As published on infosecurity-magazine.com, Friday February 21, 2020.
Google is unlikely to be moving UK users’ data to the US because of Brexit-related uncertainty and GDPR privacy rights will continue to be protected after any such move, according to a leading data protection lawyer.
Reports this week claimed that the tech giant is looking to move user accounts to US datacenters following Brexit, because it’s unclear whether UK law will be aligned with the EU’s GDPR after the transition period ends this year, a status known as “adequacy.”
In such circumstances, it would be more difficult for UK law enforcers to request access to user data for criminal investigations if it were still stored in Google’s Irish datacenter, it was claimed.
However, the UK has already enshrined GDPR into its own law (Data Protection Act 2018) and intends to recognize the EU’s data protection system as adequate, even in a no-deal scenario, because it believes free data flows to the continent are vital to economic growth.
This means that “Brexit should not affect UK to EEA data flows,” according to Toni Vitale, partner and head of data protection at JMW Solicitors.
He told Infosecurity that a move across the Atlantic would not affect Google UK users’ privacy rights or the ability of the British authorities to access such data.
“The rationale for the move is unlikely to have anything to do with Brexit, the EU GDPR or uncertainty of what will happen with UK data protection laws,” Vitale argued.
“The current position is that adequacy is likely and desirable and indeed possible by December 2020. However, it is unlikely this is the reason to move the Ireland datacenter. The EU GDPR and the UK version in the Data Protection Act 2018 will apply to Google wherever it cites its datacenter. UK law enforcers will still be able to take action against Google — but this is the same position as today, moving the datacenters does not affect this.”
Google itself has released a statement confirming this.
“Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information,” it noted. “The protections of the UK GDPR will still apply to these users.”
However, there are still concerns that, once located in the US, data on UK users could be subject to the country’s mass surveillance apparatus.
“Moving people's personal information to the USA makes it easier for mass surveillance programs to access it. There is nearly no privacy protection for non-US citizens,” argued Open Rights Group executive director, Jim Killock.
“We have no reason to trust a Donald Trump government with information about UK citizens. The possibilities for abuse are enormous, from US immigration programs through to attempts to politically and racially profile people for alleged extremist links.”
Vitale speculated that Google’s move may be motivated more by a desire to consolidate user data across multiple services under a single US-based data controller.
“Recent tax changes in the US made it more attractive to onshore jobs to the US so this may also be part of the reason,” he added.