The UK will remain subject to Union law until at least 31 December 2020 (which marks the expiry of the Transition Period), given that it has the option to extend Transition once. GDPR and the ePrivacy Directive will continue to apply during Transition.
Decisions of the European Court of Justice (ECJ) will continue to bind the UK and questions of interpretation of Union data protection law will continue to be decided by the ECJ during Transition. UK courts will have to continue interpreting GDPR (and other Union laws) in line with wider Union law principles.
International data transfers will remain unaffected during Transition as the UK will continue to be treated as a Member State during that time. Whilst the ICO will continue to be treated as a Supervisory Authority, it will not be allowed to participate in decision-making or governance. Its role will therefore be much reduced, to that of observer.
Insofar as data originating within the Union during the Transition Period is concerned, any processing taking place in the UK after the end of Transition will still be covered by GDPR (thus maintaining the rights of individuals within the EU), but this will fall away if the UK secures an “adequacy” decision.
In addition to the Withdrawal Agreement, the UK and the EU has issued a non-binding joint declaration, designed to set out a framework for future cooperation. It is clear from that document and the subsequently leaked strategy memorandum that the European Commission is willing to assess the UK for “adequacy”, with a view to the UK obtaining a decision before the end of Transition, or shortly thereafter. The ability of the UK to secure that decision will be crucial to the free flow of data between the UK and the EU after Transition.
If the Withdrawal Agreement is not approved by Parliament (and indeed by the EU Member States), then there is a real risk that the UK will leave the Union in March 2019 without any “adequacy” decision and would be treated as a “third country” for the purposes of international transfers of personal data. In that scenario, businesses would need to ensure that standard contractual clauses or other similar mechanisms (such as Binding Corporate Rules) were in place. However, if a deal can be reached, then regulatory certainty will be maintained for at least the next two years.
From the Crown Dependencies’ perspective, we already have “adequacy” decisions and so any transfers between our islands and the EU (and indeed from the UK to our respective islands) will be unaffected. Indeed, with our new laws being modelled on GDPR, we are in a good position to weather any Brexit storm. The issue surrounds transfers from Guernsey, Jersey and the Isle of Man to the UK, since its status as a Member State will cease in the (possibly near) future.
Both Jersey and the Isle of Man would likely have to treat the UK as a “third country”, utilising standard contractual clauses or similar mechanisms to ensure the lawfulness of the transfers. Fortunately, in drafting the Data Protection (Bailiwick of Guernsey) Law, 2017, the drafting team took account of Brexit looming and ensured that the UK is (and will be) treated as an “equivalent” jurisdiction, even after Brexit, so these mechanisms would not be required for Guernsey-UK transfers. Only if the European Commission was to find that the UK was not suitable for international transfers, or if Guernsey’s acceptance of the UK’s regime affected its “adequacy” status would we need to review our stance in relation to international transfers to the UK.