GDPR entered UK law as the Data Protection Act (2018), which is not far off a cut and paste of the EU legal text with a few local clarifiers. For example, the EU text refers to "independent supervisory bodies" enforcing the rules, whereas the DPA names the Information Commissioner's Office specifically. Amendments to the law to ensure it still works after the transition period have already been made, mostly in the form of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019, which amends certain elements to refer to the UK courts as the arbiter of legal cases rather than EU courts, and various similar items. The crucial part for our purposes is around data transfers to outside the UK.
Under GDPR, data can be transferred to any other country within the EU without needing any additional safeguards. All other countries are referred to as "third countries" and there are 3 legal methods for transferring to them. We will become a 3rd country to the EU and they become 3rd countries to us the day the transition period ends, and our own laws have been adapted accordingly. 2 of the methods involve rules and clauses being built into individual contracts for any data moved, which is a laborious task. The final method works at a nation-to-nation level and so makes the overhead for individual organisations disappear. This method is called an adequacy decision.
An adequacy decision (article 45) means the EU have looked at the data and related laws of a given country and decided that they meet or exceed the standards of GDPR OR they put special legal measures in place for EU data that don't apply to their domestic citizens' data. The current list of countries deemed adequate is here, mostly those that border the EU, have trade deals in place or have put special measures in place, in particular the USA's Privacy Shield framework. The UK has compiled its own list of "adequate" countries for after the transition, as every other country on earth becomes a 3rd country from our POV. That list contains all those already within the EU, the EEA and the EU's list, including the USA if under Privacy Shield. HOWEVER, the EU will NOT automatically recognise the UK as adequate; we will have to go through their process. This takes time, and while our data law is identical to theirs, they have long believed that the Investigatory Powers Act (2016) (aka the Snoopers' Charter) does not sufficiently protect the rights & freedoms of citizens' personal data. While we were a member this was moot, but when we're outside it could count against adequacy. This could result in the UK being free to transfer data to EU countries as we've recognised them, but them unable to do the same to us without contracts and safeguards, at least until adequacy is agreed (if it ever is).
So if you're Google and currently administer UK data from Irish jurisdiction, you could face a huge headache trying to do so post transition, as you'll have to generate huge swathes of clauses and documents any time you change a service for UK users or implement a new one. This could be a large and ongoing cost depending on how long we're not deemed adequate. Your alternative is to bring UK data under US jurisdiction. The UK recognises US adequacy under Privacy Shield in one direction, and given US standards on data protection are MUCH lower than ours, they aren't going to find our laws lacking. So in this case you do a one-off piece of work and the ongoing cost is zero.
This does NOT mean that GDPR/DPA protections will no longer apply to UK data held by Google under US jurisdiction. As the Reuters article states:
So under Privacy Shield, Google (or any other US-based organisation handling UK data this way) would be legally obliged to handle that data in accordance with the DPA or any future new UK data legislation. We'd lose no protections unless the UK parliament passes laws removing them. All Google is doing is moving the administrative burden to a country that is not going to quibble about whether our data laws are robust enough. I don't doubt that the US will try to use our data laws as a bargaining chip on trade, and make no predictions as to whether we alter them in future, but the above is my read on the current situation.
TL;DR - This move doesn't actually have any impact on the rights of Google's UK customers and is a logical move by Google to minimise the impact of Brexit on the administration of their UK data.