 of the 2018 Act makes provision about the application of this Regulation where processing is carried out, or exemption from a provision of this Regulation is required, for the purposes of safeguarding national security or for defence purposes..

67.  Omit Article 87.

68.  Omit Article 88.

69.—(1) Article 89 is amended as follows.

(2) After paragraph 1 insert—

1A.  In the 2018 Act, section 19 makes provision about when the requirements in paragraph 1 are satisfied..

(3) Omit paragraphs 2, 3 and 4.

70.  Omit Article 90.

71.  Omit Article 91.

Chapter 10 (delegated acts and implementing acts)

72.  Omit Articles 92 and 93 and the heading for Chapter 10.

Chapter 11 (final provisions)

73.—(1) Article 94 is amended as follows.

(2) Omit paragraph 1.

(3) In paragraph 2—

(a)in the first sentence, for “the repealed Directive” substitute “Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (which ceased to have effect on 25th May 2018)”;

(b)in the second sentence, for “by this Regulation” substitute “by the EU GDPR (as defined in section 3 of the 2018 Act)”(15).

74.—(1) Article 95 is amended as follows.

(2) For “the Union” substitute “the United Kingdom”.

(3) For “Directive 2002/58/EC” substitute “domestic law made before exit day implementing Directive 2002/58/EC of the European Parliament and of the Council of 12th July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector”.

75.—(1) Article 96 is amended as follows.

(2) For “Member States” substitute “the United Kingdom or the Commissioner”.

(3) For “Union law” substitute “domestic law”.

76.  Omit Article 97.

77.  Omit Article 98.

78.  Omit Article 99.

79.  Omit the sentence following Article 99.

Supplementary

80.  It is not to be presumed, by virtue of the revocation of a provision by this Schedule, that the provision was applicable to the United Kingdom immediately before exit day (and so would, but for this Schedule, be part of the UK GDPR).

Regulation 4

SCHEDULE 2Amendments of the Data Protection Act 2018

Introduction

1.  The Data Protection Act 2018 is amended as follows.

Part 1 (preliminary)

2.—(1) Section 1 is amended as follows.

(2) In subsection (2), for “GDPR” substitute “UK GDPR”.

(3) In subsection (3), for “GDPR” to the end substitute “UK GDPR”.

(4) In subsection (4), omit “and implements the Law Enforcement Directive”.

3.  In section 2(1) and (2), for “GDPR, the applied GDPR” substitute “UK GDPR”.

4.—(1) Section 3 is amended as follows.

(2) In subsection (6), omit “Chapter 2 or 3 of” and “Chapter or”.

(3) In subsection (9)—

(a)for paragraph (a) substitute—

(a)the UK GDPR,;

(b)omit paragraph (b);

(c)in paragraph (e), for “the GDPR” substitute “the EU GDPR”.

(4) In subsection (10)—

(a)for “The GDPR” substitute “The UK GDPR”;

(b)for “(General Data Protection Regulation)” substitute “(United Kingdom General Data Protection Regulation), as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 (and see section 205(4)(16))”.

(5) After subsection (10) insert—

(10A) “The EU GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation) as it has effect in EU law..

(6) Omit subsection (11).

(7) In subsection (14)—

(a)for paragraph (a) substitute—

(a)references to the UK GDPR are to the UK GDPR read with Part 2;;

(b)omit paragraph (b);

(c)in paragraphs (c) and (d), omit “Chapter 2 or 3 of”.

Part 2 (general processing) (other than Schedules 1 to 6)

5.—(1) Section 4 is amended as follows.

(2) In subsection (2)—

(a)for “Chapter 2 of this Part” substitute “This Part”;

(b)for “GDPR” (in each place) substitute “UK GDPR”.

(3) Omit subsection (3).

6.—(1) Section 5 is amended as follows.

(2) In subsection (1)—

(a)omit “Chapter 2 of”;

(b)for “GDPR” (in both places) substitute “UK GDPR”;

(c)for “Chapter 2 as” substitute “this Part as”.

(3) In subsection (2)—

(a)for “GDPR” (in each place) substitute “UK GDPR”;

(b)for “Chapter 2” substitute “this Part”.

(4) In subsection (3), for “Chapter 2” substitute “this Part”.

(5) Omit subsections (4), (5) and (6).

(6) In subsection (7)—

(a)omit “Chapter 2 or Chapter 3 of”;

(b)for “the Chapter” substitute “this Part”.

7.  For the heading of Chapter 2 substitute “The UK GDPR”.

8.  In the italic heading before section 6, for “GDPR” substitute “UK GDPR”.

9.  In section 6(1) and (2), for “GDPR” substitute “UK GDPR”.

10.—(1) Section 7 is amended as follows.

(2) In subsection (1)—

(a)for “GDPR” substitute “UK GDPR”;

(b)omit “under the law of the United Kingdom”.

(3) In subsections (2) and (4), for “GDPR” substitute “UK GDPR”.

11.  In section 8, for “GDPR” substitute “UK GDPR”.

12.  Omit section 9.

13.—(1) Section 10 is amended as follows.

(2) In subsections (1), (2) and (3), for “GDPR” substitute “UK GDPR”.

(3) In subsection (5), for “10 of the GDPR” substitute “10(1) of the UK GDPR”.

14.  In section 11, in subsection (1) (in both places) and in subsection (2), for “GDPR” substitute “UK GDPR”.

15.  In section 12(1)(a) and (b), for “GDPR” substitute “UK GDPR”.

16.  In section 13(2) and (3), for “GDPR” substitute “UK GDPR”.

17.—(1) Section 14 is amended as follows.

(2) In subsection (1)—

(a)for “GDPR” (in both places) substitute “UK GDPR”;

(b)for “authorised by law” substitute “required or authorised under the law of the United Kingdom or a part of the United Kingdom”.

(3) In subsections (3)(c), (5) and (6) (in both places), for “GDPR” substitute “UK GDPR”.

18.  For the italic heading before section 15 substitute “Exemptions etc”.

19.—(1) Section 15 is amended as follows.

(2) In subsection (1), for “GDPR” substitute “UK GDPR”.

(3) In subsection (2)(a)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(4) In subsection (2)(b)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(5) In subsection (2)(c)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(6) In subsection (2)(d)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(7) In subsection (2)(e)—

(a)for “, V and VII of the GDPR” substitute “and V of the UK GDPR”;

(b)for “, as allowed for by Article 85(2) of the GDPR” substitute “(of a kind described in Article 85(2) of the UK GDPR)”.

(8) In subsection (2)(f)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)omit “, as allowed for by Article 89(2) and (3) of the GDPR”.

(9) In subsection (3)—

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(10) In subsection (4) —

(a)for “GDPR” (in the first place) substitute “UK GDPR”;

(b)for “, as allowed for by” substitute “(of a kind described in”;

(c)for “GDPR” (in the second place) substitute “UK GDPR)”.

(11) After subsection (4) insert—

(4A) In connection with the manual unstructured processing of personal data held by an FOI public authority, see Chapter 3 of this Part (sections 21, 24 and 25)..

(12) In subsection (5), for “and the exemption in section 26” substitute “(sections 26 to 28)”.

20.—(1) Section 16 is amended as follows.

(2) In subsection (1)—

(a)in the opening words, for “GDPR” substitute “UK GDPR”;

(b)in paragraph (a)—

(i)omit “for Member State law”;

(ii)for “GDPR” substitute “UK GDPR”;

(c)in paragraph (b), for “a legislative measure” substitute “provision”;

(d)in paragraph (c), for “GDPR” substitute “UK GDPR”.

(3) In subsection (2)—

(a)omit “and” at the end of paragraph (a)(ii);

(b)after paragraph (b) insert—

, and

(c)consequentially amend the UK GDPR by adding, varying or omitting a reference to section 15, Schedule 2, 3 or 4, this section or regulations under this section..

21.  For the italic heading before section 17 substitute “Certification”.

22.—(1) Section 17 is amended as follows.

(2) In subsection (1)(b), for “national accreditation body” substitute “UK national accreditation body”.

(3) In subsection (3), for “national accreditation body” substitute “UK national accreditation body”.

(4) In subsection (6)—

(a)for “national accreditation body” substitute “UK national accreditation body”;

(b)for “GDPR” substitute “UK GDPR”.

(5) In subsection (7)—

(a)for “national accreditation body” substitute “UK national accreditation body”;

(b)for “GDPR” substitute “UK GDPR”.

(6) In subsection (8)—

(a)for “GDPR” substitute “UK GDPR”;

(b)for “national accreditation body” (in both places) substitute “UK national accreditation body”.

23.  Before section 18 (but after the italic heading before it) insert—

17A    Transfers based on adequacy regulations

(1) The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—

(a)a third country,

(b)a territory or one or more sectors within a third country,

(c)an international organisation, or

(d)a description of such a country, territory, sector or organisation.

(2) For the purposes of the UK GDPR and this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, or

(b)in the case of an international organisation, the organisation.

(3) Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).

(4) Article 45(2) of the UK GDPR makes provision about the assessment of the adequacy of the level of protection for the purposes of this section and section 17B.

(5) Regulations under this section—

(a)where they relate to a third country, must specify their territorial and sectoral application;

(b)where applicable, must specify the independent supervisory authority or authorities referred to in Article 45(2)(b) of the UK GDPR.

(6) Regulations under this section may, among other things—

(a)provide that in relation to a country, territory, sector, organisation or transfer specified, or falling within a description specified, in the regulations, section 17B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;

(b)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(c)confer a discretion on a person.

(7) Regulations under this section are subject to the negative resolution procedure.

17B    Transfers based on adequacy regulations: review etc

(1) For so long as regulations under section 17A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.

(2) Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.

(3) The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 17A or to amend or revoke such regulations.

(4) Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 17A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

(5) Where regulations under section 17A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.

(6) The Secretary of State must publish—

(a)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 17A, and

(b)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.

(7) In the case of regulations under section 17A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—

(a)the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and

(b)the lists published under subsection (6) must specify or describe the relevant transfers.

17C    Standard data protection clauses

(1) The Secretary of State may by regulations specify standard data protection clauses which the Secretary of State considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 119A).

(2) The Secretary of State must keep under review the standard data protection clauses specified in regulations under this section that are for the time being in force.

(3) Regulations under this section are subject to the negative resolution procedure..

24.—(1) Section 18 is amended as follows.

(2) In the heading, at the end insert “: public interest”.

(3) In subsection (1), for “GDPR” substitute “UK GDPR”.

(4) In subsection (2), for paragraph (a) (but not the final “and”) substitute—

(a)the transfer cannot take place based on adequacy regulations (see section 17A),.

25.  In section 19(2), for “GDPR” substitute “UK GDPR”.

26.  In section 20—

(a)for “this Chapter” (in both places) substitute “this Part”;

(b)for “GDPR” substitute “UK GDPR”.

27.  For the heading of Chapter 3 substitute “Exemptions for manual unstructured processing and for national security and defence purposes”.

28.  For the italic heading before section 21 substitute “Definitions”.

29.—(1) Section 21 is amended as follows.

(2) For the heading substitute “Definitions”.

(3) Omit subsections (1), (2), (3) and (4).

30.  Omit section 22 and the italic heading before it.

31.  Omit section 23.

32.—(1) Section 24 is amended as follows.

(2) In subsection (1)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”;

(c)for “section 21(2)” substitute “Article 2(1A)”.

(3) In subsection (2)—

(a)in paragraphs (a), (b) and (c), for “the applied GDPR” substitute “the UK GDPR”;

(b)after paragraph (c) insert—

(ca)in Part 2 of this Act, sections 17A, 17B and 17C (transfers to third countries);

(cb)in Part 5 of this Act, section 119A (standard clauses for transfers to third countries);;

(c)for paragraph (d) substitute—

(d)in Part 7 of this Act, sections 170 and 171 (offences relating to personal data)..

