Google has confirmed that its US business will be the controller of UK users’ data from next month, instead of Google Ireland Ltd.
The news confirms Reuters reports from earlier this week.
Google cited Brexit uncertainty for the move, in a statement that was greeted with some confusion by the legal community.
The move will arguably mean the personal information of tens of millions of the UK’s Google users faces less robust privacy protections.
“Because the UK is leaving the EU, we’ve updated our Terms so that a United States based company, Google LLC, is now your service provider instead of Google Ireland Limited”, it said in updated terms today.
(Google is adding Google Chrome, Google Chrome OS and Google Drive to the updated privacy Terms as well, standardising them across services).
What Data is This, Anyway?
When you’re not signed in to a Google Account, Google stores the information it collects with unique identifiers tied to the browser, application, or device you’re using. When you’re signed in, it also collects information that it stores with your Google Account, “which we treat as personal information.”
This includes your precise location, the referrer URL of your request, browser type, IP address, and telephony log information.
As Google notes: “We use various technologies to collect and store information, including cookies, pixel tags, local storage, such as browser web storage or application data caches, databases, and server logs.”
(There is no blanket ban on European users’ data leaving the EU under GDPR. However, the individuals whose PII data potentially leaves the EU need to be informed and allowed to opt out, controls need to be in place to ensure their data is tracked, secured, and protected by everyone in the chain who may process the data, and if their data is potentially disclosed then they need to be informed of it. Many take this as short-hand for EU PII data staying put!)
For business users based in the UK, “then the Terms don’t affect the rights you may have as a business user under the EU Platform-to-Business Regulation”, Google added, referring to a set of rules introduced last summer intended to create a “fair, transparent and predictable business environment for smaller businesses and traders on online platforms.”
Google said in an FAQ that those unhappy with the change have a simple solution to deal with it: “If you don’t agree to the new terms, you should remove your content and stop using the services. You can also end your relationship with us at any time by deleting your Google Account.”
Toni Vitale, partner and head of data protection at JMW Solicitors, told Computer Business Review that he found the move puzzling.
He said: “I find it strange that there’s [considered to be] a data protection law rationale for this. [In the UK] we have replicated GDPR word-for-word. Google may not want a different regime in the UK and EU. But lots of companies are living with that. I can see that Google may want to have one single entity operating as Data Controller for all of its different products and part of the move today looks like a step towards that. But under GDPR it will still need to have a representative office in the EU. It doesn’t make a lot of logical sense.”
Editor’s note: Those with a more cynical bent suspect that Google sees the UK struggling (or intentionally declining) to gain so-called “adequacy” with the EU, under which local data protections broadly align with GDPR.
It seems unlikely, with a government intent on as much market liberalisation as possible, that the UK will end up with a policy regime stronger than GDPR. Having UK users’ data outside Europe, as a result, could significantly weaken privacy and commercial protections and allow both law enforcement and businesses improved access to a significant dataset in future.