Last week, Google announced plans to move UK user data out of Irish jurisdiction and place it under control of US regulators. The announcement was somewhat buried in an email sent to Google’s UK users informing them of the company's updated terms of service. But what are the long-term implications of such a move—and what does it mean for the rights of UK residents in post-Brexit Britain?
There can be no doubt that Brexit is responsible for Google’s decision. Google’s statement informs British users they will be served by the US-based Google LLC instead of Google Ireland. According to the Guardian, it is understood that Google decided to move its British users out of Irish jurisdiction because it is still unclear whether Britain will continue to follow the General Data Protection Regulation (GDPR), a 2018 EU law that regulates the use of personal information and provides some of the strongest privacy protections in the world. Now the UK is out of the EU, it could choose to adopt other rules.
Google has sought to quell people’s fears over their decision. A spokesman told TechCrunch: “Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protections of the UK GDPR will still apply to these users.”
Attempts to quell fears
And yet with public trust in tech companies already low, it’s been met with caution—Reuters reported that the shift "will leave sensitive personal information of tens of millions with less protection and within easier reach of British law enforcement."
GDPR is designed to protect the privacy and information of citizens and importantly, give users more control over how their data is collected. A key area of concern is the future of GDPR in the UK after Brexit. Britain has been in a transition period since it formally left the EU and will remain in it until at least 31 December 2020. This means that existing GDPR protections will also remain in force until then, even if users’ data is moved to the US, according to Laura Lazaro Cabrera, legal officer at the charity Privacy International. “This is because GDPR applies to companies based outside the EU when they provide services to EU-based users, and the UK will continue to be treated as an EU member state during the transition period for GDPR purposes,” she says.
“Google cannot shift responsibility for users to its US entity merely by changing the terms of use—if in practice Google Ireland is exercising data controller activities, GDPR will continue to apply, regardless of what users are told.”
Laxer regulation in the US
That Google is handing over jurisdiction to the US, rather than a country with stronger privacy laws, is perhaps the most worrying issue. The US has no federal privacy law and the corresponding state laws are significantly weaker than in the UK or EU. (The California Consumer Privacy Act, the first and only law in the US to address consumer data, came into effect this year—but critics believe it is simply not robust or far-reaching enough.)
If and when GDPR protections are substituted by a US regulatory framework, says Cabrera, the reality is that users will lose out: “There is no comprehensive, nationwide US privacy legislation, or a plenary data protection regulator. US privacy protection standards are derived from a patchwork of laws and are substantially lower than those in Europe, providing limited rights for users to access, rectify or erase data held by US companies—rights which are well-established in the EU.”
Because there is no cast-iron guarantee that the UK government will continue to uphold GDPR after the transition period ends, it is possible other companies might follow Google’s lead on transferring control of data. To determine how likely that is, we should consider tech companies’ previous behaviour around privacy issues, says Cabrera. She notes: “GDPR provides robust protections and guarantees to data subjects. The other side of the coin is that it imposes significant restrictions on companies’ use of people’s data, giving them a strong incentive to avoid its application—and history tells us that they will seize the opportunity to do so.”
“In 2018, Facebook pre-emptively moved responsibility for 1.5 billion non-EU users from Ireland to the US before these users and their data were caught by GDPR, despite previously stating that it intended to apply the ‘spirit’ of the legislation. LinkedIn did the same.” (Facebook responded to the news at the time saying “We apply the same privacy protections everywhere, regardless of whether your agreement is with Facebook Inc or Facebook Ireland,” while LinkedIn commented “We’ve simply streamlined the contract location to ensure all members understand the LinkedIn entity responsible for their personal data.”)
Being proactive
It's a confusing time for citizens as the uncertainties Brexit has created around data privacy may not be fully resolved for some time. But users should be reassured that, at present, the level of protection afforded to them has not changed. Anyone who is worried about data breaches should raise concerns with the organisation they believe is mishandling their data, says Cabrera. “Users must ensure that the request is sent to the correct department, include all relevant information and set a deadline for reply. If their concerns remain unresolved, users should not hesitate to approach the Information Commissioner’s Office (ICO),” she adds.
Our privacy laws may not be perfect but they have had some success in holding big tech firms to account: Facebook was fined £500,000 by the ICO for its role in the Cambridge Analytica data breach in 2018, and Google was fined €50 million by the ICO’s French counterpart in 2019 for lack of transparency concerning ads personalisation. These cases demonstrate why Britons are unlikely to give up their hard-won digital privacy rights without a fight.
