While Brexit could have a significant impact on companies in the UK, it is unlikely to have a noticeable impact on data protection in Jersey. Like other Crown Dependencies, Jersey has always been outside the EU and has its own data protection law that will remain in effect. Brexit will not change any of the rights of individual or obligations of companies or public authorities under the Data Protection (Jersey) Law 2018. It will have no effect on how the Jersey Office of the Information Commissioner will administer the Law.
The risk of a ‘No-Deal’ Brexit is that the UK will become a third country for the purposes of GDPR without adequacy. This means that European Companies will not be able to transfer data to the UK without Corporate Binding Rules or Standard Contractual Clauses covering data protection. This will not be an issue for companies in Jersey. To preserve the interests of Jersey companies, Jersey has amended the Law to permit them to transfer personal data freely to the UK until the end of December 2020. Jersey hopes that, during this period, the European Commission will be able to complete an adequacy assessment of the UK. In addition, European companies will be able to continue to transfer personal data to Jersey pending the outcome of an adequacy review of Jersey by the European Commission.
Once the UK is outside of the EU, UK companies that target EU customers or monitor their behaviour will have to nominate a representative in the EU. Jersey companies performing these functions already have this obligation regardless of the outcome of Brexit.