« Draconian powers in EU Withdrawal Bill can negate new Data Protection law | Main | Is the definition of “personal data” in new DP Bill correct? »



Feed You can follow this conversation by subscribing to the comment feed for this post.

Regarding Clause 20 and Schedule 6, it is important to note that these “apply” the GDPR only to the extent that it does not have direct effect. So the “applied GDPR” extends the GDPR (as modified by the schedule) to activities covered by UK law but not covered by EU law. Therefore, in EU terminology, it is not the case that “Clause 20(1)…transposes most of the GDPR into UK law”. The GDPR is an EU regulation which has direct effect without need for transposition (in contrast with an EU directive, such as the 1995 Data Protection Directive which the GDPR replaces). But Chapter 3 of Part 2 of the Bill (including Clause 20 and Schedule 6) creates a similar domestic scheme to avoid the need to constantly consider whether EU law is or is not in scope in any particular circumstance. This also ensures that the UK complies with its non-EU international obligations (in particular, Council of Europe “modernised Convention 108”)

In principle, Part 2 Chapter 3 also provides a model for post-Brexit continuation of the GDPR (mutatis mutandis). But in addition to the possibility of the Data Protection Bill itself being amended before being enacted, there is even more uncertainty as to how powers proposed under the European Union (Withdrawal) Bill might be used to make transitional or permanent modifications to the GDPR’s domestic effect (cf the Bill’s explanatory notes https://services.parliament.uk/bills/2017-19/dataprotection/documents.html at paragraph 35).

Of course that does not necessarily mean that the “applied GDPR” modifications are unimportant. And, frankly, I am not sure what circumstances they cover in practice, given that the Bill provides separate special provisions for national security (the most obvious non-EU field). But only in a very loose sense does the Bill modify the effect of the GDPR itself.

The comments to this entry are closed.

All materials on this website are the copyright of Amberhawk Training Limited, except where otherwise stated. If you want to use the information on the blog, all we ask is that you do so in an attributable manner.