File Received: Google moves the UK’s user data to the US
March 31, 2020
3 min read
What's going on here?
Google recently announced that it will transfer its data relating to British users from Ireland to the US. This includes Google services such as YouTube, Gmail and the Android Play store.
What does this mean?
Google’s headquarters in the US (Google LLC) will now act as the data controller, the person who determines the purposes and means of processing data, for UK users instead of Google Ireland Limited.
Outside of European jurisdiction, Google can limit its exposure to the EU’s decisions. At present, the EU’s flagship data protection legislation, the General Data Protection Regulation (GDPR), requires that the EU grant non-EU nations “data adequacy” to ensure the extra-European data transfer is legal. It is now uncertain as to whether the EU will grant the UK “data adequacy”. If the EU does not grant the UK data adequacy, any movement of data between Ireland and the UK will become illegal.
And this is a very real risk. The European Court of Justice recently signalled that British intelligence surveillance laws are not compatible with EU law. These British laws currently allow MI5, MI6 and GCHQ to carry out “general and indiscriminate retention” of citizens’ personal data.
The risk of illegality is dangerous for any business involved in international data transfers with the EU, none more so that Google. And the price to pay is not insignificant. GDPR increased the maximum fine from half a million pounds to €20 million or 4% of any guilty party’s worldwide turnover (whichever is larger). This has led to some eye-watering fines for companies that Google wants to avoid (to see our article on that, click here).
What's the big picture effect?
Many have decried the loss of British citizens’ data rights as a certain consequence of this move. The move away from European jurisdiction and GDPR takes British data outside of the world’s best data protection laws. By default, users are losing the complete European gold standard of data rights enshrined by GDPR. This means it will be harder for British citizens to hold Google accountable for stewarding their data and it will be more difficult to make Google delete or correct that data at this point in time.
But fearful comments of the large-scale loss of data rights are potentially overblown. The idea that Google is entirely free from GDPR is untrue. In fact, the British government has underlined its commitment to following key elements of GDPR, enshrined in UK law via the Data Protection Act 2018. Furthermore, when the Brexit transition period ends on 31 December 2020, the Data Protection, Privacy and Electronic Communications Regulations 2019 will enact a new British-style GDPR.
At the moment, it is uncertain what will happen to British data protection and international data transfers in the coming years. Brexit means that, with legislative independence, the UK will be able to decide whether it increases or reduces its citizens’ data rights compared to the EU’s standard. It also places a lot of emphasis on the Information Commissioner’s Office (ICO), the UK’s data privacy regulator, as the sole enforcer of the UK’s new data privacy standards. In light of trade negotiations with the EU and the US, British rules could be subject to external pressures and trade-offs. Yet it remains to be seen how the British government approaches data rights and international data transfers.
Report written by Will Holmes
Share this now!
Check out our recent reports!