We need your support to keep TheyWorkForYou running and make sure people across the UK can continue to hold their elected representatives to account.Donate to our crowdfunder
If they fulfil those conditions that I mentioned, the answer is yes.
I would like to touch on what our exit from the EU might mean for the applied GDPR, as provided for by Chapter 3 of Part 2 of the Data Protection Act 2018. Noble Lords will recall that we created a separate regime which provides for broadly equivalent standards to the GDPR to apply to processing activities that are outside the scope of EU law and covered by neither Part 3 nor 4 of the Act, which deal with processing by law enforcement and intelligence services respectively. This regime currently applies, for example, where a controller other than the intelligence services is processing for national security or defence purposes.
As the EU GDPR will not, as a matter of domestic law, apply directly to any general processing activities when we leave the EU, these regulations are intended to simplify matters by providing for a single regime for all general processing activities. Those provisions in the 2018 Act that provide for the applied GDPR, together with other references to the applied GDPR in legislation, are removed. Importantly, the provisions in the applied GDPR which currently provide exemptions from specified provisions where these are required for the purposes of safeguarding national security or for defence purposes have been retained in the merged regime. These exemptions balance the need to protect personal data against ensuring that the UK’s security and intelligence community can continue to carry out its vital work to safeguard national security. I should emphasise that the merger does not itself alter the purview of EU law so where aspects of domestic data protection law were outside EU competence before exit day, this will not change as a result of this instrument. We have included provisions in the regulations to make that point clear.
I believe that the approach the Government are taking is an appropriate way of addressing the deficiencies in domestic data protection laws resulting from the UK leaving the EU. The aim of these regulations is to ensure continuity for data subjects, controllers and processors by maintaining the same data protection standards that currently exist under the GDPR and the Data Protection Act 2018.
My remarks have focused on the changes made to the GDPR and the Data Protection Act because they are the most significant. For completeness, I should add that the regulations make a number of minor amendments to other legislation, consequential on the amendments we are making to the UK GDPR and Data Protection Act 2018. For example, they amend references to the “GDPR” in other legislation to refer to the “UK GDPR”.
They also address a small number of non-exit-related issues. They clarify that the GDPR definition of consent applies for the purposes of the Privacy and Electronic Communications (EC Directive) Regulations 2003, and address two minor drafting issues that were identified in Schedule 19 to the Data Protection Act 2018, shortly before it received Royal Assent. I commend these regulations to the House