As Google announces plans to ship all UK users’ data to the US and away from Dublin, one leading data protection specialist weighs in with their thoughts.
The rationale for this move is unlikely to have anything to do with Brexit, the EU GDPR or uncertainty of what will happen with UK data protection laws, writes Toni Vitale, Head of Data Protection, JMW Solicitors.
This is speculation, but recent tax changes in the US made it more attractive to onshore jobs to the USA, so this may also be part of the reason. (Google is taking the opportunity to bundle any data collected via its Chrome browser, Chrome OS and Google Drive into the same set of terms and conditions.)
Google’s Data Controller Move: The Legal Background
UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018. Both laws continue to apply until the end of the transition period on 31 December 2020. The EU GDPR will no longer apply directly in the UK at the end of the transition period.
However, UK organisations must still comply with its requirements after this point. This is because the DPA 2018 enacts the EU GDPR’s requirements in UK law. The UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
This amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit. This new regime will be known as ‘the UK GDPR’.
There is very little material difference between the EU GDPR and the proposed UK GDPR. So, organisations that process personal data should continue to comply with the requirements of the EU GDPR. Now that it is no longer an EU member state, the UK has been reclassified as a “third country”.
This shouldn’t make any difference to UK organisations until the end of the transition period. Under the EU GDPR, the transfer of personal data from the EEA to third countries and international organisations is permitted only in certain circumstances:
• If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.
• If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
• Based on approved codes of conduct, such as the EU-US Privacy Shield. (No such code has been agreed for transfers from the EEA to the UK yet.)
Most organisations that provide goods or services to, or monitor the behaviour of, EU residents will also have to appoint an EU representative, under Article 27 of the EU GDPR. The UK hopes that by enacting the EU GDPR’s requirements in domestic law it should be able to demonstrate that it will continue to enforce international data protection requirements after leaving the EU.
Government has Shifted Position
The government’s position has shifted slightly though.
At first, the government (under Theresa May) said it preferred a new data treaty rather than adequacy, because adequacy was for third countries and the expectation then was that we would have closer alignment.
The rationale is that the UK adopted the GDPR into UK law, but countries that obtained adequacy, such as Uruguay, did not. The current position is that adequacy is likely and desirable and indeed possible by December 2020. However, it is unlikely that this is the reason for moving the Ireland data centre.
The EU GDPR and the UK version in the Data Protection Act 2018 will apply to Google wherever it sites its data centre and UK users’ data. UK law enforcers (and EU ones) will still be able to take action against Google (but this is the same position as today; moving the data centres does not affect this).