The EU Withdrawal Act 2018 will retain the General Data Protection Regulation (GDPR) in domestic law when the UK leaves the EU. The Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 use powers under that Act to correct deficiencies in the GDPR so that it remains operable in a purely domestic context. For example, the Regulations rename the GDPR as the ‘UK GDPR’, repatriate certain powers from the EU Commission to the Secretary of State and replace European terminology with UK equivalents.
Section 17A of the Data Protection Act 2018, as inserted by these Regulations, repatriates power from the EU Commission to the Secretary of State to make adequacy decisions for the purposes of Article 45 of the UK GDPR. Section 17B sets out the requirement for ongoing monitoring of adequate countries and for adequacy decisions to be reviewed at least every four years (maintaining the standards in Article 45 of the GDPR).
The EU Exit provisions of these Regulations have not yet been exercised because they only come into force on Exit Day.