Maren Winter - stock.adobe.com
Google is scheming to get around the European Union’s (EU) General Data Protection Regulation (GDPR) by moving British user accounts beyond European control and into the US’s legal jurisdiction after Brexit, according to reports.
The changes, first revealed to news agency Reuters by people familiar with the plans, will see Google pull UK data out of Ireland – where it currently holds this information – and will force users in the UK to acknowledge a new set of terms of service.
The sources claimed Google had taken this decision as a direct result of Brexit, which has left it unclear as to whether the UK will maintain its commitment to GDPR or adopt its own divergent rules.
However, a Google spokesperson said: “Like many companies, we have to prepare for Brexit. Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protections of the UK GDPR will still apply to these users.”
The shift in policy has nevertheless attracted anger because by moving data into the US, where data privacy protections are far more limited in their scope, Google will put sensitive data pertaining to its users within easy reach of the US government and law enforcement agencies.
Thanks to provisions in the recent Clarifying Lawful Overseas Use of Data Act (Cloud Act), which are expected to make it easier for the British authorities to obtain data from US tech companies, the implication is that UK law enforcement will also be able to access user data much more freely.
“Moving people’s personal information to the US makes it easier for mass surveillance programmes to access it. There is nearly no privacy protection for non-US citizens,” said Open Rights Group executive director Jim Killock.
“We have no reason to trust a Donald Trump government with information about UK citizens. The possibilities for abuse are enormous, from US immigration programmes through to attempts to politically and racially profile people for alleged extremist links,” he added.
Jim Killock, Open Rights Group
“Data protection rights will also become more fragile and are likely to be attacked in trade agreements pushing ‘data flows’. Google’s decision should worry everyone who thinks tech companies are too powerful and know too much about us,” said Killock. “The UK must commit to European data protection standards, or we are likely to see our rights being swiftly undermined by ‘anything goes’ US privacy practices.”
Tom Chivers, digital privacy advocate at ProPrivacy, described the move as a glimpse of a “thoroughly depressing future” for UK data protection.
“Though the move won’t come as a surprise – after all, Google will always look after its own interests first, and will only offer consumers the data protection it is legally required to, allowing it to take advantage of the UK’s now weakened stance on data protection after Brexit,” said Chivers.
“Wherever the data is held, it is subject to the data laws of that jurisdiction. US privacy protections are far weaker than those afforded to the EU, meaning Google is likely just the first of the big tech giants to move UK consumer data stateside. Once based in the US, it is out from under the close watch of GDPR legislation. This means we could well be about to see UK GDPR protections used as a bargaining chip when it comes to negotiating a trade deal with the US,” he said.
According to Reuters, Lea Kissner, a former head of global privacy at Google and now chief privacy officer at HR tech firm Humu, said she would have been surprised had Google chosen to leave UK user data subject to EU laws.
Kissner described a situation where the UK government diverged in its approach to data protection in such a way that Britain loses adequacy under GDPR, which she said would create a “super messy” situation for Google.
Seth Wallis-Jones, principle analyst at Omdia, said: “The UK is currently under transitional arrangements with the EU so will still be covered by GDPR until the end of the year. The current UK Data Protection Act of 2018 reflects and relies on the EU policy, though it was drafted in the context of Brexit. That legislation contains many restrictions on the transfer of data to a third country, such as that it ‘ensures an adequate level of protection of personal data’.
“Boris Johnson has stated that the UK will pursue its own independent data protection policy – it would be surprising if that did not push for restrictions on where that data can be stored,” said Wallis-Jones. “However, the government has many major legislative tasks and negotiations ahead, and as highlighted by the Information Commissioner’s Office (ICO) just a few weeks ago, there is no clarity on what the data protection landscape will look like at the end of the transition period.”
News of Google’s plans emerged on the same day that the European Commission (EC) lifted the wraps on its digital strategy to strengthen Europe’s data economy and reduce the reliance of EU member states on services and products developed by US tech giants such as Facebook and Google.
The EC hopes that the so-called “single data market” will help European tech firms compete on a level playing field against American and Chinese tech giants and end the stranglehold that Silicon Valley has on the data of EU citizens.
Read more about the General Data Protection Regulation
- Fines totalling €114m have already been collected under GDPR, and this figure will spike in 2020 if the UK regulator succeeds in imposing record fines on BA and Marriott.
- Norwegian Consumer Council files complaints about LGBTQ+ social networking app, alleging it is in breach of GDPR.
- Security consultants claim their software platform will address a pressing need for an effective and efficient means of complying with GDPR.