(4) In subsection (3)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”;

(c)for “section 21(2)” substitute “Article 2(1A)”.

(5) In subsection (5)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”;

(c)for “section 21(2)” substitute “Article 2(1A)”;

(d)in paragraph (a), for “that Article” substitute “Article 15”.

33.—(1) Section 25 is amended as follows.

(2) In subsection (1)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”;

(c)for “section 21(2)” substitute “Article 2(1A)”.

(3) In subsection (2)(a) and (b), omit “of the applied GDPR”.

34.—(1) Section 26 is amended as follows.

(2) In subsection (1)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”.

(3) In subsection (2)—

(a)in paragraphs (a), (b), (c) and (d), for “the applied GDPR” substitute “the UK GDPR”;

(b)in paragraph (e), for “the applied GDPR” (in both places) substitute “the UK GDPR”;

(c)in paragraph (f), for “the applied GDPR” substitute “the UK GDPR”;

(d)after paragraph (f) insert—

(fa)in Part 2 of this Act, sections 17A, 17B and 17C (transfers to third countries);;

(e)in paragraph (g)—

(i)in sub-paragraph (ii), for “the applied GDPR” substitute “the UK GDPR”;

(ii)after sub-paragraph (iii) insert—

(iv)section 119A (standard clauses for transfers to third countries);.

35.  In section 27(5), for “the applied GDPR” substitute “the UK GDPR”.

36.—(1) Section 28 is amended as follows.

(2) In the heading, for “applied GDPR” substitute “UK GDPR”.

(3) In subsections (1) and (2)—

(a)for “the applied GDPR” substitute “the UK GDPR”;

(b)for “this Chapter” substitute “the UK GDPR”.

(4) In subsection (3), for “the applied GDPR” substitute “the UK GDPR”.

(5) After subsection (4) insert—

(5) The functions conferred on the Commissioner in relation to the UK GDPR by Articles 57(1)(a), (d), (e), (h) and (u) and 58(1)(d) and (2)(a) to (d) of the UK GDPR (which are subject to safeguards set out in section 115) include functions in relation to subsection (3)..

Part 3 (law enforcement processing) (other than Schedules 7 and 8)

37.  In section 33(7), for “other than a member State” substitute “outside the United Kingdom”.

38.  In section 48, omit subsection (8).

39.  In section 67, omit subsection (8).

40.—(1) Section 73 is amended as follows.

(2) In subsection (1)(b), omit “other than the United Kingdom”.

(3) In subsection (3)—

(a)in paragraph (a) for “an adequacy decision (see section 74)” substitute “adequacy regulations (see section 74A)”;

(b)in paragraphs (b) and (c), for “an adequacy decision” substitute “adequacy regulations”.

(4) In subsection (5)(a), omit “a member State or”.

41.  Omit section 74.

42.  After section 74 insert—

74A    Transfers based on adequacy regulations

(1) The Secretary of State may by regulations specify any of the following which the Secretary of State considers ensures an adequate level of protection of personal data—

(a)a third country,

(b)a territory or one or more sectors within a third country,

(c)an international organisation, or

(d)a description of such a country, territory, sector or organisation.

(2) For the purposes of this Part of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, regulations made under this section are in force which specify, or specify a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, and

(b)in the case of an international organisation, the organisation,

and such a transfer does not require specific authorisation.

(3) Regulations under this section may specify that the Secretary of State considers that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations and, if they do so, only such a transfer may rely on those regulations for the purposes of subsection (2).

(4) When assessing the adequacy of the level of protection for the purposes of this section or section 74B, the Secretary of State must, in particular, take account of—

(a)the rule of law, respect for human rights and fundamental freedoms, relevant legislation, both general and sectoral, including concerning public security, defence, national security and criminal law and the access of public authorities to personal data, as well as the implementation of such legislation, data protection rules, professional rules and security measures, including rules for the onward transfer of personal data to another third country or international organisation, which are complied with in that country or international organisation, case-law, as well as effective and enforceable data subject rights and effective administrative and judicial redress for the data subjects whose personal data is transferred,

(b)the existence and effective functioning of one or more independent supervisory authorities in the third country or to which an international organisation is subject, with responsibility for ensuring and enforcing compliance with data protection rules, including adequate enforcement powers, for assisting and advising data subjects in exercising their rights and for cooperation with the Commissioner, and

(c)the international commitments the third country or international organisation concerned has entered into, or other obligations arising from legally binding conventions or instruments as well as from its participation in multilateral or regional systems, in particular in relation to the protection of personal data.

(5) Regulations under this section—

(a)where they relate to a third country, must specify their territorial and sectoral application;

(b)where applicable, must specify the independent supervisory authority or authorities referred to in subsection (4)(b).

(6) Regulations under this section may, among other things—

(a)provide that, in relation to a country, territory, sector, organisation or territory specified, or falling within a description specified, in the regulations, section 74B(1) has effect as if it required the reviews described there to be carried out at such shorter intervals as are specified in the regulations;

(b)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(c)confer a discretion on a person.

(7) Regulations under this section are subject to the negative resolution procedure.

74B    Transfers based on adequacy regulations: review etc

(1) For so long as regulations under section 74A are in force which specify, or specify a description which includes, a third country, a territory or sector within a third country or an international organisation, the Secretary of State must carry out a review of whether the country, territory, sector or organisation ensures an adequate level of protection of personal data at intervals of not more than 4 years.

(2) Each review under subsection (1) must take into account all relevant developments in the third country or international organisation.

(3) The Secretary of State must, on an ongoing basis, monitor developments in third countries and international organisations that could affect decisions to make regulations under section 74A or to amend or revoke such regulations.

(4) Where the Secretary of State becomes aware that a country, territory, sector or organisation specified, or falling within a description specified, in regulations under section 74A no longer ensures an adequate level of protection of personal data, whether as a result of a review under this section or otherwise, the Secretary of State must, to the extent necessary, amend or revoke the regulations.

(5) Where regulations under section 74A are amended or revoked in accordance with subsection (4), the Secretary of State must enter into consultations with the third country or international organisation concerned with a view to remedying the lack of an adequate level of protection.

(6) The Secretary of State must publish—

(a)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which are for the time being specified in regulations under section 74A, and

(b)a list of the third countries, territories and specified sectors within a third country and international organisations, and the descriptions of such countries, territories, sectors and organisations, which have been but are no longer specified in such regulations.

(7) In the case of regulations under section 74A which specify that an adequate level of protection of personal data is ensured only for a transfer specified or described in the regulations—

(a)the duty under subsection (1) is only to carry out a review of the level of protection ensured for such a transfer, and

(b)the lists published under subsection (6) must specify or describe the relevant transfers..

43.  In section 76(1)(c), omit “a member State or”.

44.  Section 77(8), for “member States” substitute “the United Kingdom”.

45.—(1) Section 78 is amended as follows.

(2) In subsection (4), omit “other than the United Kingdom”.

(3) In subsection (5)(a), omit “a member State or”.

46.—(1) Section 80 is amended as follows.

(2) In subsection (1), for “an EU recipient or a non-EU recipient” substitute “a non-UK recipient”.

(3) In subsection (2)—

(a)omit the definition of “EU recipient”;

(b)for “non-EU recipient” substitute “non-UK recipient”.

(4) In subsection (4), for “the EU recipient or non-EU recipient” substitute “the non-UK recipient”.

(5) Omit subsections (5), (6) and (7).

Part 5 (Information Commissioner) (other than Schedules 12 to 14)

47.—(1) Section 115 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) Omit subsection (1).

(4) In subsection (2)—

(a)in paragraphs (a) and (b), for “GDPR” substitute “UK GDPR”;

(b)after “section 2” insert “and section 28(5)”.

(5) In subsections (3) and (4), for “GDPR” substitute “UK GDPR”.

(6) In subsection (5), for “GDPR” (in both places) substitute “UK GDPR”.

(7) In subsection (6), for “GDPR” substitute “UK GDPR”.

(8) In subsection (7), for “GDPR” (in both places) substitute “UK GDPR”.

(9) In subsection (8)(a) and (b), for “GDPR” substitute “UK GDPR”.

(10) In subsections (9) and (10), for “GDPR” substitute “UK GDPR”.

48.—(1) Section 116 is amended as follows.

(2) Before subsection (1) insert—

(A1) The Commissioner is responsible for monitoring the application of Part 3 of this Act, in order to protect the fundamental rights and freedoms of individuals in relation to processing by a competent authority for any of the law enforcement purposes (as defined in Part 3) and to facilitate the free flow of personal data..

(3) In subsection (1), omit paragraph (a) (including the final “and”).

(4) In subsection (2), for “GDPR” substitute “UK GDPR”.

49.—(1) Section 117 is amended as follows.

(2) After “this Act” insert “or the UK GDPR”.

(3) Omit “(and see also Article 55(3) of the GDPR)” (and the comma before those words).

50.—(1) Section 118 is amended as follows.

(2) For the heading substitute “Co-operation between parties to the Data Protection Convention”.

(3) Omit subsections (1), (2), (3) and (4).

51.  After section 119 insert—

119A    Standard clauses for transfers to third countries etc

(1) The Commissioner may issue a document specifying standard data protection clauses which the Commissioner considers provide appropriate safeguards for the purposes of transfers of personal data to a third country or an international organisation in reliance on Article 46 of the UK GDPR (and see also section 17C).

(2) The Commissioner may issue a document that amends or withdraws a document issued under subsection (1).

(3) A document issued under this section—

(a)must specify when it comes into force,

(b)may make different provision for different purposes, and

(c)may include transitional provision or savings.

(4) Before issuing a document under this section, the Commissioner must consult the Secretary of State and such of the following as the Commissioner considers appropriate—

(a)trade associations;

(b)data subjects;

(c)persons who appear to the Commissioner to represent the interests of data subjects.

(5) After a document is issued under this section—

(a)the Commissioner must send a copy to the Secretary of State, and

(b)the Secretary of State must lay it before Parliament.

(6) If, within the 40-day period, either House of Parliament resolves not to approve the document then, with effect from the end of the day on which the resolution is passed, the document is to be treated as not having been issued under this section (so that the document, and any amendment or withdrawal made by the document, is to be disregarded for the purposes of Article 46(2)(d) of the UK GDPR).

(7) Nothing in subsection (6)—

(a)affects any transfer of personal data previously made in reliance on the document, or

(b)prevents a further document being laid before Parliament.

(8) The Commissioner must publish—

(a)a document issued under this section, and

(b)a notice identifying any document which, under subsection (6), is treated as not having been issued under this section.

(9) The Commissioner must keep under review the clauses specified in a document issued under this section for the time being in force.

(10) In this section, “the 40-day period” means—

(a)if the document is laid before both Houses of Parliament on the same day, the period of 40 days beginning with that day, or

(b)if the document is laid before the Houses of Parliament on different days, the period of 40 days beginning with the later of those days.

(11) In calculating the 40-day period, no account is to be taken of any period during which Parliament is dissolved or prorogued or during which both Houses of Parliament are adjourned for more than 4 days.

(12) In this section, “trade association” includes a body representing controllers or processors..

52.—(1) Section 120 is amended as follows.

(2) In subsection (2), for “GDPR” (in each place) substitute “UK GDPR”.

(3) After subsection (2) insert—

(2A) The Commissioner may contribute to the activities of international organisations with data protection functions..

(4) In subsection (6), in the definition of “third country”, for “that is not a member State” substitute “outside the United Kingdom”.

