For those who came in late, Google isn’t waiting for the end of the Brexit transition period to update its terms and conditions as they relate to privacy; the tech giant just announced that, since the United Kingdom is leaving the EU, as of March 31, 2020, Google LLC (Google’s US entity) will become the service provider and the data controller responsible for its UK users’ accounts — in lieu of Google’s European entity.
It means that Google LLC is the data controller for UK personal data and that Google’s UK business will be out of the reach of European data protection regulators.
Iannopollo said that because of the extraterritorial effect of GDPR, Google LLC will still need to comply with these rules as far as the personal data of its UK users is concerned. However, any future decisions or enforcement actions brought to Google Ireland by any of the EU data protection authorities (DPAs) will not affect Google’s business in the UK. Google’s decision comes at a time when a number of DPAs are investigating its privacy practices across Europe. This means UK users may or may not see any benefit from these actions, while European users will.
The UK ICO (Information Commissioner’s Office) clarified that GDPR will apply until the transition period is complete and potentially even after that. This is not only about the rules that will apply to personal data in the UK in the future, but it’s also about the future of data transfers from the EU to the UK. In fact, the UK regulatory regime will be a factor in the European Commission’s decision to grant adequacy status to the UK. However, if other tech giants follow Google’s lead, this is likely because they expect the UK to alter privacy standards in such a way as to benefit them. If this does turn out to be true, the case for UK adequacy certainly becomes more complicated if the EU feels the UK has changed its standards too much. And this will be a headache for all businesses that rely on data transfers from the EU to the UK, she said.
Iannopollo says this makes it easier for the government to access the data of Google UK users. As for any other US-based businesses, Google LLC is subject to laws, such as the 2018 US-UK CLOUD Act, that require US companies to turn over US citizens’ data requested by a US warrant or subpoena — regardless of where it is stored. Via bilateral agreements, the 2018 CLOUD Act also allows foreign governments to ask US cloud providers directly for access to data of their citizens for law enforcement purposes. With Google LLC becoming the data controller for UK users, it makes it even easier for the UK government to legally gain access to citizens’ data under the control of Google LLC.
Companies doing business with Google in the EU and in the UK must analyse these implications carefully. Because of its decision to effectively move UK users away from the protection of European data protection authorities, risk and privacy professionals must reassess their third-party risk plans and update their mitigation measures if necessary. Companies that do not partner with Google directly must also consider how this decision plays out in the broader discussion about EU-UK data transfers.
She warned all organisations to review EU-UK data transfer agreements. If the business community shows that it shares Google’s expectation of a potential change of data protection standards in the UK, an adequacy decision from the European Commission might be less likely. Organizations that transfer data of EU citizens to the UK — using cloud infrastructure in the UK from any provider — must prepare for additional red tape. To ensure these data transfers still happen lawfully, companies must choose among a small set of available options. Standard Contractual Clauses (SCCs) remain one of the best. The other alternative, even if more drastic and cumbersome, would be to avoid the transfer altogether.
Businesses must be ready to fill the gap if UK users feel they are worse off.