With Brexit official as of January 31, the UK and the EU now have just 10 months to hammer out the policy details of their separation. In the meantime, rules — including those applicable to data privacy — will continue to apply as normal. However, Google isn’t waiting for the end of the transition period to update its terms and conditions as they relate to privacy; the tech giant just announced that, since the United Kingdom is leaving the EU, as of March 31, 2020, Google LLC (Google’s US entity) will become the service provider and the data controller responsible for its UK users’ accounts — in lieu of Google’s European entity.
If you think that this is just a detail for lawyers and data protection specialists, think again! This decision may not result in an immediate, material change to UK users’ privacy, but it will in the near future. Making Google LLC the data controller for UK personal data means that:
- Google’s UK business will be out of the reach of European data protection regulators. Because of the extraterritorial effect of GDPR, Google LLC will still need to comply with these rules as far as the personal data of its UK users is concerned.[i] However, any future decisions or enforcement actions brought to Google Ireland by any of the EU data protection authorities (DPAs) will not affect Google’s business in the UK. Google’s decision comes at time when a number of DPAs are investigating its privacy practices across Europe. This means UK users may or may not see any benefit from these actions, while European users will.
- The case for the UK’s adequacy status just became more complicated. The UK ICO (Information Commissioner’s Office) clarified that GDPR will apply until the transition period is complete and potentially even after that. This is not only about the rules that will apply to personal data in the UK in the future, but it’s also about the future of data transfers from the EU to the UK. In fact, the UK regulatory regime will be a factor in the European Commission’s decision to recognize adequacy status to the UK. However, if other tech giants follow Google’s lead, this is likely because they expect the UK to alter privacy standards in such a way as to benefit them. If this does turn out to be true, the case for UK adequacy becomes certainly more complicated if the EU feels the UK has changed its standards too much. And this will be a headache for all businesses that rely on data transfers from the EU to the UK.
- It will be even easier for the government to access the data of Google UK users. As for any other US-based businesses, Google LLC is subject to laws, such as the 2018 US-UK CLOUD Act, that require US companies to turn over US citizens’ data requested by a US warrant or subpoena — regardless of where it is stored. Via bilateral agreements, the 2018 CLOUD Act also allows foreign governments to ask US cloud providers directly for access to data of their citizens for law enforcement purposes. With Google LLC becoming the data controller for UK users, it makes it even easier for the UK government to legally gain access to citizens’ data under the control of Google LLC.
Companies doing business with Google in the EU and in the UK must analyze these implications carefully. Because of its decision to effectively move UK users away from the protection of European data protection authorities, risk and privacy professionals must reassess their third-party risk plans and update their mitigation measures if necessary. Companies that do not partner with Google directly must also consider how this decision plays out in the broader discussion about EU-UK data transfers. Organizations must:
- Review EU-UK data transfer agreements. If the business community shows that it shares Google’s expectation of a potential change of data protection standards in the UK, an adequacy decision from the European Commission might be less likely. Organizations that transfer data of EU citizens to the UK — using cloud infrastructure in the UK from any provider — must prepare for additional red tape. To ensure these data transfers still happen lawfully, companies must choose among a small set of available options. Standard Contractual Clauses (SCCs) remain one of the best. The other alternative, even if more drastic and cumbersome, would be to avoid the transfer altogether.
- Be ready to fill the gap proactively if UK users feel they are worse off. Let’s forget for a moment about data protection rules and think about the privacy expectations of UK consumers. Our data suggests that UK users are very well aware of their privacy rights and that they would stop engaging with a company if they didn’t like its privacy practices. When we ask them about the values that are important to them when choosing a company to do business with, data privacy and confidentiality top the list. These consumers are likely to take issue with the fact that their personal data is less protected than it has traditionally been. Ensure that your company offers a clear explanation of how it will fill that gap and provide them credible alternatives.
[i] Until the transition period is complete, GDPR will still apply in the UK. In addition, the UK government announced plans to adopt the “UK GDPR.” As the name suggests, this set of rules will be closely aligned to the exiting EU GDPR and will accompany the existing UK’s Data Protection Act 2018. Most likely, the ICO and UK courts alone will be in charge of the enforcement of these rules. See the following blog: No-Deal Brexit: The Privacy Regulatory Landscape Is About To Become More Complex Than Ever