Trying to walk through what I think may happen on the 29th of March 2019 in terms of data specific to citizens.

If we use the Pistonheads forum as an example:

Today, if a person in France wishes to advertise their car for sale in the UK they can navigate to the Pistonheads site, where they will enter their details, create an account and then advertise their car.

Come April 1st 2019 whether or not this can continue depends on a number of factors:

1. Where, physically, is Pistonheads hosted? If it's in the EU then everything is fine, and continues as normal
2. But if it's hosted in the UK it's now illegal to store and process the personally identifiable information from the French citizen - name, email address, telephone number, physical address etc
3. Unless Pistonheads has established Binding Corporate Rules, agreed with the EU DPA's, that cover it's use of EU citizen data, from the stroke of midnight on the 29th of March

Now- we currently are members of the EU and are covered by the same rules for data protection, therefore UK companies use BCR's when sending data to the US, alongside the redress mechanisms available to EU citizens via Privacy Shield.

What I'm unsure of is whether BCR's will be enough/ok on their own given the UK's Investigatory Powers act - which is only legal currently due to an EU states National Security exemptions, at the point at which we leave we lose that, and any chance of being granted equivalency, as bulk, indiscriminate surveillance cannot be made legal (for a third country) under EU rules.

So - does our indiscriminate surveillance invalidate a BCR, in the absence of a mechanism of redress such as Privacy Shield?

Or will a BCR be possible despite the surveillance regime?