UK Google users are set to lose the protections they had received from the General Data Protection Regulation (GDPR) given that the country has embarked on an exit from the EU, where the law is applicable.
According to exclusive information provided to Reuters, the UK is set to shift from the EU’s legal jurisdiction on privacy protection over to that of the US—which is notably laxer in nature.
The move has prompted some concern around the loss of privacy protection for UK Google users, leaving their personal data more susceptible to misuse by private and public actors, including by British law enforcement.
“Nothing about our services or our approach to privacy will change,” a Google statement reads on the subject, “including how we collect or process data, and how we respond to law enforcement demands for users’ information.”
“The protections of the UK GDPR will still apply to these users,” it adds.
UK Google users in murky waters
Google has allegedly decided to move British users’ accounts out of the Irish jurisdiction (where Google houses its European headquarters) due to the lack of clarity over which data rules the post-Brexit UK will come to adhere to. To this end, Google has opted not to move UK users under the jurisdiction of UK privacy bodies, Reuters reports.
In effect, this means that the tech giant will force British users to acknowledge new terms of service in relation to privacy protection.
So far as the relationship between the US and the UK goes on the subject, it would seem that closer ties are being pursued on more than mere issues of trade. The so-called CLOUD Act, for example, which was signed into law by the US Congress in 2018, allows UK authorities to more easily access personal data stored by US companies.
The shift is set to mark the biggest revision to the tech giant’s Terms and Conditions for UK Google users since 2012, with Google already in the process of updating its T&Cs in response to litigation from EU privacy groups.
Since German consumer rights organizations took the tech giant to court last year over its use of “overly vague” terms, Google has been forced to realign its terms in response to mounting pressure from the GDPR.
The litigation dragged on after a French court forced Google to pay a fine of €30,000 last year for its use of unfair terms. This follows on from the longstanding position of the European Commission in favor of Google amending its terms of use in relation to the GDPR and to other EU laws.
It is in precisely this way that EU data protection—specifically in the form of GDPR guidelines—is playing a pivotal role in reshaping the way in which Google users receive and understand Google’s business model.
A farewell to the GDPR in Britain
The decision to move UK Google users out of the scope of the GDPR is expected to bear significant consequences for the state of British privacy and data protection going forward.
There is some speculation, for example, that the British government will decide to forge ahead with its own legal framework in the near future relating to privacy protection which stands in contrast to both existing EU and US regulations.
In a statement given to the House of Commons on 3 February on the subject of UK-EU relations more generally, UK prime minister Boris Johnson wrote that the UK “will in future develop separate and independent policies” on a number of key issues—explicitly touching on data protection as one such example.
For the time being, however, UK Google users are left in a precarious position. On the one hand, there is an opportunity for the UK to formulate data protection policies of its own in place of the GDPR, and potentially woo back big tech companies like Google. On the other hand, the longer such a process takes, the more the privacy of UK citizens is left at risk.
Jim Killock, Executive Director of the digital rights organization Open Rights Group, told The Guardian that the transfer of personal data from UK Google users to the US “makes it easier for mass surveillance programs to access it,” and that there is “nearly no privacy protection for non-US citizens.”
“Google’s decision should worry everyone who thinks tech companies are too powerful and know too much about us,” Killock says. “The UK must commit to [GDPR] standards or we are likely to see our rights being swiftly undermined by ‘anything goes’ US privacy practices.”
As time goes by, other big tech companies apart from Google will be forced to make similar decisions, and will likely choose to follow suit. And as Google’s decision indicates, while the UK is still in the interim, it ought to act swiftly to put in place new regulations that secure the privacy of its citizens.