Google is moving the data of its UK users over to US servers, evidently to remove it from the jurisdiction of the EU’s data protection laws. Is this actually the case? And what does that mean, in concrete terms, for Google users in the UK? Does the GDPR still apply?

Welcome to the second month of The Private Citizen! I’m back from my holiday in Cape Verde and ready to discuss privacy topics once more. Today, I’m looking at the recent news of Google planning to move the data of its UK customers from Ireland to the US, in the wake of Brexit. What does that actually mean for Google users in the UK and why are they doing this? The answers are not as clear as some of the reports in the media would have you believe.

But before we get into that topic, I would like to quickly revisit episode 4 of this podcast, in light of the news that Let’s Encrypt is revoking 3 million certificates tonight. Which plays right into my “SSL isn’t as easy as everyone said it was” argument from that episode. Couldn’t have written this script better myself…

Google is Moving its UK User Data

But on to the main topic of today’s show. As first reported by Reuters, Google is moving the user data of its UK users from its subsidiary in Ireland to the main company in the US.

Google is planning to move its British users’ accounts out of the control of European Union privacy regulators, placing them under U.S. jurisdiction instead, sources said.

The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions with less protection and within easier reach of British law enforcement.

The change was described to Reuters by three people familiar with its plans. Google intends to require its British users to acknowledge new terms of service including the new jurisdiction. Ireland, where Google and other U.S. tech companies have their European headquarters, is staying in the EU, which has one of the world’s most aggressive data protection rules, the General Data Protection Regulation. Google has decided to move its British users out of Irish jurisdiction because it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data, the people said.

But is this actually true? Google has confirmed that it is moving the data by 31 March but does the analysis of the consequences put forward by Reuters actually bear out? The Verge has a few more details and a better analysis:

The UK’s privacy rules are aligned with GDPR during the UK’s current transitional period, according to the UK’s data watchdog, the Information Commissioner’s Office (ICO). Data protection in the UK is regulated by its 2018 Data Protection Act, which is the UK’s implementation of GDPR. At the end of 2020 when the transition period comes to an end, the ICO says the UK government’s current plan is to bring GDPR into UK law as “UK GDPR.” However, until a final deal is negotiated, it says that there could be changes to particular issues like the transfer of data between the UK and EU.

The ICO confirmed that any UK user data is still covered by the UK’s existing regulations. In a statement given to The Verge, a spokesperson said, “Any organisation dealing with UK users' personal data should do so in line with the UK Data Protection Act 2018 and the GDPR which will continue to be the law unless otherwise stated by UK Government.”

This is somewhat in line with what Google itself says.

Google maintains that it is not making any changes to its data protection standards for UK users. It says there will be no change to how it processes user data, no changes to privacy settings, and no change to the way it treats user information. “We’re not changing the way our products work, or how we collect or process data,” Google spokesperson Shannon Newberry said.

The GDPR, Brexit and the UK

So what is going on here? First, let’s look at the current situation: The UK has implemented local laws that enforce the GDPR and these laws are currently in effect. They will be, until a deal for the terms of how the UK leaves the EU is negotiated – currently this is expected to be at the end of December 2020.

So this means, that until that deal is negotiated, UK Google users are subject to UK regulations that implement the EU’s GDPR. Google moving the user data out of the EU to the US doesn’t change that. It does complicate matters, though, since the United States are a third party country in terms of the GDPR and data stored there is treated differently than data stored in the EU (or UK, for the purposes of the current legal situation). It follows, that from 31 March until the Brexit deal is finalised, data of UK Gooogle users will be subject to the EU-US Privacy Shield regulations. These regulations guarantee certain rights for these users if the US company in question is covered by Privacy Shield, which Google currently is.

What Happens after Brexit is Finalised?

So what will happen after the EU/UK Brexit deal is finally negotiated and comes into effect, presumably on 1 January 2021? The current stance of the UK government is, that the UK will implement its own version of the GDPR, currently known as UK GDPR, which will guarantee similar rights to UK citizens.

During the transition period the GDPR will continue to apply in the UK and you won’t need to take any immediate action. You should continue to follow existing guidance on the GDPR.

The GDPR is an EU Regulation and, in principle, it will no longer apply to the UK from the end of the transition period. However, if you operate inside the UK, you will need to comply with UK data protection law. The government intends to incorporate the GDPR into UK data protection law from the end of the transition period – so in practice there will be little change to the core data protection principles, rights and obligations found in the GDPR.

The ICO will not be the regulator for any European-specific activities caught by the EU version of the GDPR, although we hope to continue working closely with European supervisory authorities.

This means that, if everything goes according to the current plans, there will be two (virtually identical) versions of the GDPR: One for the EU and one for the UK. It seems prudent that regulators on both sides will want to keep these two jurisdictions interoperable when it comes to exchanging data between them, but we don’t know that yet. If the UK implements its own, equivalent GDPR, it seems likely though, that both jurisdictions will see each other as countries providing adequate protection.

