Google cites Brexit as reason for moving UK users' data out of EU
The tech giant stated that UK users’ privacy standard will remain the same as under GDPR
Google is moving UK users' accounts outside of the control of EU data and privacy regulators as a result of Brexit.
From 31 March 2020 UK accounts will fall under the jurisdiction of the US, where its Cloud Act is expected to make it easier for British authorities to obtain data from US companies.
In a statement to CRN, Google said that its data protection standards for UK accounts would remain the same as under the EU-wide GDPR.
GDPR came into effect in 2018 and is renowned for providing some of the strongest privacy laws in the world.
"Like many companies, we have to prepare for Brexit. Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users' information," a Google representative said.
"The protections of the UK GDPR will still apply to these users."
UK users' account data was held in Ireland - which remains a part of the EU - but control of that information will move to the US-based Google LLC.
"We are doing this because the UK is no longer in the EU. And so, we are simply restoring Google LLC as the service provider and the data controller responsible for UK users' information," the spokesperson added.
Reuters - which broke the news - reported that people close to the matter said that Google had the option of having had British accounts answer to a British subsidiary, but decided against it.
The representative declined to comment on whether this was an interim measure until the UK government announces how data will be handled post-Brexit.
Some in the channel found the news concerning from both a personal and business point of view.
David Lannin, CTO at cybersecurity VAR Sapphire, said that he had anticipated the UK incorporating current EU law into its own legislation post-Brexit so that data would continue to have the same standard of protection.
"I think it's a bit short-sighted of Google to do this," he said.
"I think Google customers in the UK will be incredibly worried. It's not just about making it easy for UK authorities to access data that's resided in Google in US companies through this US Cloud Act.
"Privacy of data is a completely separate matter to access and being able to know that the proper controls and protections are in place for personal data, when it's residing in the US, is a world away from accessing data. It doesn't give any additional protections,
"On the face of it, it sounds like it's something that hasn't been particularly well thought out. And I'd say it's a premature - and even an immature - way of dealing with it."
Dan Bailey, director at cybersecurity MSP Altinet, added that there needed to be clarity around what exactly this move by Google means for UK users and where this leaves data privacy and protection in a post-Brexit UK.
"Our experience is that many UK organisations won't allow their data to be held in the US so there's definitely going to need to be clarity as this develops with Google, and others, as to whether data will actually be held in the US or whether there will be other legal arrangements as the UK leaves the EU," he stated.
Bailey urged lawmakers to hasten the process of implementing laws to clarify its position as Brexit has resulted in drawn-out and costly contractual discussions with customers in the security space.
He added that Brexit opens up the UK to potentially becoming a world leader in data protection.
"The more uncertainty and ambiguity there is with issues like data sovereignty then the lengthier discussions and contractual negotiations are required to ensure both sides are happy," he added.
"We're seeing this more and it's understandable from the customer's perspective, but quickly creating clear laws in this area will benefit everyone in the channel and our customers.
"As the UK leaves the EU I think we have the opportunity to be a world leader in security and data privacy."