Currently, as part of the EU, the UK is governed by the regime of the European Data Protection Supervisor (EDPS). Our laws relating to the transfer of data are compliant with the rules and regulations laid down by this regime. Data protection in the UK is overseen by the Information Commissioner’s Office (ICO).
The ICO defines its role as: “The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.” It is highly regarded for striking the right balance between the rights of the individual, the need for private and public bodies to transfer information about individuals, and the needs of the state to regulate the whole ball game and keep abuses to a minimum, protecting privacy whilst regulating how state organs monitor us.
The ICO works on a daily basis with its EU counterpart.
The implications of the UK's exit from the EU are potentially far-reaching, as the EDPS sets the safety standards for data transfer and, provided countries (inside or outside the UK) comply, data can be transferred.
What provisions will be negotiated and agreed between the UK and the EU on data safeguards will be interesting to see. The ramifications are profound. Many UK companies maintain servers in EU member states, and vice versa. Many of us purchase goods from countries in the EU online without so much as a second thought. All of this involves data transfer.
Having raised the question, I cannot supply any answers. Many will argue that UK ICO regulations are compliant and will be EU compliant at the time of exit, whilst others take the view that the ICO would need to satisfy the EDPS anew that all requirements are being met.
Whether or not the UK leaves the EU, it would seem that the UK must comply with EDPS governing regulations, such as those that state that a transfer is necessary for the legitimate performance of the public tasks involved.