The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) (No. 2) Regulations 2019 SI 2019/485 have been made.
They have been made in exercise of the powers conferred by section 8(1) of the European Union (Withdrawal) Act 2018 to address failures of retained EU law to operate effectively and other deficiencies (in particular under section 8(2)(d)) arising from the withdrawal of the UK from the EU.
The Regulations amend the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 (SI 2019/419) to reflect arrangements made for personal data to continue to be transferred from the UK to organisations in the USA participating in the Privacy Shield Framework, where the participating organisation’s privacy policy includes personal data transferred from the UK in its Privacy Shield commitments.
The effect of these Regulations is that transfers of personal data from the UK in reliance on Privacy Shield can only take place after 29 March 2019 in a no deal scenario, if the certified Privacy Shield company has a privacy policy which includes a commitment to comply with the Privacy Shield Principles in relation to personal data transferred from the UK. This aims to maintain consistency with arrangements before the UK’s withdrawal from the EU
An explanatory memorandum has also been published.