53.  In section 123(7), for “GDPR” (in both places) substitute “UK GDPR”.

54.  In section 129(1), for “GDPR” substitute “UK GDPR”.

55.  In section 132(2), omit paragraph (d).

56.  In section 135(4), for “GDPR” substitute “UK GDPR”.

57.  In section 136(1)(b), for “GDPR” substitute “UK GDPR”.

58.  In section 139(2), for “GDPR” substitute “UK GDPR”.

Part 6 (enforcement) (other than Schedules 15 to 17)

59.  In section 142(9)—

(a)for “GDPR” (in both places) substitute “UK GDPR”;

(b)for “the European Union” substitute “the United Kingdom”.

60.  In section 143(9), for “GDPR” substitute “UK GDPR”.

61.  In section 149(2)(a), (b), (c) and (e), (3) and (4)(b) and (c), for “GDPR” substitute “UK GDPR”.

62.  In section 151(1)(b) and (8)(a), for “GDPR” substitute “UK GDPR”.

63.  In section 155(2)(a), for “GDPR” (in both places) substitute “UK GDPR”.

64.—(1) Section 157 is amended as follows.

(2) In subsection (1), for “GDPR” (in both places) substitute “UK GDPR”;

(3) In subsection (2)(a), omit “74,”.

(4) In subsection (5), for “20 million Euros” (in both places) substitute “£17,500,000”.

(5) In subsection (6), for “10 million Euros” (in both places) substitute “£8,700,000”.

(6) Omit subsection (7).

65.  In section 159(1) and (2), for “GDPR” substitute “UK GDPR”.

66.—(1) Section 165 is amended as follows.

(2) In subsection (1), for “GDPR” (in both places) substitute “UK GDPR”.

(3) In subsection (5)(b), for “another supervisory authority or” substitute “a”.

(4) Omit subsection (6).

(5) In subsection (7), omit the definition of “supervisory authority”.

67.  In section 166(1), for “GDPR” substitute “UK GDPR”.

68.  In section 167(4), for “GDPR” substitute “UK GDPR”.

69.—(1) Section 168 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) In subsections (1) and (2), for “GDPR” substitute “UK GDPR”.

70.  In section 169(1), for “GDPR” substitute “UK GDPR”.

71.  In section 170(7), for “GDPR” substitute “UK GDPR”.

72.  In section 171(8)(a), for “GDPR” substitute “UK GDPR”.

73.  In section 173(2)(a) and (b), for “GDPR” substitute “UK GDPR”.

74.  In section 174(2)(a) and (b), for “GDPR” substitute “UK GDPR”.

75.  In section 180(2)(d) and (e), for “GDPR” substitute “UK GDPR”.

76.  In section 181, in the definition of “representative”, for “GDPR” (in both places) substitute “UK GDPR”.

Part 7 (supplementary and final provision) (other than Schedules 18 to 20)

77.  In section 182(3), omit paragraph (a).

78.—(1) Section 183 is amended as follows.

(2) In subsection (2)(d), for “processing of personal data to which Chapter 3 of Part 2 or Part 4 of this Act applies” substitute “relevant processing of personal data”.

(3) After subsection (2) insert—

(2A) In subsection (2)(d), “relevant processing of personal data” means—

(a)processing of personal data described in Article 2(1)(a) or (b) or (1A) of the UK GDPR, and

(b)processing of personal data to which Part 4 of this Act applies..

79.  In section 185(4)(a) and (b), for “GDPR” substitute “UK GDPR”.

80.—(1) Section 186 is amended as follows.

(2) In subsection (2)(a), for “GDPR” substitute “UK GDPR”.

(3) In subsection (3)(b), omit “23,”.

81.—(1) Section 187 is amended as follows.

(2) In subsection (1), in the opening words, for “GDPR applies” insert “UK GDPR applies, Article 80(1) of the UK GDPR (representation of data subjects)”.

(3) In subsection (1)(a)—

(a)omit “Article 80(1) of the GDPR (representation of data subjects)”;

(b)for “that Article” substitute “subsections (3) and (4)”;

(c)for “GDPR” (in the second place) substitute “UK GDPR”.

(4) In subsection (1)(b)—

(a)for “a data subject may also authorise” substitute “also authorises”;

(b)for “GDPR” substitute “UK GDPR”.

(5) In subsection (2)—

(a)for “GDPR” substitute “UK GDPR”;

(b)in paragraph (a), for “, (4)(d) and (6)(c)” substitute “and (4)(d)”.

(6) In subsection (5), for “GDPR” substitute “UK GDPR”.

82.  In section 188(2), for “GDPR” substitute “UK GDPR”.

83.—(1) Section 189 is amended as follows.

(2) In subsection (2), for “GDPR” (in each place) substitute “UK GDPR”.

(3) In subsection (4)(c) and (d), for “GDPR” substitute “UK GDPR”.

84.  In section 190(1), for “GDPR” (in each place) substitute “UK GDPR”.

85.—(1) Section 205 is amended as follows.

(2) In subsection (1), in the definition of “enactment”—

(a)omit “and” at the end of paragraph (d);

(b)after paragraph (e) insert—

and

(f)any retained direct EU legislation;.

(3) In subsection (1), in the definition of “international obligation of the United Kingdom”, omit paragraph (a).

(4) After subsection (1) insert—

(1A) In this Act, references to a fundamental right or fundamental freedom (however expressed) are to a fundamental right or fundamental freedom which continues to form part of domestic law on and after exit day by virtue of section 4 of the European Union (Withdrawal) Act 2018, as the right or freedom is amended or otherwise modified by the law of the United Kingdom, or of a part of the United Kingdom, from time to time on or after exit day..

(5) In subsection (2)—

(a)before paragraph (a) insert—

(za)section 119A(10) and (11);;

(b)omit “Chapter 2 or 3 of”.

(6) Omit subsection (3).

(7) After subsection (3) insert—

(4) In the definition of “the UK GDPR” in section 3(10)—

(a)the reference to Regulation (EU) 2016/679 as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 is to be treated as a reference to that Regulation as modified by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the 2019 Regulations”), but

(b)nothing in the definition or in paragraph (a) determines whether, where Regulation (EU) 2016/679 is modified on or after exit day by the law of England and Wales, Scotland or Northern Ireland (other than by Schedule 1 to the 2019 Regulations), the reference to Regulation (EU) 2016/679 is then to be read as a reference to that Regulation as modified.

(5) Subsection (4) is not to be read as implying anything about how other references to Regulation (EU) 2016/679 or references to other retained EU law are to be interpreted..

86.—(1) The Table in section 206 is amended as follows.

(2) Omit the entries for “the applied Chapter 2” and “the applied GDPR”.

(3) After the entry for “enforcement notice” insert—

the EU GDPRsection 3.

(4) Omit the entry for “the GDPR”.

(5) In the entries for “public authority” and “public body”, for “GDPR” substitute “UK GDPR”.

(6) At the end insert—

the UK GDPRsection 3.

87.—(1) Section 207 is amended as follows.

(2) In subsection (1), for “(2) and (3)” substitute “(1A) and (2)”.

(3) After subsection (1) insert—

(1A) In the case of the processing of personal data to which Part 2 (the UK GDPR) applies, it applies to the types of such processing to which the UK GDPR applies by virtue of Article 3 of the UK GDPR..

(4) In subsection (2), for “It applies to the processing of personal data” substitute “In the case of the processing of personal data to which Part 2 does not apply, it applies where such processing is carried out”.

(5) Omit subsection (3).

(6) In subsection (4), for “Subsections (1) to (3)” substitute “Subsections (1), (1A) and (2)”.

(7) Omit subsection (6).

(8) In subsection (7), omit the words after paragraph (d).

88.  In section 209(2), (3) and (4), for “GDPR” substitute “UK GDPR”.

89.  In section 210(2) and (3), for “GDPR” substitute “UK GDPR”.

90.—(1) Section 213 is amended as follows.

(2) In subsection (2), for “GDPR” substitute “EU GDPR”.

(3) At the end insert—

(4) Schedule 21 contains further transitional, transitory and saving provision made in connection with the amendment of this Act and the UK GDPR by regulations under section 8 of the European Union (Withdrawal) Act 2018..

Schedules

91.—(1) Schedule 1 is amended as follows.

(2) In paragraph 2(3), for “GDPR” substitute “UK GDPR”.

(3) In paragraph 4(b), for “GDPR” substitute “UK GDPR”.

(4) In paragraph 39(a), for “GDPR” substitute “UK GDPR”.

(5) In paragraph 41, for “GDPR” (in both places) substitute “UK GDPR”.

92.—(1) Schedule 2 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) In the heading of Part 1, for “based on” substitute “as described in”.

(4) In the italic heading before paragraph 1, for “GDPR” (in the first place) substitute “UK GDPR”.

(5) In paragraph 1—

(a)in sub-paragraph (a), for “GDPR” (in both places) substitute “UK GDPR”;

(b)in sub-paragraph (b), for “GDPR” (in both places) substitute “UK GDPR”.

(6) In paragraph 2—

(a)in sub-paragraph (1), for “GDPR” (in the second place) substitute “UK GDPR”;

(b)in sub-paragraph (3), for “GDPR” substitute “UK GDPR”.

(7) In paragraph 3—

(a)in sub-paragraph (1), for “GDPR” substitute “UK GDPR”;

(b)in sub-paragraph (3), for “GDPR” (in each place) substitute “UK GDPR”.

(8) In paragraph 4—

(a)in sub-paragraph (1), for “GDPR” substitute “UK GDPR”;

(b)in sub-paragraph (2), in the opening words (but not the words following paragraph (g)), for “GDPR” (in each place) substitute “UK GDPR”;

(c)in sub-paragraph (4), for “GDPR” substitute “UK GDPR”.

(9) In the heading of Part 2, for “based on” substitute “as described in”.

(10) In the italic heading before paragraph 6, for “GDPR” (in the first place) substitute “UK GDPR”.

(11) In paragraph 6, for “GDPR” (in the second and third places) substitute “UK GDPR”.

(12) In paragraph 13, for “GDPR” (in the second place) substitute “UK GDPR”.

(13) In the heading of Part 3, for “based on Article 23(1):” substitute “for the”.

(14) In paragraph 16(1), for “GDPR” (in both places) substitute “UK GDPR”.

(15) In the heading of Part 4, for “based on” substitute “as described in”.

(16) In the italic heading before paragraph 18, for “GDPR” (in the first place) substitute “UK GDPR”.

(17) In paragraph 18, for “GDPR” (in the second and third places) substitute “UK GDPR”.

(18) In paragraph 20(3), for “GDPR” substitute “UK GDPR”.

(19) In paragraph 25—

(a)in sub-paragraph (2), for “GDPR” (in both places) substitute “UK GDPR”;

(b)in sub-paragraph (3), for “GDPR” substitute “UK GDPR”.

(20) In the heading of Part 5, omit “based on Article 85(2)”.

(21) In paragraph 26(9)—

(a)in the opening words, for “GDPR” (in the second and third places) substitute “UK GDPR”;

(b)in paragraphs (a), (b), (c) and (d), for “GDPR” substitute “UK GDPR”;

(c)omit paragraph (e).

(22) In the heading of Part 6, omit “based on Article 89”.

(23) In paragraph 27—

(a)in sub-paragraph (1), for “sub-paragraph (3)” substitute “sub-paragraphs (3) and (4)”;

(b)in sub-paragraph (2), for “GDPR (the rights in which may be derogated from by virtue of Article 89(2) of the GDPR)” substitute “UK GDPR”;

(c)in sub-paragraph (3)(a), for “GDPR” substitute “UK GDPR”;

(d)after sub-paragraph (3) insert—

(4) Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph..

