UK possibly to lose GDPR protections as Google shifts UK data to the US

[Delicieuxz]

Exclusive: Google users in UK to lose EU data protection - sources

Quote

Google is planning to move its British users’ accounts out of the control of European Union privacy regulators, placing them under U.S. jurisdiction instead, sources said.

 

The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions with less protection and within easier reach of British law enforcement.

 

...

 

Ireland, where Google and other U.S. tech companies have their European headquarters, is staying in the EU, which has one of the world’s most aggressive data protection rules, the General Data Protection Regulation.

 

Google has decided to move its British users out of Irish jurisdiction because it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data, the people said.

 

If British Google users have their data kept in Ireland, it would be more difficult for British authorities to recover it in criminal investigations.

 

The recent Cloud Act in the United States, however, is expected to make it easier for British authorities to obtain data from U.S. companies. Britain and the United States are also on track to negotiate a broader trade agreement.

 

...

 

An employee familiar with the planned move said that British privacy rules, which at least for now track GDPR, would continue to apply to that government’s requests for data from Google’s U.S. headquarters.

 

Google has amassed one of the largest stores of information about people on the planet, using the data to tailor services and sell advertising.

 

Google could also have had British accounts answer to a British subsidiary, but has opted not to, the people said.

 

...

 

In coming months, other U.S. tech companies will have to make similar choices, according to people involved in internal discussions elsewhere.

 

That's an unfortunate side-effect of the UK's departure from the EU. But as the article mentions, the UK hasn't yet chosen what new data rights protections it will create, if any. Possibly, the Google move can be made futile by the UK adopting something similar to GDPR or California's CCPA.

 

California has data privacy rules even more strict than GDPR and is set to strengthen their data rights protections even further with the CPREA. And I think the people behind California's rules want to push for them to be adopted in the US nationwide. Hopefully, there will eventually be no place for companies to flee with people's data to while aiming to avoid privacy and data rights.

[Nowak]

I do hope we can get privacy regulations as robust as GDPR here in the States.

[lewdicrous]

Just now, Nowak said:

I do hope we can get privacy regulations as robust as GDPR here in the States.

One could only hope for robust international privacy regulations..

[Nowak]

Just now, lewdicrous said:

One could only hope for robust international privacy regulations..

true

[SpaceGhostC2C]

13 minutes ago, lewdicrous said:

One could only hope for robust international privacy regulations..

That's the main issue with most regulation of large corporations, be it taxation, privacy, etc., but especially when it comes to digital / internet-based businesses: successful regulation needs to be international, or at least somewhat coordinated at very large block levels. Otherwise it's an endless whack-a-mole game, good ol' divide&conquer.

 

Just as an example, I've been to countries where Uber is not legal (as in they don't have a license to offer transportation services, and Uber drivers receive fines or worse if caught), yet everyone uses it, and even pays for it with credit cards that make payments to Uber US in u$s (so not your typical cash-only shadow economy), no need to hide it... I guess Uber does disguise its payments to the drivers (but how much, I wonder?), but in any case the point is: the local regulation gets completely circumvented in plain sight.

[porina]

GDPR in itself isn't always positive. To properly service people covered by it is no trivial task. Some non-EU companies chose simply to cut their losses when it was implemented and we lose out, because of GDPR. It was less pain to them to lose existing and potential customers than it was to comply.

 

The wider problem is that while regulations such as GDPR are drafted by good intentions, they often are short sighted in the practicalities of what it means in the real world.

 

Not 100% on the details of Brexit deal as it currently stands, but my understanding is UK is in transition for the rest of this year, where existing EU rules continue to act in place. It is only in 2021 when things might change, for better or worse.

 

[mr moose]

I don't think this has anything to do with Brexit, if GDPR was a problem then the UK leaving would make it a better place. The GDPR still applies no matter where you store the data, as it is applied to services within the EU not locality of the data.   I would be more looking at either cost of to do business or some other local UK condition that make it a better move. 

[RonnieOP]

Just now, mr moose said:

I don't think this has anything to do with Brexit, if GDPR was a problem then the UK leaving would make it a better place. The GDPR still applies no matter where you store the data, as it is applied to services within the EU not locality of the data.   I would be more looking at either cost of to do business or some other local UK condition that make it a better move. 

the GDPR is an EU regulation correct?

 

So if they move to the UK they would no longer be regulated by it since its not part of the EU?

 

Or am i misunderstanding that?

[dalekphalm]

4 minutes ago, RonnieOP said:

the GDPR is an EU regulation correct?

 

So if they move to the UK they would no longer be regulated by it since its not part of the EU?

 

Or am i misunderstanding that?

What he's saying is that the location of the end user dictates whether GDPR applies.

