In February 2020, Google announced its intention to move all its data about British users of its services, including Gmail, YouTube and the Android Play store, to the US. But how will this affect the GDPR compliance of small businesses? And how will it affect the privacy of UK Google app users?
As with all of these topics, nothing is ever as straightforward as it seems.
Why does Google want to move the data?
The main reason they’ve taken this decision is that data sharing is part of the ongoing UK/EU negotiations to finalise the Brexit relationship by the end of 2020. If the negotiators fail to reach a decision on data sharing by 31st December, then it will be illegal for data to be transferred between the UK and the EU after that date.
However, the US and the EU already have a data sharing deal (called ‘Privacy Shield’), so once UK data is on US servers then the terms of that deal will apply instead of either EU or UK data processing legislation.
The eagle-eyed amongst you will have noticed at this point that this is a much wider issue than just Google data. If you have customers in Europe and you transfer customer data from Europe to the UK (for example by taking customers’ delivery addresses or payment details), then, in the event of no data sharing deal, this will become illegal.
But why do we need a deal if we have already adopted GDPR legislation into domestic law?
Good question! Put simply, it’s because we also have the 2016 Investigatory Powers Act, which was introduced following the 2013 Edward Snowden revelations and gave Britain’s spying agencies wide-ranging powers to intercept and retain citizens’ digital data in the interests of protecting national security.
The degree of ‘snooping’ powers the UK has is far greater than that used by any other EU country, and is currently the subject of investigation by the European Court of Justice. In January this year, the court said that MI5, MI6 and GCHQ conducted “general and indiscriminate retention” of citizens’ personal data that was incompatible with European law. No decision has yet been reached on what to do about it; that decision will become clearer within the next few months.
Although any final decision reached by the ECJ will no longer apply to the UK, it does mean that there is a strong likelihood that, in the event of no changes, the EU could forbid the sharing of personal data with the UK as it would be deemed to not meet its strict data privacy standards.
If Google left UK data in Ireland, and the EU forbade data sharing with the UK, and Google suffered a data breach, then Google would get a double hit of fines: fines from the EU where the data is processed, and from the UK where the user resides.
Where does that leave UK small business users?
Google’s intention to move UK data out of Ireland to the US will have very little, if any, impact on small business data processing. What is more of a worry is whether or not the EU and UK reach a data sharing deal before the end of the year.
But in the words of the great Douglas Adams: DON’T PANIC!!! In my opinion (and it is just my opinion), the likelihood of a deal not being reached is vanishingly slim, because it affects any organisation that transfers data to Europe – like airlines, delivery companies, Eurostar, banks and so on.
Not only that, but both the US and Switzerland are already covered by Privacy Shield, so there is a precedent for the EU sharing data with countries with less strict data privacy laws.
This is definitely a topic to watch, but not worth losing sleep over – yet!