(24) In paragraph 28—

(a)in sub-paragraph (1), for “sub-paragraph (3)” substitute “sub-paragraphs (3) and (4)”;

(b)in sub-paragraph (2), for “GDPR (the rights in which may be derogated from by virtue of Article 89(3) of the GDPR)” substitute “UK GDPR”;

(c)in sub-paragraph (3), for “GDPR” substitute “UK GDPR”;

(d)after sub-paragraph (3) insert—

(4) Where processing for a purpose described in sub-paragraph (1) serves at the same time another purpose, the exemption in sub-paragraph (1) is available only where the personal data is processed for a purpose referred to in that sub-paragraph..

93.—(1) Schedule 3 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) In the heading of Part 1, for “GDPR” substitute “UK GDPR”.

(4) In paragraph 1, for “GDPR” (in the second and third places) substitute “UK GDPR”.

(5) In paragraph 2(2), for “GDPR” substitute “UK GDPR”.

(6) In the italic heading before paragraph 5, for “GDPR” substitute “UK GDPR”.

(7) In paragraph 5(1), for “GDPR” substitute “UK GDPR”.

(8) In the italic heading before paragraph 6, for “GDPR” substitute “UK GDPR”.

(9) In paragraph 6(1), for “GDPR” substitute “UK GDPR”.

(10) In paragraph 7(2), for “GDPR” substitute “UK GDPR”.

(11) In the italic heading before paragraph 11, for “GDPR” substitute “UK GDPR”.

(12) In paragraph 11, for “GDPR” substitute “UK GDPR”.

(13) In the italic heading before paragraph 12, for “GDPR” substitute “UK GDPR”.

(14) In paragraph 12(1)(a) and (3), for “GDPR” substitute “UK GDPR”.

(15) In paragraph 17(2), for “GDPR” substitute “UK GDPR”.

(16) In the italic heading before paragraph 19, for “GDPR” substitute “UK GDPR”.

(17) In paragraph 19, for “GDPR” substitute “UK GDPR”.

(18) In the italic heading before paragraph 20, for “GDPR” substitute “UK GDPR”.

(19) In paragraph 20(1)(a) and (3), for “GDPR” substitute “UK GDPR”.

(20) In the italic heading before paragraph 21, for “GDPR” substitute “UK GDPR”.

(21) In paragraph 21(2), for “GDPR” substitute “UK GDPR”.

94.—(1) Schedule 4 is amended as follows.

(2) In the heading, for “GDPR” substitute “UK GDPR”.

(3) In the italic heading before paragraph 1, for “GDPR” (in the first place) substitute “UK GDPR”.

(4) In paragraph 1, for “GDPR” (in the second and third places) substitute “UK GDPR”.

95.  In Schedule 5, in the following provisions, for “national accreditation body” substitute “UK national accreditation body”—

(a)paragraph 1(2) (in both places);

(b)paragraph 4(4) (in both places);

(c)paragraph 6(4).

96.  Omit Schedule 6.

97.—(1) Schedule 13 is amended as follows.

(2) In paragraph 1(1)—

(a)in paragraph (e), omit “LED supervisory authorities and”;

(b)in paragraph (f), omit “LED supervisory authorities and” and “the Law Enforcement Directive and”;

(c)in paragraph (g), omit “an LED supervisory authority,”;

(d)omit paragraph (i).

(3) In paragraph 3, omit the definition of “LED supervisory authority”.

98.  In Schedule 14, omit Part 1.

99.—(1) Schedule 18 is amended as follows.

(2) In paragraph 1(2), for “section 21(2)” substitute “Article 2(1A) of the UK GDPR”.

(3) In paragraph 5(a) and (b), for “GDPR” substitute “UK GDPR”.

100.—(1) Schedule 19 is amended as follows.

(2) In paragraph 431(3), for “the GDPR or the applied GDPR” substitute “the UK GDPR”.

(3) In paragraph 432(5)(a), for “the GDPR or the applied GDPR” substitute “the UK GDPR”.

101.—(1) Schedule 20 is amended as follows.

(2) In the heading of Part 3, for “GDPR” substitute “UK GDPR”.

(3) In the italic heading before paragraph 12, for “GDPR” (in both places) substitute “UK GDPR”.

(4) In paragraph 18—

(a)in sub-paragraphs (2)(b) and (6)(b), for “applied GDPR” substitute “UK GDPR”;

(b)after sub-paragraph (7) insert—

(8) In this paragraph, references to the UK GDPR do not include the EU GDPR as it was directly applicable to the United Kingdom before exit day (see paragraph 2 of Schedule 21)..

(5) In paragraph 50, for “GDPR” substitute “UK GDPR”.

102.  After Schedule 20 insert—

Section 213

SCHEDULE 21Further transitional provision etc

Part 1Interpretation
The applied GPDR

1.  In this Schedule, “the applied GDPR” means the EU GDPR as applied by Chapter 3 of Part 2 before exit day.

Part 2Continuation of existing acts etc
Merger of the directly applicable GDPR and the applied GDPR

2.(1) On and after exit day, references in an enactment to the UK GDPR (including the reference in the definition of “the data protection legislation” in section 3(9)) include—

(a)the EU GDPR as it was directly applicable to the United Kingdom before exit day, read with Chapter 2 of Part 2 of this Act as it had effect before exit day, and

(b)the applied GDPR, read with Chapter 3 of Part 2 of this Act as it had effect before exit day.

(2) On and after exit day, references in an enactment to, or to a provision of, Chapter 2 of Part 2 of this Act (including general references to this Act or to Part 2 of this Act) include that Chapter or that provision as applied by Chapter 3 of Part 2 of this Act as it had effect before exit day.

(3) Sub-paragraphs (1) and (2) have effect—

(a)in relation to references in this Act, except as otherwise provided;

(b)in relation to references in other enactments, unless the context otherwise requires.

3.(1) Anything done in connection with the EU GDPR as it was directly applicable to the United Kingdom before exit day, the applied GDPR or this Act—

(a)if in force or effective immediately before exit day, continues to be in force or effective on and after exit day, and

(b)if in the process of being done immediately before exit day, continues to be done on and after exit day.

(2) References in this paragraph to anything done include references to anything omitted to be done.

Part 3Transfers to third countries and international organisations
UK GDPR: adequacy decisions and adequacy regulations

4.(1) On and after exit day, for the purposes of the UK GDPR and Part 2 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 5 specifies, or specifies a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, or

(b)in the case of an international organisation, the organisation.

(2) Sub-paragraph (1) has effect subject to provision in paragraph 5 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 5 for the purposes of sub-paragraph (1).

(3) The Secretary of State may by regulations—

(a)repeal sub-paragraphs (1) and (2) and paragraph 5;

(b)amend paragraph 5 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;

(c)amend paragraph 5 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and making provision described in sub-paragraph (2).

(4) Regulations under this paragraph may, among other things——

(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(b)confer a discretion on a person.

(5) Regulations under this paragraph are subject to the negative resolution procedure.

(6) Sub-paragraphs (1) and (2) have effect in addition to section 17A(2) and (3).

5.(1) The following are specified for the purposes of paragraph 4(1)—

(a)an EEA state;

(b)Gibraltar;

(c)a Union institution, body, office or agency set up by, or on the basis of, the Treaty on the European Union, the Treaty on the Functioning of the European Union or the Euratom Treaty;

(d)an equivalent institution, body, office or agency set up by, or on the basis of, the Treaties establishing the European Economic Area;

(e)a third country which is the subject of a decision listed in sub-paragraph (2), other than a decision that, immediately before exit day, had been repealed or was suspended;

(f)a third country, territory or sector within a third country or international organisation which is the subject of an adequacy decision made by the European Commission before exit day on the basis of Article 45(3) of the EU GDPR, other than a decision that, immediately before exit day, had been repealed or was suspended.

(2) The decisions mentioned in sub-paragraph (1)(e) are the following—

(a)Commission Decision 2000/518/EC(17) of 26th July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;

(b)Commission Decision 2002/2/EC(18) of 20th December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;

(c)Commission Decision 2003/490/EC(19) of 30th June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina;

(d)Commission Decision 2003/821/EC(20) of 21st November 2003 on the adequate protection of personal data in Guernsey;

(e)Commission Decision 2004/411/EC(21) of 28th April 2004 on the adequate protection of personal data in the Isle of Man;

(f)Commission Decision 2008/393/EC(22) of 8th May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey;

(g)Commission Decision 2010/146/EU(23) of 5th March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;

(h)Commission Decision 2010/625/EU(24) of 19th October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra;

(i)Commission Decision 2011/61/EU(25) of 31st January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;

(j)Commission Implementing Decision 2012/484/EU(26) of 21st August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;

(k)Commission Implementing Decision 2013/65/EU(27) of 19th December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;

(l)Commission Implementing Decision (EU) 2016/1250(28) of 12th July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield.

(3) Where a decision described in sub-paragraph (1)(e) or (f) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 4(1).

(4) The references to a decision in sub-paragraphs (1)(e) and (f) and (2) are to the decision as it had effect in EU law immediately before exit day, subject to sub-paragraphs (5) and (6).

(5) For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(e) or (f) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.

(6) For the purposes of this paragraph, where a decision described in sub-paragraph (1)(e) or (f) relates to—

(a)transfers from the European Union (or the European Community) or the European Economic Area, or

(b)transfers to which the EU GDPR applies,

it is to be treated as relating to equivalent transfers to or from the United Kingdom or transfers to which the UK GDPR applies (as appropriate).

6.(1) In the provisions listed in sub-paragraph (2)—

(a)references to regulations made under section 17A (other than references to making such regulations) include the provision made in paragraph 5;

(b)references to the revocation of such regulations include the repeal of all or part of paragraph 5.

(2) Those provisions are—

(a)Articles 13(1)(f), 14(1)(f), 45(1) and (7), 46(1) and 49(1) of the UK GDPR;

(b)sections 17B(1), (3), (6) and (7) and 18(2) of this Act.

UK GDPR: transfers subject to appropriate safeguards provided by standard data protection clauses

7.(1) Subject to paragraph 8, the appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after exit day as described in this paragraph.

(2) The safeguards may be provided for by any standard data protection clauses included in an arrangement which, if the arrangement had been entered into immediately before exit day, would have provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.

(3) The safeguards may be provided for by a version of standard data protection clauses described in sub-paragraph (2) incorporating changes where—

(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and

(b)none of the changes alters the effect of the clauses.

(4) The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—

(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;

(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.

(5) In the case of a transfer of personal data made under arrangements entered into before exit day, the safeguards may be provided for on and after exit day by standard data protection clauses not falling within sub-paragraph (2) which—

(a)formed part of the arrangements immediately before exit day, and

(b)at that time, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(2)(c) or (d) or (5) of the EU GDPR.

(6) The Secretary of State and the Commissioner must keep the operation of this paragraph under review.

(7) In this paragraph, “adequacy decision” means a decision made on the basis of—

(a)Article 45(3) of the EU GDPR, or

(b)Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

(8) This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.

8.(1) Paragraph 7 does not apply to the extent that it has been disapplied by—

(a)regulations made by the Secretary of State, or

(b)a document issued by the Commissioner.

(2) Regulations under this paragraph are subject to the negative resolution procedure.

(3) Subsections (3) to (8) and (10) to (12) of section 119A apply in relation to a document issued by the Commissioner under this paragraph as they apply to a document issued by the Commissioner under section 119A(2).

UK GDPR: transfers subject to appropriate safeguards provided by binding corporate rules

9.(1) The appropriate safeguards referred to in Article 46(1) of the UK GDPR may be provided for on and after exit day as described sub-paragraphs (2) to (4), subject to sub-paragraph (5).

(2) The safeguards may be provided for by any binding corporate rules authorised by the Commissioner which, immediately before exit day, provided for the appropriate safeguards referred to in Article 46(1) of the EU GDPR by virtue of Article 46(5) of the EU GDPR.

