Amendments to Data Protection Regulations for EU-UK Data Transfers Post-Brexit, Slides of Law

Download Amendments to Data Protection Regulations for EU-UK Data Transfers Post-Brexit and more Slides Law in PDF only on Docsity! DExEU/EM/7-2018.2 1 EXPLANATORY MEMORANDUM TO THE DATA PROTECTION, PRIVACY AND ELECTRONIC COMMUNICATIONS (AMENDMENTS ETC) (EU EXIT) (NO.2) REGULATIONS 2019 2019 No. [XXXX] 1. Introduction 1.1 This explanatory memorandum has been prepared by the Department for Digital, Culture, Media and Sport (DCMS) and is laid before Parliament by Act. 1.2 This memorandum contains information for the Sifting Committees. 2. Purpose of the instrument 2.1 This instrument uses powers under the EU (Withdrawal) Act 2018 (EUWA) to amend the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (“the Main Regulations”) in order to correct deficiencies in EU-derived data protection legislation as a result of the withdrawal of the UK from the EU. This will ensure that the legal framework for data protection within the UK continues to function correctly after exit day. Explanations What did any relevant EU law do before exit day? 2.2 The General Data Protection Regulation (GDPR) applies directly across all EU Member States, including the UK, until Exit Day. It regulates the processing of personal data by data controllers and processors with an establishment in the EU; and by those outside the EU which are processing data about individuals who are in the EU for the purposes of providing them with goods and services or monitoring their behaviour. 2.3 The Data Protection Act (DPA) 2018 supplements the GDPR within the UK by exercising areas for derogation within the GDPR. The GDPR is direct EU legislation that will form part of UK domestic law under the EUWA from Exit Day. Under the GDPR, the European Commission has the power to make adequacy decisions in relation to third countries and there are several such adequacy decisions currently in force. 2.4 One of the adequacy decisions the Commission has made is a partial adequacy decision in relation to transfers to the USA under the Privacy Shield Framework (“Privacy Shield”). The decision allows personal data to be transferred from the EU to a company in the United States which is on the Privacy Shield list maintained by the U.S. Department of Commerce. In order to be added to the Privacy Shield list, a US company must commit to comply with Privacy Shield and must have a privacy policy which complies with a set of principles (“the Privacy Shield Principles”) on the protection of personal data and safeguards. The U.S. Department of Commerce is responsible for managing and administering the Privacy Shield. DExEU/EM/7-2018.2 2 Why is it being changed? 2.5 The Main Regulations transfer the European Commission’s powers in respect of making adequacy decisions to the Secretary of State, by enabling the Secretary of State to make “adequacy regulations”, and revoke the current European Commission adequacy decisions which would otherwise form part of retained EU law. However, the Main Regulations make transitional provisions with the intention of enabling personal data to continue to flow from the UK to jurisdictions subject to an EU adequacy decision immediately before Exit Day, including the European Commission's adequacy decision in relation to the Privacy Shield. 2.6 In order to reflect the arrangements made for personal data transferred from the UK to Privacy Shield companies in the US to continue to be protected under Privacy Shield, an amendment is needed to the Main Regulations to correct a deficiency in the retained EU law and ensure it operates effectively after EU exit. 2.7 Following the UK’s withdrawal from the EU, Privacy Shield companies will be required to update their privacy policies in order to continue receiving personal data from the UK in reliance on the Privacy Shield. 2.8 The instrument amends the Main Regulations to provide that personal data from the UK can only be transferred to Privacy Shield companies in reliance on Privacy Shield if the US Privacy Shield company has fulfilled this requirement. What will it now do? 2.9 The instrument amends the transitional provisions of the Main Regulations to provide that transfers of personal data from the UK in reliance on Privacy Shield can only take place after 29 March 2019 in a no deal scenario, if the certified Privacy Shield company has a privacy policy which includes a commitment to comply with the Privacy Shield Principles in relation to personal data transferred from the UK. This maintains consistency with arrangements prior to the UK’s withdrawal from the EU. 3. Matters of special interest to Parliament Matters of special interest to the Sifting Committees 3.1 The instrument is being laid for sifting by the Sifting Committees. The instrument is being laid for sifting now, before the Main Regulations are made, to enable time for the instrument to go through parliamentary procedure before 29 March 2019. Matters relevant to Standing Orders Nos. 83P and 83T of the Standing Orders of the House of Commons relating to Public Business (English Votes for English Laws) 3.2 As the instrument is subject to negative resolution procedure there are no matters relevant to Standing Orders Nos. 83P and 83T of the Standing Orders of the House of Commons relating to Public Business at this stage. 4. Extent and Territorial Application 4.1 The territorial extent of this instrument is all of the United Kingdom. 4.2 The territorial application of this instrument is all of the United Kingdom. DExEU/EM/7-2018.2 5 under their Privacy Shield commitments. This only requires the UK business to look at their US counterparts’ privacy policy online. 