To ask Her Majesty's Government what assessment they have made of the operation of sections 17A and B of the Data Protection Act 2018 as inserted by the Data Protection, Privacy and Electronic Communications (EU Exit) Regulations 2019; how many times the provisions contained within those Regulations have been exercised; and what plans they have, if any, to review the exercise of those powers once the UK leaves the EU.
The EU Withdrawal Act 2018 will retain the General Data Protection Regulation (GDPR) in domestic law when the UK leaves the EU. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 use powers under that Act to correct deficiencies in the GDPR so that it remains operable in a purely domestic context. For example, the Regulations rename the GDPR as the ‘UK GDPR’, repatriate certain powers from the EU Commission to the Secretary of State and replace European terminology with UK equivalents.
Section 17A of the Data Protection Act 2018, as inserted by these Regulations, repatriates power from the EU Commission to the Secretary of State to make adequacy decisions for the purposes of Article 45 of the UK GDPR. Section 17B sets out the requirement for ongoing monitoring of adequate countries and for adequacy decisions to be reviewed at least every four years (maintaining the standards in Article 45 of the GDPR).
The EU Exit provisions of these Regulations have not yet been exercised because they only come into force on Exit Day.