(3) The safeguards may be provided for by a version of binding corporate rules described in sub-paragraph (2) incorporating changes where—

(a)all of the changes are made in consequence of the withdrawal of the United Kingdom from the EU or provision made by regulations under section 8 or 23 of the European Union (Withdrawal) Act 2018 (or both), and

(b)none of the changes alters the effect of the rules.

(4) The following changes are to be treated as falling within sub-paragraph (3)(a) and (b)—

(a)changing references to adequacy decisions made by the European Commission into references to equivalent provision made by regulations under section 17A or by or under paragraphs 4 to 6 of this Schedule;

(b)changing references to transferring personal data outside the European Union or the European Economic Area into references to transferring personal data outside the United Kingdom.

(5) Sub-paragraphs (2) to (4) cease to apply in relation to binding corporate rules if, on or after exit day, the Commissioner withdraws the authorisation of the rules (or, where sub-paragraph (3) is relied on, the authorisation of the rules mentioned in sub-paragraph (2)).

(6) The Commissioner must keep the operation of this paragraph under review.

(7) In this paragraph—

“adequacy decision” means a decision made on the basis of—

(a)

Article 45(3) of the EU GDPR, or

(b)

Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council of 24th October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data;

“binding corporate rules” has the meaning given in Article 4(20) of the UK GDPR.

(8) This paragraph has effect in addition to Article 46(2) and (3) of the UK GDPR.

Part 3 (law enforcement processing): adequacy decisions and adequacy regulations

10.(1) On and after exit day, for the purposes of Part 3 of this Act, a transfer of personal data to a third country or an international organisation is based on adequacy regulations if, at the time of the transfer, paragraph 11 specifies, or specifies a description which includes—

(a)in the case of a third country, the country or a relevant territory or sector within the country, or

(b)in the case of an international organisation, the organisation.

(2) Sub-paragraph (1) has effect subject to provision in paragraph 11 providing that only particular transfers to the country, territory, sector or organisation may rely on a particular provision of paragraph 11 for the purposes of sub-paragraph (1).

(3) The Secretary of State may by regulations—

(a)repeal sub-paragraphs (1) and (2) and paragraph 11;

(b)amend paragraph 11 so as to omit a third country, territory, sector or international organisation specified, or of a description specified, in that paragraph;

(c)amend paragraph 11 so as to replace a reference to, or description of, a third country, territory, sector or organisation with a narrower reference or description, including by specifying or describing particular transfers of personal data and by making provision described in sub-paragraph (2).

(4) Regulations under this paragraph may, among other things—

(a)identify a transfer of personal data by any means, including by reference to the controller or processor, the recipient, the personal data transferred or the means by which the transfer is made or by reference to relevant legislation, lists or other documents, as they have effect from time to time;

(b)confer a discretion on a person.

(5) Regulations under this paragraph are subject to the negative resolution procedure.

(6) Sub-paragraphs (1) and (2) have effect in addition to section 74A(2) and (3).

11.(1) The following are specified for the purposes of paragraph 10(1)—

(a)a member State;

(b)Gibraltar;

(c)a third country, a territory or sector within a third country or an international organisation which is the subject of an adequacy decision made by the European Commission before exit day on the basis of Article 36(3) of the Law Enforcement Directive, other than a decision that, immediately before exit day, had been repealed or was suspended.

(2) Where a decision described in sub-paragraph (1)(c) states that an adequate level of protection of personal data is ensured only for a transfer specified or described in the decision, only such a transfer may rely on that provision and that decision for the purposes of paragraph 10(1).

(3) The reference to a decision in sub-paragraph (1)(c) is to the decision as it had effect in EU law immediately before exit day, subject to sub-paragraphs (4) and (5).

(4) For the purposes of this paragraph, where a reference to legislation, a list or another document in a decision described in sub-paragraph (1)(c) is a reference to the legislation, list or document as it has effect from time to time, it is to be treated as a reference to the legislation, list or other document as it has effect at the time of the transfer.

(5) For the purposes of this paragraph, where a decision described in sub-paragraph (1)(c) relates to—

(a)transfers from the European Union (or the European Community) or the European Economic Area, or

(b)transfers to which the Law Enforcement Directive applies,

it is to be treated as relating to equivalent transfers from the United Kingdom or transfers to which Part 3 of this Act applies (as appropriate).

12.  In section 74B(1), (3), (6) and (7)—

(a)references to regulations made under section 74A (other than references to making such regulations) include the provision made in paragraph 11;

(b)references to the revocation of such regulations include the repeal of all or part of paragraph 11.

Part 4Repeal of provisions in Chapter 3 of Part 2
Applied GDPR: power to make provision in consequence of GDPR regulations

13.(1) Regulations made under section 23 before exit day continue in force until they are revoked, despite the repeal of that section by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

(2) The provisions listed in section 186(3) include regulations made under section 23 before exit day (and not revoked).

(3) Sub-paragraphs (1) and (2) do not have effect so far as otherwise provided by the law of England and Wales, Scotland or Northern Ireland.

Applied GDPR: national security certificates

14.(1) This paragraph applies to a certificate issued under section 27 of this Act which has effect immediately before exit day.

(2) A reference in the certificate to a provision of the applied GDPR has effect, on and after exit day, as it if were a reference to the corresponding provision of the UK GDPR or this Act.

Part 5The Information Commissioner
Confidentiality of information

15.  The repeal of section 132(2)(d) by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 has effect only in relation to a disclosure of information made on or after exit day.

Part 6Enforcement
GDPR: maximum amount of penalties

16.  In relation to an infringement, before exit day, of a provision of the EU GDPR (as it was directly applicable to the United Kingdom) or the applied GDPR—

(a)Article 83(5) and (6) of the UK GDPR and section 157(5)(a) and (b) of this Act have effect as if for “£17,500,000” there were substituted “20 million Euros”;

(b)Article 83(4) of the UK GDPR and section 157(6)(a) and (b) of this Act have effect as if for “£8,700,000” there were substituted “10 million Euros”;

(c)the maximum amount of a penalty in sterling must be determined by applying the spot rate of exchange set by the Bank of England on the day on which the penalty notice is given under section 155 of this Act.

GDPR: right to an effective remedy against the Commissioner

17.(1) This paragraph applies where—

(a)proceedings are brought against a decision made by the Commissioner before exit day, and

(b)the Commissioner’s decision was preceded by an opinion or decision of the European Data Protection Board in accordance with the consistency mechanism referred to in Article 63 of the EU GDPR.

(2) The Commissioner must forward the Board’s opinion or decision to the court or tribunal dealing with the proceedings..

Regulation 6

SCHEDULE 3Consequential amendments of other legislation

PART 1Revocation of retained EU law

Revocation of Regulations and Decisions

1.  The following Regulations and Decisions are revoked in so far as they are retained EU law—

(a)Commission Decision 2000/518/EC of 26th July 2000 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided in Switzerland;

(b)Commission Decision 2001/497/EC(29) of 15th June 2001 on standard contractual clauses for the transfer of personal data to third countries, under Directive 95/46/EC;

(c)Commission Decision 2002/2/EC of 20th December 2001 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data provided by the Canadian Personal Information Protection and Electronic Documents Act;

(d)Commission Decision 2003/490/EC of 30th June 2003 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Argentina;

(e)Commission Decision 2003/821/EC of 21st November 2003 on the adequate protection of personal data in Guernsey;

(f)Commission Decision 2004/411/EC of 28th April 2004 on the adequate protection of personal data in the Isle of Man;

(g)Commission Decision 2004/915/EC(30) of 27th December 2004 amending Decision 2001/497/EC as regards the introduction of an alternative set of standard contractual clauses for the transfer of personal data to third countries;

(h)Commission Decision 2008/393/EC of 8th May 2008 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Jersey;

(i)Commission Decision 2010/87/EU(31) of 5th February 2010 on standard contractual clauses for the transfer of personal data to processors established in third countries under Directive 95/46/EC of the European Parliament and of the Council;

(j)Commission Decision 2010/146/EU of 5th March 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection provided by the Faeroese Act on processing of personal data;

(k)Commission Decision 2010/625/EU of 19th October 2010 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data in Andorra;

(l)Commission Decision 2011/61/EU of 31st January 2011 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the State of Israel with regard to automated processing of personal data;

(m)Commission Implementing Decision 2012/484/EU of 21st August 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by the Eastern Republic of Uruguay with regard to automated processing of personal data;

(n)Commission Implementing Decision 2013/65/EU of 19th December 2012 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequate protection of personal data by New Zealand;

(o)Commission Implementing Decision (EU) 2016/1250 of 12th July 2016 pursuant to Directive 95/46/EC of the European Parliament and of the Council on the adequacy of the protection provided by the EU-U.S. Privacy Shield;

(p)Commission Implementing Decision (EU) 2016/2295(32) of 16th December 2016 amending Decisions 2000/518/EC, 2002/2/EC, 2003/490/EC, 2003/821/EC, 2004/411/EC, 2008/393/EC, 2010/146/EU, 2010/625/EU, 2011/61/EU and Implementing Decisions 2012/484/EU, 2013/65/EU on the adequate protection of personal data by certain countries, pursuant to Article 25(6) of Directive 95/46/EC of the European Parliament and of the Council;

(q)Commission Implementing Decision (EU) 2016/2297(33) of 16th December 2016 amending Decisions 2001/497/EC and 2010/87/EU on standard contractual clauses for the transfer of personal data to third countries and to processors established in such countries, under Directive 95/46/EC of the European Parliament and of the Council;

(r)Regulation (EU) 2018/1725 of the European Parliament and of the Council of 23rd October 2018 on the protection of natural persons with regard to the processing of personal data by the Union institutions, bodies, offices and agencies and on the free movement of such data, and repealing Regulation (EC) No 45/2001 and Decision No 1247/2002/EC.

Revocation of provisions of EEA agreement

2.  Paragraphs 5e, 5ea, 5ed, 5ee, 5ef, 5eg, 5eh, 5ei, 5ek, 5el, 5em, 5en, 5eo, 5ep and 5eq of Annex 11 to the EEA agreement, as it forms part of the law of England and Wales, Scotland or Northern Ireland on and after exit day by virtue of section 3(1) of the European Union (Withdrawal) Act 2018, are revoked in so far as they are retained EU law.

PART 2Amendments of primary legislation

Consumer Credit Act 1974

3.  The Consumer Credit Act 1974(34) is amended as follows.

4.  In section 157(2A)(a) (duty to disclose name etc of agency), for “GDPR” substitute “UK GDPR”.

5.  In section 159(1)(a) (correction of wrong information), for “GDPR” substitute “UK GDPR”.

6.  In section 189(1) (definitions)—

(a)omit the definition of “the GDPR”;

(b)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

Pharmacy (Northern Ireland) Order 1976

7.  In paragraph 2 of Schedule 3 to the Pharmacy (Northern Ireland) Order 1976(35) (fitness to practice: disclosure of information)—

(a)in sub-paragraph (2)(a), for “GDPR” substitute “UK GDPR”;

(b)for sub-paragraph (5) substitute—

(5) In this paragraph, “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Medical Act 1983

8.  The Medical Act 1983(36) is amended as follows.

9.—(1) Section 29E (evidence) is amended as follows.

(2) In subsection (5), for “GDPR” substitute “UK GDPR”.

(3) In subsection (9), omit the definition of “the GDPR”.

10.—(1) Section 35A (General Medical Council’s power to require disclosure of information) is amended as follows.

(2) In subsection (4), for “GDPR” substitute “UK GDPR”.

(3) In subsection (7), omit the definition of “the GDPR”.

11.  In section 55(1) (interpretation), at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

12.  In paragraph 9B of Schedule 1 (incidental powers of the General Medical Council)—

(a)in sub-paragraph (2)(a), for “GDPR” substitute “UK GDPR”;

(b)omit sub-paragraph (4).

