Labour condemns Google data plans

Shadow digital minister Chi Onwurah has called on the government to step in and halt Google’s plans to move data on its UK users from Ireland to the US, at least until the implications for British citizens become clearer.

Onwurah said the migration plan raised significant concerns for UK citizen data rights after Brexit and showed how little control Britons have over their personal data.

“Google collects a staggering amount of data on the lives of millions of people across the UK,” said Onwurah, who has represented Newcastle-upon-Tyne Central at Westminster since the 2010 election. “With this announcement, Google will be moving swathes of private information out of the UK without, apparently, consulting British people or their representatives.

“This raises so many questions that need answering by Google and the government. Why is our data being moved? Is it for the benefit of Google or British people? What advantage is it to British Google users to have their data thousands of miles away in the US, rather than here in Europe? What are the longer-term implications as EU data laws evolve?”

Onwurah added: “UK businesses and consumers are in the dark over the implications and motives for this and are left questioning whether Google will only be the first of many to make the move in the light of upcoming US trade talks. Google claims that people can refuse to accept the new terms and conditions, but given that Google has an effective monopoly in so many services, what real choice is there?

“To make such a move without consultation or any effective accountability sounds a long way from taking back digital control.”

A spokesperson for the Department for Digital, Culture, Media and Sport (DCMS) said: “We are committed to high data protection standards. Any online service provider dealing with UK users’ personal data must comply with data protection legislation in the UK, which is enforced by the Information Commissioner’s Office [ICO].”

Google first moved UK data into Ireland into 2018 in order to streamline its own compliance with the EU’s General Data Protection Regulation (GDPR), but it is important to note that the concerns being raised do not really centre on the GDPR, but rather on the potential for the misuse and abuse of the data.

This is because the UK has signed up to the GDPR – and the 2018 Data Protection Act derives from it – so it follows that any data held outside the EU on UK citizens must legally be treated as subject to the GDPR, just as if it remained in the EU.

But it is still unclear whether the GDPR will continue to be applied in the same way in the UK after the transition period expires at the end of 2020.

Both the government and the ICO have long maintained that the GDPR will be fully incorporated into British law when the transition period ends.

However, much still depends on whether the EU can be satisfied that the UK has now, and will maintain, an adequate level of data protection after Brexit, hence the decision to put UK data under the control of Google LLC in the US, rather than Google Ireland Ltd.

Toni Vitale, partner and head of data protection at JMW Solicitors, said: “Both the UK and the EU hope to complete the adequacy decision process within the Brexit transition period. 

“Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines – up to €20m or 4% of annual global turnover, whichever is greater.

“Organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached, but moving their data to another jurisdiction is not necessary and may be too drastic an option.”

Vitale added: “The UK wants the free and unhindered flow of data between the EU and the UK to continue, as it believes it is crucial for the economy.

“Although an adequacy decision would enable this, the UK has argued that the adequacy approach ‘would not reflect the breadth and depth of the UK-EU relationship’. One option previously considered is something more bespoke than adequacy.

“This bilateral treaty would encompass mutual recognition of data protection standards and would have status in international law. The UK intends to recognise the EU’s data protection system as adequate, even in a no-deal scenario, which means that Brexit should not affect UK to EEA data flows.”

Richard Searle, senior security architect at Fortanix, said there were steps businesses that use Google in their IT can take to further enhance the security of their data.

“There are ways that public cloud customers can take back control of their data by encrypting it and managing their keys externally,” he said. “For example, Google has pioneered the use of external key management, which was announced in November 2019 with PayPal at the Google Next Conference, allowing users of enabled services to retain control of data encryption keys outside the key vault offered by the Google Cloud Platform.

“In this way, wherever the data resides within Google, the data owner can ensure it is protected and inaccessible to anyone without authorisation.”

Searle added: “This support for off-platform key management should become the default position for public cloud services. Once data is pushed to the cloud, if it is not adequately protected by security that is controlled by the owner, it must be regarded as inherently insecure.”

Google said the new terms will come into effect on 31 March 2020, and stressed that users who do not want their data to be transferred have the option to cease using its services altogether.