Last month the UK finally went through with Brexit which placed the country in a transition period set to expire on 31st December 2020. During the transition period, the UK and EU will renegotiate their relationship and companies will have a chance to take appropriate action to ensure they are ready to be excluded from the EU.
While there are still 10 months left, Google has decided to jump the gun and take appropriate action. Thanks to Brexit, the company has decided to move the data of UK Google users from EU to US which will exclude them from GDPR. The General Data Protection Regulation (GDPR) is a data and privacy protection act implemented in 2018. The act protects the misuse or sharing of user data by the private entities and allows users to request and delete their personal information from a company’s server.
Google currently has headquarters in Ireland who is staying in the EU making it a safe place for user data storage as it’s protected by GDPR. However, Google’s decision to move to the US will leave UK Google users vulnerable. The US also has passed the CLOUD Act which will allow the British government to subpoena Google to recover user data to assist with an investigation.
Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protections of the UK GDPR will still apply to these users.
Google is assumed to have taken the decision because it’s not clear if Britain will adopt GDPR after the transition period or will introduce their own set of privacy laws. Google’s former lead for global privacy, Lea Kissner said she would have been surprised if Google had decided to keep the data in Ireland with the UK no longer being a member.
There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy. Never discount the desire of tech companies not be caught in between two different governments.
– Lea Kissner
This is because Ireland will follow GDPR which means the British government can’t ask Google to share data. However, the story changes when the data is moved to the US as the US has one of the weakest privacy laws when compared to other developed countries.
Moving people’s personal information to the USA makes it easier for mass surveillance programmes to access it. There is nearly no privacy protection for non-US citizens.
Google’s decision should worry everyone who thinks tech companies are too powerful and know too much about us. The UK must commit to European data protection standards or we are likely to see our rights being swiftly undermined by ‘anything goes’ US privacy practices.
– Jim Killock, Executive Director, Open Rights Group
Google will be sending users a new Terms of Service agreement once the data migration is done. Moreover, Britain needs to act swiftly and adopt GDPR or propose a similar bill to protect user privacy. If neither is done then the UK will need extensive data-sharing agreements to protect user privacy and ensure the data is handled properly. In the coming months, we will be seeing other companies make similar decisions to prepare for the end of the transition period.