Google to shift UK user data to the US post-Brexit

The decision is driven by fears the UK may step out-of-sync with the EU's data protection laws

Google plans to migrate UK user accounts from Ireland to the US following Britain’s withdrawal from the EU. 

The sensitive data of tens of millions of users could be shifted away from Ireland, where it currently resides, according to Reuters. That's believed to be amid concerns from Google that the UK will loosen its data protection laws and fail to agree on a data-sharing agreement with EU, potentially making it difficult to transfer data between Ireland and the UK. 

The migration will involve asking UK users to agree to new terms of service, which includes consent to holding their data under the new jurisdiction. 

The move could mean UK authorities are better able to recover data for criminal investigations, thanks to the CLOUD Act that has made cross-border data transfers much easier. However, it raises concerns as the US has much weaker data protection laws than across the EU. While the Californian Consumer Privacy Act (CCPA), outlines some protections, there is no national federal data protection law with sufficient provisions akin to GDPR or the UK's Data Protection Act 2018.

According to the firm’s former global privacy technology lead, Lea Kissner, Google fears that the UK water will water down its data protection laws enough that it fails to reach an adequacy agreement with the EU. Without that agreement, data sharing will become more complex, and potentially require company by company contracts.  

"There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy,” Kissner told Reuters. "Never discount the desire of tech companies not be caught in between two different governments."

Legal director with UK law firm TLT, Ed Hayes, told IT Pro that it's no surprise Google is looking at ways to move UK user data away from the EU, given that GDPR limits the ways companies can monetise data. "Google’s plans seem to assume the UK will water down its data protection standards once the Brexit transition ends," he said. "But that would contradict UK Regulations passed in 2019 to incorporate GDPR into UK law after transition, and government statements to date about continuing GDPR compliance.

"It could be that Google is betting the UK’s need for a quick US trade deal will see those commitments dropped, and is seeking to boost its bottom line by moving UK users’ personal data under US law," he adds. "However, if Google gets that wrong, and simply changes the location of UK users’ personal data while GDPR-equivalent laws still apply, it’s unlikely to achieve the goal of taking itself outside GDPR – GDPR’s reach is controlled by user location not just by data storage location."

Related Resource

Digital Risk Report 2020

A global view into the impact of digital transformation on risk and security management

Download now

The question of data flow post-Brexit has been the source of much confusion for businesses. During the current transition period, which will expire January 2021, the Information Commissioner’s Office (ICO) has made assurances that data flow between the UK and the EU will continue as normal.

The terms of the UK’s future relationship with the EU will determine whether critical business information can continue to flow seamlessly. The suggestions that a future trade agreement between the UK and the US could weaken data protection laws are partially reinforced by leaked documents released last year. According to preliminary trade discussions, the US is currently lobbying for an agreement to ease international data transfers underlined by a set of common standards, but not to the extent that domestic laws are harmonised.

Featured Resources

Four cyber security essentials that your board of directors wants to know

The insights to help you deliver what they need

Download now

Data: A resource much too valuable to leave unprotected

Protect your data to protect your company

Download now

Improving cyber security for remote working

13 recommendations for security from any location

Download now

Why CEOS should care about the move to SAP S/4HANA

And how they can accelerate business value

Download now

Recommended

Google discloses actively-exploited Windows zero-day vulnerability
hacking

Google discloses actively-exploited Windows zero-day vulnerability

2 Nov 2020
UK data laws after Brexit: Your questions answered
General Data Protection Regulation (GDPR)

UK data laws after Brexit: Your questions answered

30 Oct 2020
Apple reportedly ramps up search engine development
iOS

Apple reportedly ramps up search engine development

29 Oct 2020
CEOs of Facebook, Twitter and Google face Senate hearing
Policy & legislation

CEOs of Facebook, Twitter and Google face Senate hearing

28 Oct 2020

Most Popular

Cisco acquires container security startup Banzai Cloud
Security

Cisco acquires container security startup Banzai Cloud

18 Nov 2020
macOS Big Sur is bricking some older MacBooks
operating systems

macOS Big Sur is bricking some older MacBooks

16 Nov 2020
46 million Animal Jam accounts leaked after comms software breach
Security

46 million Animal Jam accounts leaked after comms software breach

13 Nov 2020