Skip to main contentSkip to navigationSkip to navigation
Google
Google has amassed one of the largest stores of information about people on the planet, using the data to tailor services and sell advertising. Photograph: Jeff Chiu/AP
Google has amassed one of the largest stores of information about people on the planet, using the data to tailor services and sell advertising. Photograph: Jeff Chiu/AP

UK Google users could lose EU GDPR data protections

This article is more than 4 years old

Brexit prompts firm to move data and user accounts of British users from EU to US

Google is to move the data and user accounts of its British users from the EU to the US, placing them outside the strong privacy protections offered by European regulators.

The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions not covered by Europe’s world-leading General Data Protection Regulation (GDPR) and therefore with less protection and within easier reach of British law enforcement.

Google intends to require its British users to acknowledge new terms of service including the new jurisdiction, according to people familiar with the plans.

“Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information,” Google said in a statement. “The protections of the UK GDPR will still apply to these users.”

Ireland, where Google and other US tech companies have their European headquarters, is staying in the EU, which has one of the world’s most aggressive data protection rules, the GDPR.

It is understood that Google decided to move its British users out of Irish jurisdiction because it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data.

If British Google users have their data kept in Ireland, it would be more difficult for British authorities to recover it in criminal investigations.

The recent Cloud Act in the US, however, is expected to make it easier for British authorities to obtain data from US companies. Britain and the US are also on track to negotiate a broader trade agreement.

Beyond that, the US has among the weakest privacy protections of any major economy, with no broad law despite years of advocacy by consumer protection groups.

Google has amassed one of the largest stores of information about people and uses the data to tailor services and sell advertising.

Google could also have had British accounts answer to a British subsidiary, but has opted not to do so.

Lea Kissner, Google’s former lead for global privacy technology, said she would have been surprised if the company had kept British accounts controlled in an EU country with the UK no longer a member.

“There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy,” Kissner said. “Never discount the desire of tech companies not be caught in between two different governments.”

Jim Killock, the executive director of the digital rights organisation Open Rights Group, said: “Moving people’s personal information to the USA makes it easier for mass surveillance programmes to access it. There is nearly no privacy protection for non-US citizens.

“Google’s decision should worry everyone who thinks tech companies are too powerful and know too much about us. The UK must commit to European data protection standards or we are likely to see our rights being swiftly undermined by ‘anything goes’ US privacy practices.”

The UK’s exit from the EU and its data protection regulations are likely to make the data-sharing agreements that cover transfer of user information from one part of a global business to another, or to other businesses, extremely complicated.

If the UK decides not to adopt rules that form equivalent data protections to that granted by GDPR, then extensive data-sharing agreements may be necessary. In coming months, other tech companies will have to make similar choices to Google.

Facebook, which has a similar setup to Google, did not immediately respond to requests for comment.

More on this story

More on this story

  • Joe Biden has just dealt a big defeat to big tech

  • Farage joins explosion in people using subject access requests

  • Facebook owner Meta fined €1.2bn for mishandling user information

  • Ex-minister predicts ‘battle royale’ over US firm’s bid for NHS data contract

  • Chinese firm got Covid contract despite trying to hack NHS data, minister says

  • Man files complaint accusing YouTube of harvesting UK children’s data

  • Trafficking victim wins landmark victory in Salvation Army data case

  • UK data watchdog to scale back fines for public bodies

  • Home Office’s visa service apologises for email address data breach

  • Cabinet Office fined £500,000 over New Year honours list data breach

Most viewed

Most viewed