Google has announced it will move all its data about British users of its services, including Gmail, YouTube and the Android Play store, from Ireland to the US, as it seeks to avoid legal risks after Brexit.
On Thursday, it told users that because the UK "is leaving the European Union, Google LLC [its US headquarters] will now be . . . the data controller responsible for your information".
• Google's newest phone is literally just a piece of paper
• Google's new solution for phone addiction is to seal it in an envelope
• Sonos sues Google for allegedly swiping speaker tech
• 1000 stunning new Google Earth View pictures added to collection
Experts said the Silicon Valley company had probably decided to store data in the US, rather than the UK, to avoid any turbulence in upcoming Brexit negotiations.
If London and Brussels fail to agree a data-sharing deal by December 31, when the post-Brexit transition period ends, it will be illegal to transfer and process data between the UK and the EU.
"My reading is that Google — like many privacy and data protection experts — is sceptical of the UK's ability to retain its 'adequacy' status with the European Union which would allow free flow of data," said Michael Veale, lecturer in digital rights and regulation at University College London Faculty of Laws.
"Google would be exposed to considerable risk of illegality in relation to data transfers between Ireland and the UK, as it would have to find another way to legalise the processing — and these ways are fast disappearing."
While the UK has implemented the EU's General Data Protection Regulation (GDPR) into domestic law, Brussels may have concerns over the UK's highly contentious and intrusive spying regime, which renders its citizens' fundamental data protection rights far weaker than those in the EU, according to legal experts.
Since the EU rules forbid the sharing of personal data with countries that do not meet its strict data privacy standards, Britain could now struggle to convince the EU that corporates should be allowed to move their users' personal data between the two regions — raising substantial risks for multinationals dealing with huge amounts of personal data such as Google, Facebook and others.
These groups will be looking at the precedent of the US, which has repeatedly come up against such rules. In 2016, officials on both sides of the Atlantic had to put in place a new deal on data transfers after a previous one — itself a result of laborious negotiation — was struck down by the European courts.
The new deal, known as Privacy Shield, was essential to provide a legal means for businesses to transfer personal data online — whether payslips, pictures or healthcare data — from the EU to the US, without falling foul of Europe's privacy regulations.
Google said UK data held in the US would still be treated according to UK regulations. "The protections of the UK GDPR will still apply to these users."
Facebook declined to comment on whether it was considering a similar move.
The European Court of Justice has already signalled strongly that British intelligence's surveillance law, the Investigatory Powers Act, is illegal. In January this year, the Advocates General of the ECJ said that MI5, MI6 and GCHQ conducted "general and indiscriminate retention" of citizens' personal data that was incompatible with European law. The non-binding opinion will be considered by the ECJ within the next six months.
Mr Veale also said by remaining in Ireland, Google risks double-jeopardy for fines and other sanctions for any data protection cases affecting those in the UK, as it would be a breach of both EU law, where the data is processed, and UK law, where a user resides.
"It's a perfectly sensible move from Google, it doesn't want these legal risks," he said.
Written by: Madhumita Murgia,
© Financial Times 2020