As EU and UK negotiators spend the next ten months thrashing out the terms of their future trading relationship, separate discussions will take place to determine if Britain will be granted “data adequacy” – the legal right to process European data after the transition period comes to an end.
While these discussions could have a major impact on the UK economy, the outcome is, at this stage, difficult to predict and may take some time to deliver; the Commission’s data protection chief has suggested Britain is 13th in line for a deal. But business moves faster than politics, and the tech giants are taking matters into their own hands.
Last night, Reuters reported (19 February) that Google is preparing to move British users’ accounts out of its data centres in Ireland, where the company has its European headquarters, and to the US. The move may save Google money in terms of hosting costs, but the company has a more pressing motive: the desire to avoid a high-stakes, post-Brexit legal battle about who has jurisdiction over UK users’ accounts, and how much privacy those users are entitled to.
Google is keen to frame this as a simple compliance issue. But it could have a profound impact on the privacy of the estimated 42 million UK-based users of the tech giant, whose tentacles – thanks to the success of not just its search engine but also Gmail, Maps, YouTube, Drive and its enterprise cloud-computing division – arguably extend further into people’s professional and personal lives than those of any other company in the world.
So what does the move mean in practice, and how concerned should you be for the privacy of your own data? Ultimately, it comes down to two key pieces of law: the General Data Protection Regulation (GDPR) and the US Cloud Act.
As an EU member, the UK signed GDPR into law in 2018, meaning data stored in the UK is currently held to the same high standards of privacy as it is in the EU. After the transition period ends, Britain has indicated it will continue to enforce GDPR, to maintain the “adequacy” that will allow data to flow freely between the UK and the EU.
If GDPR is kept, it won’t matter where UK Google account data is held, because the regulation governs whose data is being protected. But some legal experts fear that the intrusiveness of British surveillance legislation, combined with the prospect of UK privacy law being watered down during trade negotiations with the US, could undermine the UK’s bid for data adequacy.
This could prove a major headache for a company like Google. Privacy campaigners could argue, for example, that practices mandated by the British government under the Investigatory Powers Act were illegal under EU law when applied to UK user data stored in Ireland. If the UK fails to achieve adequacy, the Commission or the European Court of Justice has already concluded that the EU has jurisdiction over any data stored within its borders, so the fact that the data belongs to Brits is immaterial. (This is why some tech companies stopped registering their non-EU international users in Ireland before GDPR came into effect.)
As Lea Kissner, a former privacy executive at Google, told Reuters: “There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super messy. Never discount the desire of tech companies not [to] be caught in between two different governments.”
But moving this data to the US, rather than the UK, means that Google will be caught between two different governments. The critical distinction is that, in this case, the second government is one with a significantly more relaxed approach to data privacy than either the UK or the EU. For Google, this could help it to avoid a legal dispute that would draw unwelcome attention to just how much it knows about how we live our lives.
The Cloud Act
The new US Cloud Act makes it significantly easier for law enforcement agencies in the UK to access data from US tech firms. British police forces no longer need to seek permission from US courts to access data for investigations. This accelerates the process of gaining access to potential evidence in criminal cases, which, if you’re a police force or surveillance agency, is clearly a plus, but it also raises serious privacy concerns.
Google, which had not responded to a request for comment at the time of publication, would likely contend that some of its services are encrypted, but Gmail – an email client used by thousands of the world’s biggest businesses and hundreds of millions of consumers – is not. The company’s decision to sideline the development of an encryption offering in 2017 may, reporters speculated at the time, have been driven by fear of a fight with the US government.
Nor is the Cloud Act the only piece of American legislation worth considering. The Foreign Corrupt Practices Act (FCPA), which in the past has been used by the US government to prosecute companies for political gain, can be applied to firms that have no physical presence in America so long as they use a service that stores emails there. Under Google’s new rules, more British businesses may find themselves within the FCPA’s purview.
Privacy experts concerned about the US surveillance regime have also reacted with alarm to Reuters’ report. “Moving people’s personal information to the USA makes it easier for mass surveillance programmes to access it,” said Jim Killock, executive director of Open Rights Group. “There is nearly no privacy protection for non-US citizens.”
“We have no reason to trust a Donald Trump government with information about UK citizens,” Killock continued. “The possibilities for abuse are enormous, from US immigration programmes through to attempts to politically and racially profile people for alleged extremist links.”
When Google officially announces the move in the coming weeks, it will downplay the risks to British users’ privacy. It will likely note, as a source already has to Reuters, that UK users’ data will remain protected under the UK’s privacy rules. But if Google was entirely confident that the EU will deem British data protection standards equivalent to its own, it would not be making this move.
In recent years, Google and its fellow Silicon Valley giants have successfully marketed themselves not as advertising companies, but as digital utility providers. In light of the Snowden revelations and the Cambridge Analytica scandal, they have also sought to burnish their data protection credentials. But profit, rather than privacy, will always remain their primary pursuit.
As in matters of taxation and competition, Google’s large and sophisticated legal and lobbying teams are renowned for finding ways to maximise returns without breaking the law. This case might concern data protection, but the company’s underlying motivations are no different, and other US firms – such as Apple, Netflix, Amazon, Facebook, LinkedIn, Microsoft – will be watching what happens next. Google may be the first US tech company to move UK data outside of the EU, but it will not be the last.