 

If you're an EU citizen, you're covered by GDPR by default - regardless of where the data is stored.

 

The UK is still covered under all EU conditions and policies until the end of 2020, so the GDPR therefore still applies in theory (for the time being). Once the UK actually leaves at the end of 2020, then that's a whole different game.

[NineEyeRon]

OK, I work in Compliance in the UK and from our perspective we don’t directly follow GDPR we follow the UK Data Protection Act of 2018.

 

DPA 2018 is GDPR written into UK law and that article seems to me to just be scare mongering, yes it MAY happen but it would take a lot and TBH its really good for the UK to keep DPA 2018 mostly intact.

 

From the UK Compliance perspective GDPR is here to stay as the DPA 2018 and as far as I know Brexit won’t affect it.

 

[Crunchy Dragon]

-Thread cleaned-

 

Refrain from posting political content and flame-bait here.

[AlTech]

The UK will still follow GDPR because it was written into UK law as The Data Protection Act 2018. 

[AlTech]

Got some details from an email Google sent

[RejZoR]

On 2/20/2020 at 2:33 PM, Nowak said:

I do hope we can get privacy regulations as robust as GDPR here in the States.

Only if you live in California which now has similar privacy laws as EU.

[NineEyeRon]

22 hours ago, AluminiumTech said:

The UK will still follow GDPR because it was written into UK law as The Data Protection Act 2018. 

 

Its amazing how few know that, I give data privacy training every month and it often surprises them when I tell them that.

 

Yes when the UK leaves the EU it will have the freedom to change the DPA 2018, that is true. I don't see it happening however.

 

The core of the DPA 2018 is not too dissimilar to that of the DPA 1998 but with a lot of "bug fixes". I do think very little will change, maybe the fine scales might but I can't see much changing around consent management.

 

I will likely get a lot more info on this over the coming weeks as its literally my job.

 

[Citadelen]

‘taking back control’

[greenmax]

On 2/20/2020 at 12:33 PM, Nowak said:

I do hope we can get privacy regulations as robust as GDPR here in the States.

With the paid off lobbyists and the major corps, be very hard and almost impossible.

[hishnash]

Worth noting due to how the brexit laws were passed until the uk decide to do otherwise exiting EU law becomes UK law so GDPR appies to UK citizens. 

Also GDPR has nothing about the location of servers.

[straight_stewie]

On 2/20/2020 at 12:22 PM, Delicieuxz said:

 

That's an unfortunate side-effect of the UK's departure from the EU

I'm not convinced that the GDPR or the DPA ever really meant anything inside the borders of one of the founding members of the Five Eyes group anyway. I mean, sure, it requires companies to do things that might protect you from your neighbor, but I very seriously doubt that GCHQ stopped anything that they were doing.

 

3 hours ago, greenmax said:

paid off lobbyists

That's not how that works. Lobbyists do the paying off. They are not themselves "paid off", although I'm sure they earn salary and possibly a "commission" of sorts if they are successful.

[mr moose]

On 2/21/2020 at 9:31 AM, AluminiumTech said:

The UK will still follow GDPR because it was written into UK law as The Data Protection Act 2018. 

 

23 hours ago, NineEyeRon said:

 

Its amazing how few know that, I give data privacy training every month and it often surprises them when I tell them that.

 

Yes when the UK leaves the EU it will have the freedom to change the DPA 2018, that is true. I don't see it happening however.

 

The core of the DPA 2018 is not too dissimilar to that of the DPA 1998 but with a lot of "bug fixes". I do think very little will change, maybe the fine scales might but I can't see much changing around consent management.

 

I will likely get a lot more info on this over the coming weeks as its literally my job.

 

 

15 hours ago, hishnash said:

Worth noting due to how the brexit laws were passed until the uk decide to do otherwise exiting EU law becomes UK law so GDPR appies to UK citizens. 

Also GDPR has nothing about the location of servers.

 

I don't know if the title changed or not, but 3 people have pointed out the UK is not losing GDPR so the title should probably change.

[Master Disaster]

16 hours ago, AluminiumTech said:

Got some details from an email Google sent

I got this on all my Google owned pages yesterday (google.com & youtube).

[Curious Pineapple]

7 hours ago, Citadelen said:

‘taking back control’

What?

[Donut417]

On 2/20/2020 at 1:22 PM, Delicieuxz said:

California has data privacy rules even more strict than GDPR and is set to strengthen their data rights protections even further with the CPREA. And I think the people behind California's rules want to push for them to be adopted in the US nationwide. Hopefully, there will eventually be no place for companies to flee with people's data to while aiming to avoid privacy and data rights.

That will never happen any time soon. It would most  likely be other states that implement privacy rules than the Feds doing it.