13.  In paragraph 5A of Schedule 4 (professional performance assessments and health assessments)—

(a)in sub-paragraph (8), for “GDPR” substitute “UK GDPR”;

(b)omit sub-paragraph (14).

Dentists Act 1984

14.  The Dentists Act 1984(37) is amended as follows.

15.—(1) Section 33B (the General Dental Council’s power to require disclosure of information: the dental profession) is amended as follows.

(2) In subsection (3), for “GDPR” substitute “UK GDPR”.

(3) In subsection (4), in the definition of “relevant provision of the GDPR”—

(a)for “the GDPR” (in both places) substitute “the UK GDPR”;

(b)for “GDPR provisions” substitute “UK GDPR provisions”.

(4) Omit subsection (11).

16.—(1) Section 36Y (the General Dental Council’s power to require disclosure of information: professions complementary to dentistry) is amended as follows.

(2) In subsection (3), for “GDPR” substitute “UK GDPR”.

(3) In subsection (4), in the definition of “relevant provision of the GDPR”—

(a)for “the GDPR” (in both places) substitute “the UK GDPR”;

(b)for “GDPR provisions” (in the second place) substitute “UK GDPR provisions”.

(4) Omit subsection (11).

17.  In section 53(1) (interpretation), at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

Opticians Act 1989

18.—(1) Section 13B of the Opticians Act 1989 (the Council’s power to require disclosure of information)(38) is amended as follows.

(2) In subsection (3), for “GDPR” substitute “UK GDPR”.

(3) For subsection (10) substitute—

(10) In this section, “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Immigration and Asylum Act 1999

19.—(1) Section 13 of the Immigration and Asylum Act 1999 (proof of identity of persons to be removed or deported)(39) is amended as follows.

(2) In subsection (4), for “GDPR” substitute “UK GDPR”.

(3) For subsection (4A) substitute—

(4A) “The UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Freedom of Information Act 2000

20.—(1) Section 40 of the Freedom of Information Act 2000 (personal information)(40) is amended as follows.

(2) In subsections (3B), (4A)(a) and (5B)(b) and (c), for “GDPR” substitute “UK GDPR”.

(3) In subsection (7)—

(a)in the definition of “the data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the words from ““the GDPR”, “personal data”, “processing”” to the “(14) of that Act);”;

(c)at the appropriate places insert—

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);;

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

(4) In subsection (8), for “GDPR” (in both places) substitute “UK GDPR”.

Health and Personal Social Services Act (Northern Ireland) 2001

21.—(1) Section 7A of the Health and Personal Social Services Act (Northern Ireland) 2001 (power to obtain information etc)(41) is amended as follows.

(2) In subsection (3), for “GDPR” substitute “UK GDPR”.

(3) For subsection (8) substitute—

(8) In this section, “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Freedom of Information (Scotland) Act 2002

22.—(1) Section 38 of the Freedom of Information (Scotland) Act 2002 (personal information)(42) is amended as follows.

(2) In subsections (2B) and (3A)(a), for “GDPR” substitute “UK GDPR”.

(3) In subsection (5)—

(a)in the definition of “the data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the words from ““the GDPR”, “personal data”, “processing”” to “(14) of that Act);”;

(c)at the appropriate places insert—

“personal data” and “processing” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (4) and (14) of that Act);;

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

(4) In subsection (5A), for “GDPR” (in both places) substitute “UK GDPR”.

Mental Health (Care and Treatment) (Scotland) Act 2003

23.—(1) Section 279 of the Mental Health (Care and Treatment) (Scotland) Act 2003 (information for research)(43) is amended as follows.

(2) In subsection (2), for “GDPR” substitute “UK GDPR”.

(3) For subsection (10) substitute—

(10) In this section, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

Crime and Courts Act 2013

24.—(1) Section 42 of the Crime and Courts Act 2013 (other interpretive provisions)(44) is amended as follows.

(2) In subsection (5)(a), for “GDPR” substitute “UK GDPR”.

(3) For subsection (5A) substitute—

(5A) In subsection (5)(a), “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Small Business, Enterprise and Employment Act 2015

25.—(1) Section 6 of the Small Business, Enterprise and Employment Act 2015 (application of listed provisions to designated credit reference agencies)(45) is amended as follows.

(2) In subsection (7)(b), for “GDPR” substitute “UK GDPR”.

(3) For subsection (7A) substitute—

(7A) In subsection (7), “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Social Security (Scotland) Act 2018

26.—(1) Section 60 of the Social Security (Scotland) Act 2018 (right to reports used in determining entitlement)(46) is amended as follows.

(2) In subsection (2), for “GDPR” substitute “UK GDPR”.

(3) For subsection (3) substitute—

(3) In subsection (2), “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

PART 3Amendments of other legislation

Channel Tunnel (International Arrangements) Order 1993

27.—(1) Article 4 of the Channel Tunnel (International Arrangements) Order 1993 (application of enactments)(47) is amended as follows.

(2) In paragraph (2)—

(a)after “For the purposes of” insert “Article 3 of the UK GDPR and”;

(b)in the words following paragraph (c), after “establishment (and” insert “the UK GDPR and”.

(3) In paragraph (3)—

(a)after “For the purposes of” insert “Article 3 of the UK GDPR and”;

(b)in the words following paragraph (b), after “establishment (and” insert “the UK GDPR and”.

(4) After paragraph (3) insert—

(4) In this article, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

Channel Tunnel (Miscellaneous Provisions) Order 1994

28.—(1) Article 4 of the Channel Tunnel (Miscellaneous Provisions) Order 1994 (application of enactments)(48) is amended as follows.

(2) In paragraph (2)—

(a)after “For the purposes of” insert “Article 3 of the UK GDPR and”;

(b)for “the 2018 Act applies” substitute “the UK GDPR and the 2018 Act apply”.

(3) In paragraph (3)—

(a)after “For the purposes of” insert “Article 3 of the UK GDPR and”;

(b)for “the 2018 Act does” substitute “the UK GDPR and the 2018 Act do”.

(4) After paragraph (3) insert—

(4) In this article, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

Scottish Parliamentary Corporate Body (Crown Status) Order 1999

29.  In article 7 of the Scottish Parliamentary Corporate Body (Crown Status) Order 1999 (Data Protection Act 2018)(49)—

(a)in paragraph (2)(a), (d) and (e), for “GDPR” substitute “UK GDPR”;

(b)omit paragraph (5).

Northern Ireland Assembly Commission (Crown Status) Order 1999

30.  In article 9 of the Northern Ireland Assembly Commission (Crown Status) Order 1999 (Data Protection Act 2018)(50)—

(a)in paragraph (2)(a), (d) and (e), for “GDPR” substitute “UK GDPR”;

(b)omit paragraph (5).

Representation of the People (England and Wales) Regulations 2001

31.  The Representation of the People (England and Wales) Regulations 2001(51) are amended as follows.

32.—(1) Regulation 3(1) (interpretation) is amended as follows.

(2) In the definition of “Article 89 GDPR purposes”, for “the GDPR” substitute “the UK GDPR”.

(3) Omit the definition of “the GDPR”.

(4) At the appropriate place insert—

“the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018;.

33.  In regulation 92(2)(ba) (interpretation and application of Part VI etc), for “the GDPR” substitute “the UK GDPR”.

Representation of the People (Scotland) Regulations 2001

34.  The Representation of the People (Scotland) Regulations 2001(52) are amended as follows.

35.—(1) Regulation 3(1) (interpretation) is amended as follows.

(2) In the definition of “Article 89 GDPR purposes”, for “the GDPR” substitute “the UK GDPR”.

(3) Omit the definition of “the GDPR”.

(4) At the appropriate place insert—

“the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018;.

36.  In regulation 92(2)(ba) (interpretation of Part VI etc), for “the GDPR” substitute “the UK GDPR”.

Financial Services and Markets Act 2000 (Disclosure of Confidential Information) Regulations 2001

37.—(1) Regulation 9 of the Financial Services and Markets 2000 (Disclosure of Confidential Information) Regulations 2001 (disclosure by regulators or regulator workers to certain other persons)(53) is amended as follows.

(2) In paragraph (2B)(a), for “GDPR” substitute “UK GDPR”.

(3) For paragraph (6) substitute—

(6) In this regulation, “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Nursing and Midwifery Order 2001

38.  The Nursing and Midwifery Order 2001(54) is amended as follows.

39.—(1) Article 3 (the Nursing and Midwifery Council and its Committees) is amended as follows.

(2) In paragraph (18), for “GDPR” substitute “UK GDPR”.

(3) Omit paragraph (19).

40.—(1) Article 25 (the Council’s power to require disclosure of information) is amended as follows.

(2) In paragraph (3), for “GDPR” substitute “UK GDPR”.

(3) In paragraph (6), omit the definition of “the GDPR”.

41.  In article 40(6) (Directive 2005/36/EC: designation of competent authority etc), omit the definition of “the GDPR”.

42.  In Schedule 4 (interpretation), at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

Electronic Commerce (EC Directive) Regulations 2002

43.—(1) Regulation 3 of the Electronic Commerce (EC Directive) Regulations 2002 (exclusions)(55) is amended as follows.

(2) In paragraph (1)(b), for “GDPR” substitute “UK GDPR”.

(3) In paragraph (3)—

(a)omit the definition of “the GDPR”;

(b)at the appropriate place insert—

“the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018;.

Privacy and Electronic Communications (EC Directive) Regulations 2003

44.  In regulation 2(1) of the Privacy and Electronic Communications (EC Directive) Regulations 2003(56), for “GDPR” substitute “UK GDPR”.

Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003

45.  The Nationality, Immigration and Asylum Act 2002 (Juxtaposed Controls) Order 2003(57) is amended as follows.

46.—(1) Article 8 (exercise of powers by French officers in a control zone in the United Kingdom: disapplication of law of England and Wales) is amended as follows.

(2) In paragraph (2), for “The Data Protection Act 2018” substitute “The UK GDPR and the Data Protection Act 2018.

(3) After paragraph (2) insert—

(2A) In paragraph (2), “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

47.—(1) Article 11 (exercise of powers by UK immigration officers and constables in a control zone in France: enactments having effect) is amended as follows.

(2) In paragraph (4)—

(a)for “The Data Protection Act 2018” substitute “The UK GDPR and the Data Protection Act 2018 (“the 2018 Act”)”;

(b)for “section 207 of that Act” substitute “Article 3 of the UK GDPR and section 207 of the 2018 Act”.

(3) After paragraph (4) insert—

(4A) In paragraph (4), “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

Pupils’ Educational Records (Scotland) Regulations 2003

48.  The Pupils’ Educational Records (Scotland) Regulations 2003(58) are amended as follows.

49.  In regulation 2 (interpretation)—

(a)omit the definition of “the GDPR”;

(b)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

50.  In regulation 6(aa) and (ab) (circumstances where information should not be disclosed), for “GDPR” substitute “UK GDPR”.

51.  In regulation 9(1A) (in both places) and (1B), for “GDPR” substitute “UK GDPR”.

Environmental Information Regulations 2004

52.  The Environmental Information Regulations 2004(59) are amended as follows.

53.—(1) Regulation 2 (interpretation) is amended as follows.

(2) In paragraph (1)—

(a)in the definition of “the data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the words from ““the GDPR”” to “(14) of that Act);”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

(3) In paragraph (4A)—

(a)after “references to” insert “the UK GDPR and”;

(b)after “as if in” insert “Article 2 of the UK GDPR and”;

(c)for “(other general processing)” substitute “(exemptions for manual unstructured processing and for national security and defence purposes)”.

54.  In regulation 13 (personal data), in paragraphs (2B)(a), (3A)(a), (5B)(b) and (c) and (6) (in both places), for “GDPR” substitute “UK GDPR”.

