So the protections of the GDPR are unlikely to disappear from UK law any time soon, and Google will be required to comply with its substantive provisions.
Claims that Google will be able to use UK citizens’ data completely free from GDPR requirements are, for now at least, overblown and hyperbolic.
However, the UK will be able to amend data protection rules set out under the UK GDPR, as it can with any other national legislation.
In theory, this will include the ability to establish lower data protection standards than are currently demanded by the EU, including those related to international data transfers.
The EU GDPR currently bans data transfers to non-EU countries that do not provide adequate levels of data protection.
Although the US and the EU do have a data transfer agreement, it is being challenged by privacy and data protection interest groups who think US data protection law isn’t strong enough.
In particular, they are worried that transferred data could be caught up in the US government’s mass surveillance initiatives.
Another practical change is that enforcing data protection law in the UK will be entirely up to the ICO.
And it is perhaps doubtful that this regulator will be as effective as the might of European data protection authorities, backed by the European Court of Justice.
Will other firms follow suit?
Tech firms often view data protection law as a bureaucratic hindrance to their business models. For these sorts of companies, the fewer rules and conditions attached to the processing of their users’ data, the better.
If Google moves UK user data from Ireland to the US then, for the reasons explained above, the data could eventually be subject to lower standards and levels of enforcement.
This means there is an obvious and clear incentive for Google to make this shift. In many ways it would be foolish for them not to. And it is probably only a matter of time before we see other tech firms doing the same.
However, it all depends on what the UK actually does after the Brexit transition period. The government may set lower data protection standards, perhaps as a condition of a potential trade deal with the US.
But if the standards fall below what the EU deems adequate then it could ban data transfers to the UK, which would be hugely disruptive for many companies with operations in the UK.
On the other hand, there is nothing to stop the UK from adopting higher standards than those of the EU. Given the lack of political interest in matters of data protection, this is perhaps unlikely.
At this point, it is too early to say what is likely to happen in the long term. We simply have to wait and see.
But for now, the protections established by the GDPR will play a significant role. Google won’t just be able to do whatever it likes with your data.