13.4 This instrument means that the Privacy Shield framework will continue to be available to the numerous UK small businesses who use it to facilitate their continued business relationships with US firms, where there are protections in place for the personal data which is transferred. Moreover, both the UK and US share an interest in Privacy Shield's ongoing availability to facilitate the cross-border data transfers that underpin our $231.9 billion annual bilateral trade and investment relationship. 14. Monitoring & review 14.1 The approach to monitoring of this legislation is the government will include this in future reviews of the UK’s data protection framework. Noting that the changes made by this instrument are limited to ensuring the UK’s data protection legislation will be operable on Exit Day. The government will review the need for further changes to the UK data protection framework and bring further legislative proposals forward as necessary to ensure it remains effective, protects data subjects' rights, ensures that data processing can processed where it is in the public interest and that data can be shared appropriately with the UK's international partners. 14.2 As this instrument is made under the EU Withdrawal Act 2018, no review clause is required. 15. Contact 15.1 Michael Animahaun at the Department for Digital, Culture, Media and Sport. Telephone: 07841 804604 or email: Michael.Animashaun@culture.gov.uk can be contacted with any queries regarding the instrument. 15.2 James Snook (Acting) Director at the Department for Digital, Culture, Media and Sport can confirm that this Explanatory Memorandum meets the required standard. 15.3 Margot James MP, Minister of State for the Department for Digital, Culture, Media and Sport, can confirm that this Explanatory Memorandum meets the required standard. DExEU/EM/7-2018.2 6 Annex Statements under the European Union (Withdrawal) Act 2018 Part 1 Table of Statements under the 2018 Act This table sets out the statements that may be required under the 2018 Act. Statement Where the requirement sits To whom it applies What it requires Sifting Paragraphs 3(3), 3(7) and 17(3) and 17(7) of Schedule 7 Ministers of the Crown exercising sections 8(1), 9 and 23(1) to make a Negative SI Explain why the instrument should be subject to the negative procedure and, if applicable, why they disagree with the recommendation(s) of the SLSC/Sifting Committees Appropriate- ness Sub-paragraph (2) of paragraph 28, Schedule 7 Ministers of the Crown exercising sections 8(1), 9 and 23(1) or jointly exercising powers in Schedule 2 A statement that the SI does no more than is appropriate. Good Reasons Sub-paragraph (3) of paragraph 28, Schedule 7 Ministers of the Crown exercising sections 8(1), 9 and 23(1) or jointly exercising powers in Schedule 2 Explain the good reasons for making the instrument and that what is being done is a reasonable course of action. Equalities Sub-paragraphs (4) and (5) of paragraph 28, Schedule 7 Ministers of the Crown exercising sections 8(1), 9 and 23(1) or jointly exercising powers in Schedule 2 Explain what, if any, amendment, repeals or revocations are being made to the Equalities Acts 2006 and 2010 and legislation made under them. State that the Minister has had due regard to the need to eliminate discrimination and other conduct prohibited under the Equality Act 2010. Explanations Sub-paragraph (6) of paragraph 28, Schedule 7 Ministers of the Crown exercising sections 8(1), 9 and 23(1) or jointly exercising powers in Schedule 2 In addition to the statutory obligation the Government has made a political commitment to include these statements alongside all EUWA SIs Explain the instrument, identify the relevant law before exit day, explain the instrument’s effect on retained EU law and give information about the purpose of the instrument, e.g., whether minor or technical changes only are intended to the EU retained law. Criminal offences Sub-paragraphs (3) and (7) of paragraph 28, Schedule 7 Ministers of the Crown exercising sections 8(1), 9, and Set out the ‘good reasons’ for creating a criminal offence, and the penalty attached. DExEU/EM/7-2018.2 7 23(1) or jointly exercising powers in Schedule 2 to create a criminal offence Sub- delegation Paragraph 30, Schedule 7 Ministers of the Crown exercising sections 10(1), 12 and part 1 of Schedule 4 to create a legislative power exercisable not by a Minister of the Crown or a Devolved Authority by Statutory Instrument. State why it is appropriate to create such a sub-delegated power. Urgency Paragraph 34, Schedule 7 Ministers of the Crown using the urgent procedure in paragraphs 4 or 14, Schedule 7. Statement of the reasons for the Minister’s opinion that the SI is urgent. Explanations where amending regulations under 2(2) ECA 1972 Paragraph 13, Schedule 8 Anybody making an SI after exit day under powers outside the European Union (Withdrawal) Act 2018 which modifies subordinate legislation made under s. 2(2) ECA Statement explaining the good reasons for modifying the instrument made under s. 2(2) ECA, identifying the relevant law before exit day, and explaining the instrument’s effect on retained EU law. Scrutiny statement where amending regulations under 2(2) ECA 1972 Paragraph 16, Schedule 8 Anybody making an SI after exit day under powers outside the European Union (Withdrawal) Act 2018 which modifies subordinate legislation made under s. 2(2) ECA Statement setting out: a) the steps which the relevant authority has taken to make the draft instrument published in accordance with paragraph 16(2), Schedule 8 available to each House of Parliament, b) containing information about the relevant authority’s response to— (i) any recommendations made by a committee of either House of Parliament about the published draft instrument, and (ii) any other representations made to the relevant authority about the published draft instrument, and, c) containing any other information that the relevant authority considers appropriate in relation to the scrutiny of the instrument or draft instrument which is to be laid.