Environmental Information (Scotland) Regulations 2004

55.  The Environmental Information (Scotland) Regulations 2004(60) are amended as follows.

56.—(1) Regulation 2 (interpretation) is amended as follows.

(2) In paragraph (1)—

(a)in the definition of “the data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the words from ““the GDPR”” to “(14) of that Act);”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

(3) In paragraph (3A)—

(a)after “references to” insert “the UK GDPR and”;

(b)after “as if in” insert “Article 2 of the UK GDPR and”;

(c)for “(other general processing)” substitute “(exemptions for manual unstructured processing and for national security and defence purposes)”.

57.  In regulation 11 (personal data), in paragraphs (3B), (4A)(a) and (7) (in both places), for “GDPR” substitute “UK GDPR”.

Licensing Act 2003 (Personal Licences) Regulations 2005

58.—(1) Regulation 7 of the Licensing Act 2003 (Personal Licences) Regulations 2005 (application for grant of a personal licence)(61) is amended as follows.

(2) In paragraph (1)(b)(iii), for “GDPR” substitute “UK GDPR”.

(3) For paragraph (3) substitute—

(3) In this regulation, “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Education (Pupil Information) (England) Regulations 2005

59.—(1) Regulation 5 of the Education (Pupil Information) (England) Regulations 2005 (disclosure of curricular and educational records)(62) is amended as follows.

(2) In paragraph (4), for “GDPR” (in both places) substitute “UK GDPR”.

(3) For paragraph (7) substitute—

(7) In this regulation, “the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act)..

Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005

60.—(1) Regulation 45 of the Civil Contingencies Act 2004 (Contingency Planning) Regulations 2005 (sensitive information)(63) is amended as follows.

(2) In paragraphs (1B)(a) and (1C)(a), for “GDPR” substitute “UK GDPR”.

(3) In paragraph (1D)—

(a)in the definition of “the data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the words from ““the GDPR”” to “(14) of that Act);”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

(4) In paragraph (1E), for “GDPR” (in both places) substitute “UK GDPR”.

Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005

61.—(1) Regulation 39 of the Civil Contingencies Act 2004 (Contingency Planning) (Scotland) Regulations 2005 (sensitive information)(64) is amended as follows.

(2) In paragraphs (1B)(a) and (1C)(a), for “GDPR” substitute “UK GDPR”.

(3) In paragraph (1D)—

(a)in the definition of “the data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the words from ““the GDPR”” to “(14) of that Act);”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

(4) In paragraph (1E), for “GDPR” (in both places) substitute “UK GDPR”.

Register of Judgments, Orders and Fines Regulations 2005

62.  In regulation 3 of the Register of Judgments, Orders and Fines Regulations 2005 (interpretation)(65)—

(a)in the definition of “the data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the definition of “the GDPR”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

National Assembly for Wales (Representation of the People) Order 2007

63.—(1) Paragraph 14 of Schedule 1 to the National Assembly for Wales (Representation of the People) Order 2007 (absent voting at Assembly elections: conditions on the use, supply and inspection of absent vote records or lists)(66) is amended as follows.

(2) In sub-paragraph (1)(a), for “GDPR” substitute “UK GDPR”.

(3) For sub-paragraph (2) substitute—

(2) In this paragraph, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

National Assembly for Wales Commission (Crown Status) Order 2007

64.  In article 5 of the National Assembly for Wales Commission (Crown Status) Order 2007 (Data Protection Act 2018)(67)—

(a)in paragraph (2)(a), (d) and (e), for “GDPR” substitute “UK GDPR”;

(b)omit paragraph (5).

Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007

65.—(1) Regulation 18 of the Representation of the People (Absent Voting at Local Elections) (Scotland) Regulations 2007 (conditions on the supply and inspection of absent voter records or lists)(68) is amended as follows.

(2) In paragraph (1)(a), for “GDPR” substitute “UK GDPR”.

(3) For paragraph (2) substitute—

(2) In this regulation, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007

66.—(1) Regulation 5 of the Representation of the People (Post-Local Government Elections Supply and Inspection of Documents) (Scotland) Regulations 2007 (conditions on the use, supply and disclosure of documents open to public inspection)(69) is amended as follows.

(2) In paragraph (2)(i), for “GDPR” substitute “UK GDPR”.

(3) For paragraph (4) substitute—

(4) In this regulation, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007

67.  The Education (Pupil Records and Reporting) (Transitional) Regulations (Northern Ireland) 2007(70) are amended as follows.

68.  In regulation 2 (interpretation)—

(a)omit the definition of “the GDPR”;

(b)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

69.  In regulation 10(2) (duties of Boards of Governors), for “GDPR” substitute “UK GDPR”.

Representation of the People (Northern Ireland) Regulations 2008

70.—(1) Regulation 118 of the Representation of the People (Northern Ireland) Regulations 2008 (conditions on the use, supply and disclosure of documents open to public inspection)(71) is amended as follows.

(2) In paragraph (2), for “GDPR” substitute “UK GDPR”.

(3) For paragraph (4) substitute—

(4) In this regulation, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008

71.  The Controlled Drugs (Supervision of Management and Use) (Wales) Regulations 2008(72) are amended as follows.

72.—(1) Regulation 2(1) (interpretation) is amended as follows.

(2) In the English language text—

(a)omit the words from ““the GDPR”” to “(14) of that Act);”;

(b)at the appropriate place insert—

“the UK GDPR” (“GDPR y DU”) has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

(3) In the Welsh language text—

(a)omit the words from “mae i “y GDPR”” to “(14) o’r Ddeddf honno);”;

(b)at the appropriate place insert—

“mae i “GDPR y DU” yr un ystyr ag a roddir i honno yn Rhannau 5 i 7 o’r Ddeddf Diogelu Data 2018 (gweler adran 3(10) a (14) o’r Ddeddf honno);.

73.  In regulation 25(7) (duty to co-operate by disclosing information as regards relevant persons)—

(a)in the English language text, for “GDPR” substitute “UK GDPR”;

(b)in the Welsh language text, for “neu’r GDPR” substitute “neu GDPR y DU”.

74.  In regulation 26(6) (responsible bodies requesting additional information be disclosed about relevant persons) —

(a)in the English language text, for “GDPR” substitute “UK GDPR”;

(b)in the Welsh language text, for “neu’r GDPR” substitute “neu GDPR y DU”.

75.  In regulation 29(3) (occurrence reports) —

(a)in the English language text, for “GDPR” substitute “UK GDPR”;

(b)in the Welsh language text, for “neu’r GDPR” substitute “neu GDPR y DU”.

Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008

76.—(1) Regulation 5 of the Energy Order 2003 (Supply of Information) Regulations (Northern Ireland) 2008 (information whose disclosure would be affected by the application of other legislation)(73) is amended as follows.

(2) In paragraph (3B)(a), for “GDPR” substitute “UK GDPR”.

(3) In paragraph (5)—

(a)in the definition of “data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the definition of “the GDPR”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

INSPIRE Regulations 2009

77.—(1) Regulation 9 of the INSPIRE Regulations 2009 (public access to spatial data sets and spatial data services)(74) is amended as follows.

(2) In paragraph (2)(b), for “GDPR” substitute “UK GDPR”.

(3) In paragraph (8)—

(a)in the definition of “data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the definition of “the GDPR”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

(4) In paragraph (9), for “GDPR” (in both places) substitute “UK GDPR”.

INSPIRE (Scotland) Regulations 2009

78.—(1) Regulation 10 of the INSPIRE (Scotland) Regulations 2009 (public access to spatial data sets and spatial data services)(75) is amended as follows.

(2) In paragraph (2)(b), for “GDPR” substitute “UK GDPR”.

(3) In paragraph (7)—

(a)in the definition of “data protection principles”, for “GDPR” substitute “UK GDPR”;

(b)omit the definition of “the GDPR”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

(4) In paragraph (8), for “GDPR” (in both places) substitute “UK GDPR”.

Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009

79.  The Controlled Drugs (Supervision of Management and Use) Regulations (Northern Ireland) 2009(76) are amended as follows.

80.  In regulation 2(2) (interpretation)—

(a)omit the words from ““the GDPR”” to “(14) of that Act);”;

(b)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

81.  In regulation 25(7) (duty to co-operate by disclosing information as regards relevant persons), for “GDPR” substitute “UK GDPR”.

82.  In regulation 26(6) (responsible bodies requesting additional information be disclosed about relevant persons), for “GDPR” substitute “UK GDPR”.

83.  In regulation 29(3) (occurrence reports), for “GDPR” substitute “UK GDPR”.

Pharmacy Order 2010

84.  The Pharmacy Order 2010(77) is amended as follows.

85.  In article 3(1) (interpretation), at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

86.  In article 9(5) (inspection and enforcement), for “and references to Schedule 2 to the Data Protection Act 2018 have” substitute “has”.

87.—(1) Article 49 (disclosure of information: general) is amended as follows.

(2) In paragraph (2)(a), for “GDPR” substitute “UK GDPR”.

(3) Omit paragraph (6).

88.—(1) Article 55 (professional performance assessments) is amended as follows.

(2) In paragraph (5)(a), for “GDPR” substitute “UK GDPR”.

(3) Omit paragraph (9).

Local Elections (Northern Ireland) Order 2010

89.  In paragraph 1(1) of Schedule 3 to the Local Elections (Northern Ireland) Order 2010 (access to marked registers and other documents open to public inspection after an election)(78)—

(a)in the definition of “Article 89 GDPR purposes”, for “the GDPR” substitute “the UK GDPR”;

(b)omit the definition of “the GDPR”;

(c)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

Pupil Information (Wales) Regulations 2011

90.  Regulation 5 of the Pupil Information (Wales) Regulations 2011 (duties of head teacher - educational records)(79) is amended as follows.

91.—(1) In paragraph (5)(a) and (b) —

(a)in the English language text, for “GDPR” substitute “UK GDPR”;

(b)in the Welsh language text, for “neu’r GDPR” substitute “neu GDPR y DU”.

(2) For paragraph (6)—

(a)in the English language text substitute—

(6) In this regulation, “the UK GDPR” (“GDPR y DU”) has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act).;

(b)in the Welsh language text substitute—

(6) Yn y rheoliad hwn mae i “GDPR y DU” yr un ystyr ag a roddir i honno yn Rhannau 5 i 7 o’r Ddeddf Diogelu Data 2018 (gweler adran 3(10) a (14) o’r Ddeddf honno)..

Police and Crime Commissioner Elections Order 2012

92.  The Police and Crime Commissioner Elections Order 2012(80) is amended as follows.

93.—(1) Schedule 2 (absent voting in Police and Crime Commissioner elections) is amended as follows.

(2) In paragraph 20 (absent voter lists: supply of copies etc)—

(a)in sub-paragraph (8)(a), for “GDPR” substitute “UK GDPR”;

(b)for sub-paragraph (11) substitute—

(11) In this paragraph, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

(3) In paragraph 24 (restriction on use of absent voter records or lists or the information contained in them)—

(a)in sub-paragraph (3)(a), for “GDPR” substitute “UK GDPR”;

(b)for sub-paragraph (4) substitute—

(4) In this paragraph, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

94.—(1) Schedule 10 (access to marked registers and other documents open to public inspection after an election) is amended as follows.

(2) In paragraph 5 (restriction on use of absent voter records or lists or the information contained in them)—

(a)in sub-paragraph (3)(a), for “GDPR” substitute “UK GDPR”;

(b)for sub-paragraph (5) substitute—

(5) In this paragraph, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018..

