It was recently reported that Google was planning to move the personal data of its UK users out of the EU and into the US. Several outlets reporting on this story have suggested that this would mean that, as Britain has left the EU, the data would no longer be covered by the EU’s world-leading data protection law, the GDPR.
If this were the case, it would make it much harder to access personal data Google holds on you or to work out how, why and for what purposes the data was being used. It would also make it more difficult to make Google correct or delete that data and Google would be able to process your data free from the conditions currently imposed by the GDPR. But this representation of the situation is misleading.
The key message of the UK government has always been that the substance of the GDPR, if not the GDPR itself, will continue to apply in the UK after Brexit. In fact, the main tenets of the GDPR have already been enshrined into UK law with the Data Protection Act 2018.
This legislation will continue to be enforced in its current form by the UK’s data regulator, the Information Commissioner’s Office (ICO), until the end of the Brexit transition period on Dec 31 2020. To all intents and purposes, the UK will still be treated as if it were a part of the EU until this time. That means data processing activities involving UK citizens will still be subject to EU regulatory and judicial bodies (such as the European Court of Justice).
After the transition period elapses, the Data Protection, Privacy, and Electronic Communications Regulations 2019 will come into force and introduce a new “UK GDPR”, which will replicate the majority of the EU GDPR’s substantive features.
So the protections of the GDPR are unlikely to disappear from UK law any time soon, and Google will be required to comply with its substantive provisions. Claims that Google will be able to use UK citizens’ data completely free from GDPR requirements are, for now at least, overblown and hyperbolic.
However, the UK will be able to amend data protection rules set out under the UK GDPR, as it can with any other national legislation. In theory, this will include the ability to establish lower data protection standards than are currently demanded by the EU, including those related to international data transfers.
The EU GDPR currently bans data transfers to non-EU countries that do not provide adequate levels of data protection. Although the US and the EU do have a data transfer agreement, it is being challenged by privacy and data protection interest groups who think US data protection law isn’t strong enough. In particular, they are worried that transferred data could be caught up in the US government’s mass surveillance initiatives.
Another practical change is that enforcing data protection law in the UK will be entirely up to the ICO. And it is perhaps doubtful that this regulator will be as effective as the might of European data protection authorities, backed by the European Court of Justice.
Will other firms follow suit?
Tech firms often view data protection law as a bureaucratic hindrance to their business models. For these sorts of companies, the fewer rules and conditions attached to the processing of their users’ data, the better. If Google moves UK user data from Ireland to the US then, for the reasons explained above, the data could eventually be subject to lower standards and levels of enforcement.
This means there is an obvious and clear incentive for Google to make this shift. In many ways it would be foolish for them not to. And it is probably only a matter of time before we see other tech firms doing the same.
However, it all depends on what the UK actually does after the Brexit transition period. The government may set lower data protection standards, perhaps as a condition of a potential trade deal with the US. But if the standards fall below what the EU deems adequate then it could ban data transfers to the UK, which would be hugely disruptive for many companies with operations in the UK.
On the other hand, there is nothing to stop the UK from adopting higher standards than those of the EU. Given the lack of political interest in matters of data protection, this is perhaps unlikely.
At this point, it is too early to say what is likely to happen in the long term. We simply have to wait and see. But for now, the protections established by the GDPR will play a significant role. Google won’t just be able to do whatever it likes with your data.


Meta Seeks Legal Shield From Child-Harm Lawsuits Amid KOSA Talks
Foxconn Q2 Revenue Surges Nearly 40% on Strong AI Server Demand
Trump Threatens ABC News Lawsuit Over Lincoln Memorial Reflecting Pool Coverage
Switch Seeks $2 Billion Funding at Nearly $50 Billion Valuation Ahead of Potential IPO
Trump Orders DOJ Investigation Into Exxon, Chevron Over High Gas Prices
Brazil Supreme Court Convicts Eduardo Bolsonaro Over U.S. Lobbying Efforts
Super Micro Employees Detained in Taiwan AI Server Export Investigation
Pedro Sanchez’s Wife Ordered to Stand Trial in Spain Corruption Case
China 618 Smartphone Sales Drop 13% as Higher Prices Hurt Demand, Huawei Gains Market Share
LG Energy Solution Q2 Profit Plunges 77% Despite Revenue Growth on Weak EV Demand
ICC Judges Sue Trump Administration Over Sanctions, Calling Measures Unlawful
DOJ Seeks Dismissal of Fraud Charges Against Gautam Adani in U.S. Court
South Korea Alleges Google Abused Android App Store Dominance, Eyes Major Fine
Apple Expands iPhone Lineup, Boosts Foldable iPhone Production Plans Through 2027
US Appeals Court Limits ICE Detention Without Bond Hearings After 90 Days
Samsung Q2 Profit Seen Soaring as AI Memory Demand Keeps Chip Prices Elevated 



