View all newsletters
Receive our newsletter - data, insights and analysis delivered to you
  1. Policy
February 21, 2020

Google’s Data Controller Move “Unlikely to do with Brexit, GDPR, or UK Data Protection Uncertainty”

As Google announces plans to ship all UK users' data to the US and away from Dublin, one leading data protection specialist weighs in with their thoughts.

By CBR Staff Writer

The rationale for this move is unlikely to have anything to do with Brexit, the EU GDPR or uncertainty of what will happen with UK data protection laws, writes Toni Vitale, Head of Data Protection, JMW Solicitors.

This is speculation but recent tax changes in the US made it more attractive to onshore jobs to the USA so this may also be part of the reason. (Google is taking the opportunity to bundle any data collected via its Chrome browser, Chrome OS and Google Drive into the same set of terms and conditions.)

Google’s Data Controller Move: The Legal Background

UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018.  Both laws continue to apply until the end of the transition period on 31 December 2020. The EU GDPR will no longer apply directly in the UK at the end of the transition period.

Toni Vitale, Head of Data Protection, JMW Solicitors. 

However, UK organisations must still comply with its requirements after this point. This is because the DPA 2018 enacts the EU GDPR’s requirements in UK law. The UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.

This amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit. This new regime will be known as ‘the UK GDPR’.

There is very little material difference between the EU GDPR and the proposed UK GDPR. So, organisations that process personal data should continue to comply with the requirements of the EU GDPR. Now that it is no longer an EU member state, the UK has been reclassified as a “third country”.

This shouldn’t make any difference to UK organisations until the end of the transition period.  Under the EU GDPR, the transfer of personal data from the EEA to third countries and international organisations is permitted only in certain circumstances:

Content from our partners
Unlocking growth through hybrid cloud: 5 key takeaways
How businesses can safeguard themselves on the cyber frontline
How hackers’ tactics are evolving in an increasingly complex landscape

• If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.

• If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).

• Based on approved codes of conduct, such as the EU-US Privacy Shield. (No such code has been agreed for transfers from the EEA to the UK yet.)

Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR. The UK hopes that by enacting the EU GDPR’s requirements in domestic law it should be able to demonstrate that it will continue to enforce international data protection requirements after leaving the EU.

Government has Shifted Position 

The government’s position has shifted slightly though.

At first the government (under Theresa May) said they preferred a new data treaty rather than adequacy because adequacy was for third countries and the expectation was then that we would have closer alignment.

The rationale is that the UK adopted the GDPR into UK law, but countries that obtained adequacy such as Uruguay did not.  The current position is that adequacy is likely and desirable and indeed possible by December 2020.  However it is unlikely this is the reason to move the Ireland data centre.

The EU GDPR and the UK version in the Data protection act 2018 will apply to Google wherever it cites its data centre and UK user’s data. UK law enforcers (and EU ones) will still be able to take action against Google (but this is the same position as today – moving the data centres does not affect this).

Do you agree/disagree? Get in touch with our editor Ed Targett. 

Websites in our network
Select and enter your corporate email address Tech Monitor's research, insight and analysis examines the frontiers of digital transformation to help tech leaders navigate the future. Our Changelog newsletter delivers our best work to your inbox every week.
  • CIO
  • CTO
  • CISO
  • CSO
  • CFO
  • CDO
  • CEO
  • Architect Founder
  • MD
  • Director
  • Manager
  • Other
Visit our privacy policy for more information about our services, how New Statesman Media Group may use, process and share your personal data, including information on your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.
THANK YOU