- Reuters reported Wednesday that Google is planning to ship its UK user data from its European headquarters in Ireland to the US.
- The move was prompted by uncertainty surrounding the UK's data laws after Brexit.
- Experts told Business Insider the problem boils down to whether the UK can obtain an "adequacy agreement" with the EU which would guarantee that EU citizens' data would be protected with the same rigor as under GDPR.
- Although originally the UK said it would adhere to GDPR standards, Google's decision suggests it doesn't trust Britain to achieve an adequacy agreement.
- Visit Business Insider's homepage for more stories.
News broke on Wednesday that Google has decided to migrate its UK user data from Ireland (where it's currently kept) to the US, prompted by Brexit uncertainty.
Ireland is part of the European Union, and so its data laws are subject to the EU's robust General Data Protection Regulation (GDPR) laws which came into force in 2018.
Three sources told Reuters that Google's decision was prompted by uncertainty surrounding Britain's exit from the EU, because it is now unclear whether the UK will adopt GDPR-like rules or set its own standards on data protection.
This isn't immediately a big deal for user privacy. UK users remain protected by Europe's strict privacy rules for now, even if their data is legally owned by a US entity. It does, however, raise the specter of reduced privacy in future if a post-Brexit UK alters its laws to become less privacy-oriented.
Business Insider spoke to privacy and data policy experts to get an idea of what this decision means for UK citizens.
1. It shows Google doesn't have faith in the UK achieving "adequacy"
Part of what the UK will have to negotiate with the EU in its Brexit talks is whether it continues to cleave to the GDPR, or something like it.
One of the provisions of GDPR is that EU citizens' data has to be safeguarded to European standards even if it is held outside the EU - as is the case with most large American social media companies.
Tech policy expert Heather Burns told Business Insider this happens in one of two ways.
"The first is that a company - say, a US social media business - which collects and processes European citizens' data does so under contractual clauses, corporate agreements, or the like. The second is that a third country as a whole commits to a legally recognised system of adequacy, such as the U.S. Privacy Shield system, which is mandatory for any US company collecting European data," she said.
Originally Britain maintained that it would seek the second option, otherwise known as an "adequacy agreement," with the EU. This would mean Europe accepts that the UK provides data protection that's up to the EU's standards.
Whether the UK will actually get such an agreement has become more and more uncertain, and Prime Minister Boris Johnson said in a statement earlier this month that the UK would develop a "separate and independent" data protection policy.
Broader threats that the UK might leave the EU without a deal exacerbate the possibility that it might not get an adequacy agreement, according to Burns.
"That political context is critical to understanding Google's decision. This is not the action of a company which believes the UK will secure an adequacy agreement or intends to continue aligning itself with the European data protection framework and its user rights. They are moving fast on that belief, and it's safe to say they are not engaging in this work out of a concern for UK citizens' human rights," said Burns.
"My reading of Google's plans is that it, like many data protection and privacy academics, is sceptical of the UK's ability to be accepted for and retain the 'adequacy' status with the European Union which would allow free flow of data," said digital rights expert Michael Veale.
"Furthermore, by remaining in Ireland, Google risks double-jeopardy for fines and other sanctions in relation to any breach of data protection affecting those in the UK, as it would be a breach of both EU law (as the data was processed in the EU) and UK law (as the data concerned UK residents). Moving its contractual body to the US would somewhat remedy this," he added.
Google sources said the move could help law enforcement
Reuters' sources said that moving user data to the US would make it easier for UK law enforcement to request access to data for investigations than if the data were left in Ireland due to the CLOUD (Clarifying Lawful Overseas Use of Data) act agreement signed between the US and Britain in October 2019.
The agreement was designed to allow US and UK law enforcement to demand data from tech companies based in the other country.
Burns was unconvinced by this.
"Google's announcement is about moving user data outside the EU data protection framework, which is a completely separate thing from the CLOUD Act. This is about everyday data, even the information on your phone right now, and where it lives and how it is protected, well outside the realm of law enforcement," she said.
"Google mentioning law enforcement at all in the Reuters announcement was a bit of a red herring, in other words, to distract from the everyday user data at stake," Burns added.
Jim Killock, head of the UK-based digital rights organisation Open Rights Group, voiced strong opposition to Google's decision.
"Moving people's personal information to the USA makes it easier for mass surveillance programmes to access it. There is nearly no privacy protection for non-US citizens. We have no reason to trust a Donald Trump government with information about UK citizens. The possibilities for abuse are enormous, from US immigration programmes through to attempts to politically and racially profile people for alleged extremist links," he said.
For the time being however the UK - and by extension UK citizens' Google data - still falls under GDPR.
Get the latest Google stock price here.