Neighbourhood Planning (Referendums) Regulations 2012

95.  In paragraph 29(1) of Schedule 6 to the Neighbourhood Planning (Referendums) Regulations 2012 (interpretation of Part 8)(81)—

(a)in the definition of “Article 89 GDPR purposes”, for “the GDPR” substitute “the UK GDPR”;

(b)omit the definition of “the GDPR”;

(c)in the definition of “relevant requirement”, for “the GDPR” substitute “the UK GDPR”;

(d)at the appropriate place insert—

“the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018;.

Controlled Drugs (Supervision of Management and Use) Regulations 2013

96.—(1) Regulation 20 of the Controlled Drugs (Supervision of Management and Use) Regulations 2013 (information management)(82) is amended as follows.

(2) In paragraph (5), for “GDPR” (in both places) substitute “UK GDPR”.

(3) For paragraph (7) substitute—

(7) In this regulation, “personal data” and “the UK GDPR” have the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(2), (10) and (14) of that Act)..

Small and Medium Sized Business (Credit Information) Regulations 2015

97.—(1) Regulation 15 of the Small and Medium Sized Business (Credit Information) Regulations 2015 (access to and correction of information for individuals and small firms)(83) is amended as follows.

(2) In paragraph (1), for “GDPR” substitute “UK GDPR”.

(3) Omit paragraph (4).

Scottish Parliament (Elections etc) Order 2015

98.  The Scottish Parliament (Elections etc) Order 2015(84) is amended as follows.

99.—(1) Schedule 3 (absent voting) is amended as follows.

(2) In paragraph 16 (absent voting lists: supply of copies etc)—

(a)in sub-paragraph (4)(a), for “GDPR” substitute “UK GDPR”;

(b)for sub-paragraph (11) substitute—

(11) In this paragraph, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.

(3) In paragraph 20 (restriction on use of absent voting lists)—

(a)in sub-paragraph (3)(a), for “GDPR” substitute “UK GDPR”;

(b)for sub-paragraph (4) substitute—

(4) In this paragraph, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.

100.  In Schedule 8 (access to marked registers and other documents open to public inspection after an election), in paragraph 5 (restriction on use of documents)—

(a)in sub-paragraph (3)(a), for “GDPR” substitute “UK GDPR”;

(b)for sub-paragraph (5) substitute—

(5) In this paragraph, “the UK GDPR” has the meaning given in section 3(10) of the Data Protection Act 2018.

Electronic Identification and Trust Services for Electronic Transactions Regulations 2016

101.  In Schedule 2 to the Electronic Identification and Trust Services for Electronic Transactions Regulations 2016 (Information Commissioner’s enforcement powers)(85), in paragraph 16(a) and (b) (modification of section 159 of the Data Protection Act 2018), for “GDPR” substitute “UK GDPR”.

Court Files Privileged Access Rules (Northern Ireland) 2016

102.  The Court Files Privileged Access Rules (Northern Ireland) 2016(86) are amended as follows.

103.  In rule 2 (interpretation), at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

104.  In rule 5(a) (information that may be released), for “GDPR” substitute “UK GDPR”.

105.  In rule 7(2)(a) (provision of information), for “GDPR” substitute “UK GDPR”.

Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017

106.  The Money Laundering, Terrorist Financing and Transfer of Funds (Information on the Payer) Regulations 2017(87) are amended as follows.

107.  In regulation 3(1) (interpretation)—

(a)omit the words from ““the GDPR” to “(14) of that Act);”;

(b)at the appropriate place insert—

“the UK GDPR” has the same meaning as in Parts 5 to 7 of the Data Protection Act 2018 (see section 3(10) and (14) of that Act);.

108.  In regulation 16(8)(b) (risk assessment by the Treasury and Home Office), for “GDPR” substitute “UK GDPR”.

109.  In regulation 17(9)(b) (risk assessment by supervisory authorities), for “GDPR” substitute “UK GDPR”.

110.  In regulation 41 (data protection), in paragraphs (3)(a), (6), (7), (8) and (9), for “GDPR” substitute “UK GDPR”.

PART 4Modification

References to the GDPR

111.—(1) Legislation described in sub-paragraph (2) has effect on and after exit day as if it were modified in accordance with sub-paragraphs (3) and (4) (but see sub-paragraph (5)).

(2) That legislation is—

(a)subordinate legislation made on or before exit day;

(b)primary legislation passed or made on or before exit day.

(3) The following have effect as references to the UK GDPR—

(a)references to the GDPR as defined in section 3(10) of the 2018 Act or as defined for the purposes of Parts 5 to 7 of the 2018 Act;

(b)other references to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27th April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation).

(4) References described in sub-paragraph (3) which are references to the GDPR or the Regulation read with Chapter 2 of Part 2 of the 2018 Act have effect as references to the UK GDPR read with Part 2 of that Act.

(5) Sub-paragraphs (1) to (4) have effect unless the context otherwise requires and, in particular, do not affect references to the Regulation mentioned in sub-paragraph (3)(b) as it has effect in EU law.

(6) Paragraph 2 of Schedule 21 to the 2018 Act (inserted by these Regulations) has effect in relation to references to the UK GDPR arising as a result of this paragraph as it has effect in relation of other references to the UK GDPR.

(7) In this paragraph—

“primary legislation” has the meaning given in section 211 of the 2018 Act;

“references” includes any references, however expressed;

“subordinate legislation” has the meaning given in the Interpretation Act 1978.

PART 5Supplementary

Interpretation of references to enactments

112.  Nothing in Parts 2 to 4 of this Schedule is to be read as implying anything about whether references to an enactment or statutory provision (whether in Acts or instruments amended by those Parts of this Schedule or elsewhere) include the UK GDPR or other retained direct EU legislation.

Regulation 7

SCHEDULE 4Amendments consequential on provisions of the 2018 Act

Anti-terrorism, Crime and Security Act 2001

1.—(1) Part 1 of Schedule 4 to the Anti-terrorism, Crime and Security Act 2001 (extension of existing disclosure powers)(88) is amended as follows.

(2) Omit paragraph 42.

(3) After paragraph 53F insert—

53G.  Section 132(1) of the Data Protection Act 2018.

Investigatory Powers Act 2016

2.  In section 202(4) of the Investigatory Powers Act 2016 (restriction on use of class BDP warrants)(89), in the definition of “sensitive personal data”, for “section 2(a) to (f) of the Data Protection Act 1998” substitute “section 86(7)(a) to (e) of the Data Protection Act 2018”.

Data Protection Act 2018

3.  In Schedule 19 to the Data Protection Act 2018 (minor and consequential amendments)(90), omit paragraphs 76 and 201.

EXPLANATORY NOTE

(This note is not part of the Regulations)

These Regulations make amendments to legislation in relation to the regulation of the processing of personal data.

These Regulations are made in exercise of the powers in sections 8(1) and 23(1) of, and paragraphs 21 of Schedule 7 and 1(1) of Schedule 4 to, the European Union (Withdrawal) Act 2018 (c.16) (“the EUWA 2018”), in order to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(a), (b), (d) and (g)) arising from the withdrawal of the United Kingdom (“UK”) from the European Union (“EU”).

These Regulations also exercise powers in section 211(2) of the Data Protection Act 2018 (“the DPA 2018”) to make provision consequential to that Act, and in section 2(2) of the European Communities Act 1972 (c.68) for the purpose of implementing an EU obligation of the UK.

Regulations 1 and 2 cover citation, commencement, extent and interpretation.

Regulation 3 introduces Schedule 1, which amends Regulation (EU) 2016/679 of the European Parliament and of the Council (“the GDPR”) as it forms part of domestic law by virtue of section 3 of the EUWA 2018.

Regulation 4 introduces Schedule 2, which amends the DPA 2018.

Among other things, changes made by Schedules 1 and 2 have the effect of merging two pre-existing regimes for the regulation of the processing of personal data – namely that established by the GDPR as supplemented by Chapter 2 of Part 2 of the DPA 2018 as originally enacted, and that established in Chapter 3 of Part 2 of the DPA 2018 as originally enacted (“the applied GDPR”). The applied GDPR extended GDPR standards to certain processing out of scope of EU law and the GDPR.

Regulation 5 makes provision concerning interpretation in relation to processing that prior to exit day was subject to the applied GDPR.

Regulation 6 introduces Schedule 3, which makes amendments to other legislation. Part 1 of Schedule 3 revokes certain EU data protection law that forms part of domestic law by virtue of section 3 of the EUWA 2018. Parts 2 and 3 of Schedule 3 make amendments to other legislation consequential to the amendments made in Schedules 1 and 2. Part 4 of Schedule 3 makes general provision for references to the GDPR (that are not otherwise amended by Parts 2 or 3) to have effect as references to the UK GDPR on and after exit day. Part 5 of Schedule 3 makes supplementary provision in respect of Parts 2, 3 and 4.

Regulation 7 introduces Schedule 4 which makes amendments consequential to the DPA 2018 to the Anti-terrorism, Crime and Security Act 2001 (c.24) and to the Investigatory Powers Act 2016 (c.25). Related amendments appear in paragraphs 76 and 201 (respectively) of schedule 19 to the DPA but have not been commenced. Regulation 7 repeals those provisions.

Regulation 8 makes amendments to the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2002/2013) in light of provision made by the GDPR relating to the meaning of “consent”.

A full impact assessment has not been produced for this instrument as no, or no significant, impact on the private, voluntary or public sector is foreseen.

(3)

1972. c. 68. Section 2 was amended by section 27(1)(a) of the Legislative and Regulatory Reform Act 2006 (c.51) and Part 1 of the Schedule to the European Union (Amendment) Act 2008 (c. 7).

(5)

These regulations make a further amendment to this provision (see Sch. 3, para. 3).

(6)

OJ L 281, 23.11.1995, p31-50.

(7)

OJ L 178, 17/07/2000, p1-16.

(9)

Section 17A is inserted into the 2018 Act by these Regulations (see Sch. 2, para. 23).

(10)

OJ L 201, 31.7.2002, p37-47.

(11)

Such domestic legislation includes the Privacy and Electronic Communications (EC Directive) Regulations 2003 (S.I. 2003/2426) (“PECR”) and the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (S.I. 2000/2699) (as amended by PECR).

(12)

Section 17B is inserted into the 2018 Act by these Regulations (see Sch. 2, para. 23).

(13)

Section 17C is inserted into the 2018 Act by these Regulations (see Sch. 2, para. 23).

(14)

Section 119A is inserted into the 2018 Act by these Regulations (see Sch. 2, para. 51).

(15)

The definition of the EU GDPR is inserted into section 3 of the 2018 Act by these Regulations (see Sch. 2, para. 4(5)).

(16)

Section 205(4) is inserted into the 2018 Act by these Regulations (see Sch. 2, para. 85(7)).

(17)

OJ L 215, 25.8.2000, p. 1-3.

(18)

OJ L 2, 4.1.2002, p. 13-16.

(19)

OJ L 168, 05.07.2003, p. 19-22.

(20)

OJ L 308, 25.11.2003 p. 27-28.

(21)

OJ L 151, 30.4.2004. , p. 48-51.

(22)

OJ L 138, 28.5.2008, p. 21-23.

(23)

OJ L 58, 9.3.2010, p. 17-19.

(24)

OJ L 277, 21.10.2010, p. 27-29.

(25)

OJ L 27, 1.2.2011, p. 39-42

(26)

OJ L 227, 23.8.2012, p. 11-14.

(27)

OJ L 28, 30.1.2013, p. 12-14.

(28)

OJ L 207, 1.8.2016, p. 1-112.

(29)

OJ L 181, 4.7.2001, p. 19-31.

(30)

OJ L 385, 29.12.2004, p. 74-84.

(31)

OJ L 39, 12.2.2010, p. 5-18.

(32)

OJ L 344, 17.12.2016, p. 83-91.

(33)

OJ L 344, 17.12.2016, p. 100-101.

(90)

2018 c.12.