One of our team came across this article yesterday morning, seemingly implying that Google are considering moving their British user base out of their Irish jurisdiction (weakening privacy) because it is unclear whether the UK will follow the GDPR.
This morning I received the email to the right, but what exactly does this mean for users of Google services?
As the above article suggests, Google LLC is now the legal Data Controller, so even though they're based in the USA, they still need to comply with the GDPR. Google do subscribe to Privacy Shield (the adequacy agreement), so for now nothing changes for Privacy. After December 31st however, things are a little unclear and I'll come to that in a moment.
Last week we posted on Social Media about Boris Johnson submitting a written statement to the House of Commons, saying "The UK will in future develop separate and independent policies in areas such as (but not limited to) the points-based immigration system, competition and subsidy policy, the environment, social policy, procurement, and data protection, maintaining high standards as we do so. ".
The media and "experts" have immediately jumped on this as a negative, saying the UK is barely compliant with the GDPR and the EU won't give us an Adequacy Agreement, which indeed they may not . . . but equally we are and they may!
Adequacy Agreements generally take time to be put in place, so the easiest way to achieve a continuing relationship is to absolutely mirror the GDPR and Data Protection Act 2018 as they stand now, if not build upon them further strengthening Privacy in the UK.
What is clear is that if the UK is to continue to trade with or serve EU customers, we'll still have to adhere to the GDPR and the EU are unlikely to trade data with us in the same way if our Privacy laws are not at least comparable to the GDPR.
Is there genuine reason for Google (or others) to be concerned?
At present, we don't honestly know for sure but we don't think so! That said, as experts in Business, Data and Data Protection, we need to know what's going to happen to deliver the control, stability and security our clients seek.
For three years now, Xynics have been a supporting sponsor of the annual Data Protection conference run by the Data and Marketing Association. This year that is next Friday 28th February, the DMA's Data 2020 conference in London. One of the subjects on the agenda is Brexit and Data Protection and this is expected to be discussed and debated at length.
The ICO will be there, as will many industry professionals and influencers of legislation, so we'll know more from the "horses mouth" on what the landscape might look like after this event.
I'm going to stick my neck out and make a prediction based on my own 25+ years and Xynics' 14 year experience in data processing and data protection.
- Until GDPR, the UK was always seen as the global leaders in data privacy. At the data conference in 2018, the ICO (UK's regulator) and the Data and Marketing industry shared a goal to cement the UK back at the top of that league table. We think that the industry (and government) will take this as an opportunity to focus on that goal.
- Last year the proposed ePrivacy Regulation once again failed to obtain EU Council approval as elements of its scope could not be agreed. Prior to the EU, the UK never had a specific ePrivacy law of its own, so this will be new and either incorporated into the Data Protection Act, or a separate law.
- The UK already has the Data Protection Act 2018 already extends upon the GDPR in many areas and only "weakens" it where such derogation is allowed in the GDPR. If the UK is to continue trading with the EU (exchanging data, staff and goods or services), we'll have to adhere to GDPR anyway,.
Considering this it's really not a massive leap to believe the UK won't be relaxing our laws and based on Boris Johnsons statement, we will be strengthening them so processing data of UK citizens outside the UK will likely still require adherence to the Data Protection Act, just as adherence to the GDPR is required now.
As for Google's decision, we think they've acted a little early. The formal notice to leave the EU only happened less than a month ago, starting that ticking clock to actual exit from the EU. If we were advising them, we'd say plan for such concerns, but unless there's a really good reason to do this now, hold on to September or October to see what's going to happen!
Who are Xynics?
Xynics are business and data consultants, and certified Data Protection Practitioners. Experts in helping businesses to understand, simplify and control information giving them control, stability and security for their business.
With knowhow and expertise stretching over almost every industry and business function, to help businesses to gather data, bring information together, analyse it and make informed decisions based upon it, by enabling control, stability and security in the business processes, ensuring everything they do is productive for the business and compliant with the law.