What Does This Mean for Google Users in the UK Right Now?

Taking all of this into account, what will actually change for UK users of Google’s services on 31 March? On the surface little, as they are still covered by the EU’s GDPR. With the changeover, their data will be stored under the Privacy Shield rules and they will enjoy the protections guaranteed by this.

In practice, however, there might be drawbacks. The EU has repeatedly come under fire by lawyers and privacy experts for the implementation of Privacy Shield – which is based on the itself much-citicised Safe Harbor Privacy Principles. According to the critics, Privacy Shield only guarantees a subset of the GDPR protections and is badly policed. There are many unanswered questions when it comes to US government intervention. Can law enforcement agencies and intelligence services in the US gain access to the data? And if they can, what oversight is there from the side of the EU? And how are they prevented from gaining access anyway? It seems the EU has almost no leverage here and is having a hard time even checking that the companies that are certified under Privacy Shield are keeping up their side of the bargain.

This is especially relevant in the current case because of the tricks the Five Eyes play to get around barriers that prevent them from spying on their own citizens. Since many US intelligence services are not allowed to spy on US citizens and UK services are barred from spying on UK citizens, the US services will spy on UK citizens and vice versa. The Snowden revelations tell us that there is an avid exchange of such data for the mutual benefit of all intelligence services involved – and the detriment of everyone’s privacy.

Therefore, there are open questions if the move of the UK user data to the US opens it up to being subject to surveillance by clandestine government services and law enforcement agencies. It is probable that UK users are affected by such espionage being made easier for US agencies (and their allies in the UK and elsewhere) come 31 March.

The Guardian come to the same conclusion:

If British Google users have their data kept in Ireland, it would be more difficult for British authorities to recover it in criminal investigations. The recent Cloud Act in the US, however, is expected to make it easier for British authorities to obtain data from US companies. Britain and the US are also on track to negotiate a broader trade agreement.

Google could have prevented many of these effects by moving the data to its UK entity, but obviously decided against this.

Further Reading

Data Protection under GDPR, The European Union
Brexit and GDPR, The Law Society Gazette

Feedback

Fadi Mansour writes and says he really likes the word Datensparsamkeit. He adds on the subject of TLS and privacy:

I’m surprised if you’re getting such strong hate for it. My assessment: swollen amygdalas. ;-)

Martin Köhler wrote me an nice email with information on mixed HTTP/HTTPS content. He ran some experiments and says that when creating an example HTTPS site and embedding an episode of the podcast (served over HTTP), both Firefox 72 and Chrome 65 (which is quite an old version) play the file without errors. Firefox gives him a warning next to the URL bar, Chrome only warns in the developer console.

Martin says this is because the <audio> tag is classed as “Mixed Passive/Display Content” and doesn’t count as “Mixed Active/Scripting Content” as per Google and Mozilla.

Additionally, Martin commented on sites being served without TLS. He sees the problem as the user losing a measure of control. If a user visits a website and are forced to connect via HTTP, they don’t know beforehand what JavaScript will be loaded and have to trust that the server isn’t requesting confidential information over the unsecure connection. In that case they might trust the person running the website, but suddenly they also have to trust everyone on the route of the traffic through the internet.

If you also have thoughts on the things discussed here, please feel free to contact me.

Toss a Coin to Your Podcaster

I am a freelance journalist and writer, volunteering my free time because I love digging into stories and because I love podcasting. If you want to help keep The Private Citizen on the air, consider becoming one of my Patreon supporters.

You can also support the show by sending money to via PayPal, if you prefer.

This is entirely optional. This show operates under the value-for-value model, meaning I want you to give back only what you feel this show is worth to you. If that comes down to nothing, that’s OK with me, pard. But if you help out, it’s more likely that I’ll be able to keep doing this indefinitely.

Thanks and Credits

I like to credit everyone who’s helped with any aspect of this production and thus became a part of the show.

Aside from the people who have provided feedback and research and are credited as such above, I’m thankful to Raúl Cabezalí, who composed and recorded the show’s theme, a song called Acoustic Routes. I am also thankful to Bytemark, who are providing the hosting for this episode’s audio file.

But above all, I’d like to thank the following people, who have supported this episode through Patreon or PayPal and thus keep this show on the air: Niall Donegan, Michael Mullan-Jensen, Jonathan M. Hethey, Georges Walther, Dave, Kai Siers, Matt Jelliman, Fadi Mansour, Joe Poser, Mark Holland, Steve Hoos, Butterbeans, Shelby Cruver, Dave Umrysh, Vytautas Sadauskas, RikyM, drivezero and Ali Buchan.