A new report by Reuters suggests that Google is planning to move UK user data from the EU to the US post-Brexit.
One of the many questions raised by Britain’s departure from the EU is what the future of data storage and protection is going to look like post-Brexit, particularly due to the fact that the EU has stronger data protection laws than other regions, such as the US.
On Wednesday (19 February), Reuters reported that Google could be planning to move the data of British users out of the EU and into the US, which “will leave the sensitive personal information of tens of millions with less protection and within easier reach of British law enforcement”.
Reuters spoke to three different sources familiar with Google’s plan, which would involve asking British users to agree to new terms of service in the new jurisdiction where Google intends to store the data.
Before the year is out, other US tech companies will have to make similar decisions for how British data will be handled post-Brexit.
Moving data from Ireland to the US
Before Brexit, Google dealt with British users’ data in Ireland, where its European headquarters is based. Now, the company may be planning to move user data, as it is not yet known whether the UK will continue to follow the EU’s General Data Protection Regulation (GDPR), or develop new rules regarding the handling of data. A Google spokesperson declined to comment ahead of a public announcement.
Reuters noted that the US “has among the weakest privacy protections of any major economy”.
Lea Kissner, Google’s former lead for global privacy technology, told Reuters: “There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super messy.”
Kissner, who is now chief privacy officer at Humu, is an advocate of GDPR-style data protection laws and has spoken about the need for them in the US before.
Speaking to Siliconrepublic.com in November 2019, Kissner said: “GDPR-style legislation is the gold standard around the world and we should 100pc have a federal law in the US along those lines. Though I’d love a few tweaks.
“The level of privacy protections in the US should be higher, and uniform legal protections will lead to better protection in practice than a patchwork of laws. Speaking as an engineer, contradictory high-stakes requirements are prone to bugs in the system.”
Google warns shareholders
Two weeks ago, Google warned shareholders that Brexit is likely to have a negative impact on the company’s revenue, while subjecting the company to new regulatory fines and technical challenges.
A spokesperson for the company said: “Like many companies, we have to prepare for Brexit. Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protection of the UK General Data Protection Regulation will still apply to these users.”
Speaking to the Telegraph, data protection expert and founder of data law firm AWO, Ravi Naik, said: “There is no legal reason to process UK data in the EU post-Brexit, so it is a foreseeable if regrettable post-Brexit reality. And such developments are very troubling for British data protection, and for the prospects of an adequacy decision from Europe.”
Naik said that the development is “troubling and should be a concern” in terms of data protection.