Google is changing the data controller for its UK user data to Google LLC, placing the data under the jurisdiction of US regulators, the company announced today. The change is being made due to the UK’s exit from the EU, which has created uncertainty around the future of data protection regulation in the country. Alongside the changes, Google is also updating its terms of service for users worldwide, which it says will make them easier for its users to understand.
Since 2019, shortly after Europe’s GDPR privacy rules were enacted, the official service provider and data controller for UK users had been Google’s Irish subsidiary. According to Reuters, the change in data controller could have implications for the extent of legal protection over Google’s UK user data. While Ireland is covered by the EU’s strict GDPR data protection regulations, the USA’s privacy protections are comparatively weaker. Reuters says the shift could make it easier for British authorities to obtain the data, in instances such as criminal investigations. The USA’s recent Cloud Act, it notes, could make this easier still.
However, Reuters also says that the UK’s privacy rules will continue to apply when British authorities request user data, regardless of the fact that they’ll now be directed at Google’s US headquarters. For the foreseeable future, these rules are likely to be aligned with GDPR.
The UK’s privacy rules are aligned with GDPR during the UK’s current transitional period, according to the UK’s data watchdog, the Information Commissioner’s Office (ICO). Data protection in the UK is regulated by its 2018 Data Protection Act, which is the UK’s implementation of GDPR. At the end of 2020 when the transition period comes to an end, the ICO says the UK government’s current plan is to bring GDPR into UK law as “UK GDPR.” However, until a final deal is negotiated, it says that there could be changes to particular issues like the transfer of data between the UK and EU.
The ICO confirmed that any UK user data is still covered by the UK’s existing regulations. In a statement given to The Verge, a spokesperson said, “Any organisation dealing with UK users’ personal data should do so in line with the UK Data Protection Act 2018 and the GDPR which will continue to be the law unless otherwise stated by UK Government.”
Google maintains that it is not making any changes to its data protection standards for UK users. It says there will be no change to how it processes user data, no changes to privacy settings, and no change to the way it treats user information. “We’re not changing the way our products work, or how we collect or process data,” Google spokesperson Shannon Newberry said.
Google does intend to require its British users to acknowledge new terms of service, including the change in jurisdiction, according to Reuters.
Google is not the only company that will face decisions like this in the wake of Brexit. Facebook and other large US tech companies will have to address the new realities of managing UK user data.
Alongside the changes affecting UK user data, Google is also updating its Terms of Service today with its first major revision since 2012, which it says will “make them easier for people around the world to read and understand.” It says these changes, applied globally, are being made in response to recent court decisions in France and Germany which criticized how the company obtains its users’ informed consent to process their data. The new terms of service are over a thousand words longer, and now cover more services such as Google Chrome and Google Drive. The company says it’s also adding a description of how its business works to the About Google page.
Google says its new Terms of Service will take effect at the end of March, and adds that it will be notifying users via email, in an update to its homepage, and through notifications in its apps.
Update February 20th, 9:20AM ET: Updated with statement from the UK’s Information Commissioner’s Office.