Google has updated its terms of service, explaining its plan to move the account of its users in the UK out of the GDPR ambit and place them under US jurisdiction.
Legal experts have noted the ambiguity in the explanations about the need of the move and its ramifications, while privacy experts warn that the move will set a bad precedent for mega corporations moving away from stricter data-management obligations.
“Because the United Kingdom (UK) is leaving the European Union, we changed the Google company that you’re contracting with and that provides the services that you use from Google Ireland Limited to Google LLC (a company based in the United States),” said the section that identifies the name and location of the company that users will have to deal with.
“The move is due primarily to the fact that the company does not appear to have much faith in the UK government coming to an adequacy agreement with the EU in enforcing sufficiently robust data privacy laws as the GDPR. By keeping the data in Ireland, Google would have been subject to both EU and UK data protection laws,” said Attila Tomaschek, digital privacy expert at ProPrivacy.
The much more lenient US data protection laws offer more control and less responsibilities, Tomaschek told SC Media UK. Though regulations such as the California Consumer Privacy Act exist, their jurisdiction is limited. Other US states are working on similar legislation, CCPA is currently the only active data privacy law in the country that comes close to what the GDPR offers.
“Generally speaking, data privacy laws throughout the US are certainly much more lenient than the data privacy laws in the EU. What’s more, the US doesn’t have a national privacy law that protects the data privacy of all American residents uniformly,” Tomaschek pointed out.
“The problem is that federal lawmakers have been unable to bridge the partisan divide on a few key issues related to national privacy legislation. The lack of agreement on these issues has heavily delayed any progress and has left the US without a robust set of data privacy laws the likes of what we see in Europe.”
Whether other UK firms would potentially follow suit is unclear, but other US tech companies almost certainly will take the same route as Google has, for essentially the same reasons, he said.
“Since Google’s move is likely to spur other tech giants to take similar measures and transfer UK users’ data to US jurisdiction, there is a very real possibility that GDPR protections will be used as a bargaining chip in the ongoing post-Brexit trade negotiations between the two countries.”
For the time being, UK users’ data remains under GDPR protection. It will end once the transition period concludes at the end of this year.
“The best that users can hope for in the UK is that the government retains similarly robust GDPR-like data protections for its citizens,” Tomaschek said.
At this point, the UK government can do little to object to this move. Post-Brexit, the UK’s best move on data protection and maintaining a free flow of information between the UK and the EU would be to push for an adequacy agreement. Doing so would indicate the UK’s commitment to maintaining adequate data privacy protections and ensure a free flow of data between the two, he said.
According to Tomaschek, the major issue centers around the fact that the move puts UK citizens’ data in a much more vulnerable position, despite Google’s assurances that the same GDPR protections will still apply after the transfer to US jurisdiction.
“The move certainly makes sense for Google, but it is yet another example of a tech giant sidelining its commitment to fully protect the privacy of its users in favor of catering to its best interests as a company. This is highlighted by the fact that Google had other viable options at its disposal, including transferring the data to a British subsidiary; a route the company chose not to take.”