My Lords, I am pleased to introduce a statutory instrument laid before the House on 14 October. Neither the Joint Committee on Statutory Instruments nor the Secondary Legislation Scrutiny Committee has drawn the House’s attention to this instrument.
When the transition period comes to an end, the EU’s regulation on data protection, known as the GDPR, will be retained in domestic law through the European Union (Withdrawal) Act 2018. Last year, the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 were made. I will refer to those regulations as the main regulations. They were made to make minor and technical changes to the retained GDPR and the Data Protection Act 2018 to ensure that UK data protection law continued to be operable on exit day.
The instrument before noble Lords seeks to make some limited amendments to the main regulations, most of which address the fact that there has been a transition period. The majority of the changes are to references to “exit day” in the main regulations, which will be updated to read “IP completion day”. A small number of other changes relate to the transitional provisions for international transfers of personal data.
Binding corporate rules approved by EU data protection regulators enable multinational companies to transfer personal data within their group globally. The main regulations preserve pre-GDPR binding corporate rules that had previously been authorised by the Information Commissioner as a valid transfer mechanism after the transition period. However, a subset of pre-GDPR binding corporate rules currently relied on by organisations with data flows in the UK may have received authorisation from only EU supervisory authorities. This instrument makes provisions that will allow UK-based group members to use such rules as a valid transfer mechanism, if they obtain approval from the Information Commissioner within six months from the end of the transition period.
UK organisations can currently freely transfer personal data to EU and EEA states, and non-EEA countries for which the EU Commission has made adequacy decisions. The main regulations continue this position on a transitional basis and list the relevant adequacy decisions for clarity. This instrument updates the list to reflect developments since the main regulations were made by adding the 2019 adequacy decision for Japan and removing the reference to the EU’s adequacy decision for the US privacy shield. These amendments are not substantive and are entirely in keeping with the original intention of the main regulations, namely the continued free flow of personal data between the UK and third countries that have already been found to meet the requisite standards for data protection.
The main regulations also provided a legal basis for the continued free flow of personal data from the UK to the EU falling within scope of the law enforcement directive, otherwise known as the LED. The approach adopted in the main regulations was to transitionally deem EU member states and Gibraltar as adequate.
Since the main regulations were made, the Home Office has established that the EEA states, Norway, Iceland and Liechtenstein, and Switzerland, have also transposed the LED into their domestic law, which enables data sharing between authorities in the UK and law enforcement agencies within these countries for law enforcement purposes. To enable law enforcement co-operation and data sharing between the UK and EEA states and Switzerland to continue as it does now following the end of the transition period, this instrument adds them to the list of countries that will be treated as adequate, on a transitional basis, under Part 3 of the Data Protection Act 2018. This will be the most efficient way to ensure the flow of personal data, which is fundamental for law enforcement co-operation.
In 2019, an additional statutory instrument was made to amend the main regulations to reflect the arrangements made for personal data transferred from the UK to privacy shield companies in the US. As this adequacy decision has now been invalidated by the CJEU, the amending regulation no longer has any practical effect. Therefore, Regulation 7 revokes that amending regulation before it comes into force.
I have set out why our approach is an appropriate way to address deficiencies in our data protection regime resulting from the UK leaving the EU at the end of the transition period. This instrument will also revoke some EU legislation that would have no practical effect if it were to be retained under the European Union (Withdrawal) Act 2018 at the end of the transition period, such as Council decision 2004/644/EC, which adopts implementing rules of the European Parliament and European Council on the protection of individuals with regard to the processing of personal data by the community institutions and bodies and on the free movement of such data. This retained version of this decision will have no practical effect, so we are revoking it to keep the UK statute book tidy. I beg to move.
6.22 pm