Google’s recently announced that – due to Brexit – it’s changing data controller for UK users from Google Ireland to Google USA. This has led to some alarmist reporting. What’s the real impact on you?
If you use Google (rhetorical, I know), you’ll have received a message from Google like this one:
What’s the TL;DR?
In practice, little to worry about and little you’d do about it anyway. Individuals are still covered by GDPR this year and by UK GDPR after that, not US laws.
Why’s Google USA becoming my data controller?
Google states that the trigger for this move is Brexit. As the UK is leaving the EEA, although it will adopt the GDPR as the ‘UK GDPR’ at the end of 2020 (the current transition period), over time the UK law may differ. How best to handle that?
In summary, GDPR applies to you if you’re established in the EEA (like Google Ireland, but now not Google UK) or if you are outside the EEA but target or monitor individuals in the EEA. That second test has caught Google LLC before, making it subject to GDPR fines (probably a minor concern) and investigation (probably the major concern given their relationship with European authorities). So Google LLC made a point of empowering Google Ireland as the data controller of EEA personal data, so ring-fencing Google LLC from GDPR to a large degree.
We imagine the thought process for this latest move went something like this:
why saddle Google Ireland with complying with the EU GDPR and the UK GDPR, let’s keep Google Ireland’s processes ‘simple’ and focussed on ‘just’ complying with EU GDPR.
Google USA is already dealing with the California Consumer Privacy Act (CCPA) which is a GDPR-ish law, and facing more new, ‘similar but different’ laws from Washington and other states. The UK GDPR can be treated as just one more regional variation.
the UK is our friend, yes? Much more than the EU for sure, so we may get better treatment from UK authorities than EU ones, plus the USA may be getting a trade agreement with the UK soon which can scoop up data protection and perhaps some aspect of big tech protection.
So it’s a trick to escape GDPR and we’re going to have no protection under US law?
No. Google have made clear that English law will apply if you’re in the UK, and the EU GDPR is English law until the end of 2020 when the UK GDPR will take over. So the GDPR, in one form or another, will continue to protect your data (unless and until the UK waters down the UK GDPR, which is very unlikely in our view).
As Google’s FAQs stress:
Big change on fines though, yes?
Some have noted enforcement will shift (for UK data subjects) from the Irish data protection authority (the DPC) to the UK one (the ICO) and suggested the ICO is not as strict. BA probably doesn’t agree! But fines aren’t the main reason for compliance: even the €50m fine on Google LLC by the French DPA (CNIL) is nothing to Google, and UK GDPR keeps the same fine size and structure as GDPR.
The main enforcer for GDPR/UK GDPR isn’t the regulator – it’s the customer, the investor, the auditor driving internal compliance practices. Google’s fought hard to get its privacy practices on a par with its competitors and acceptable to large customers. With corporates under pressure with GDPR (and soon UK GDPR) compliance, they’re reviewing supplier processes and contracts more and more.
Can they just export my data outside Europe like that?
GDPR requires its protections to travel with data if it’s exported (or ‘transferred’) outside Europe. For transfers to the USA, there’s the Privacy Shield structure, which was put in place to allow for transfers from the EEA to organisations in the USA that have essentially signed up to EEA oversight and EEA data protection principles. Here’s Google LLC on the register maintained by the US Dept of Commerce:
OK, so is there going to be any practical impact?
Computer says no:
Great! I’m feeling better now. But what if I’m not happy?
Well, that’s not so good. If you’re not happy then you have to stop using Google.
That’s not very realistic. On the plus side, the services will be the same and you still have EU GDPR protection through 2020 then UK GDPR, so any delta shouldn’t be a concern – until it is.
In a very welcome speech on 12 September 2018 to the CBI Cyber Security: Business Insight Conference, James Dipple-Johnstone (ICO Deputy Commissioner, Operations) summarised the UK ICO’s approach to security under GDPR and…