Be careful if you “Google” it

  • Posted

Whilst post-Brexit Personal Data Compliance remains an uncertain source, Google may go ahead with a pretty alarming relocation of UK users data.

Currently, UK personal data is stored in Ireland, along with other US tech giant’s servers.  Ireland has been the tech companies’ European headquarters.  Now that the UK is no longer in the EU, our personal data held by Google won’t be either.

UK Data Law post-Brexit

There is a lot of uncertainty as to whether the UK will be adopting new data rules, or sticking with what we have under the General Data Protection Regulation (GDPR).  GDPR is a world leading regulation in terms of protecting our personal data.  Personal data is now one of the most lucrative assets a company can hold, and concerns over protecting our individual privacy have mostly been consoled by GDPR.

The UK government have suggested they may implement new data protection rules (it was previously understood that these would “mirror” GDPR and the UK would then be recognised by the EU as a third country under the regulation), and it is unknown if the EU will recognise and accept our new rules enabling personal data to flow from the EU to the UK.

This has prompted Google’s move from Ireland, not to the UK, but to the US.

What does this mean for Business?

There is currently very little protection of UK Citizens’ personal data in the US.  We know that under the Cloud Act (which has been passed in the US), it will be much easier for British authorities to obtain personal data from US based companies.

Google has one of the largest stores of personal data.  It is expected that Google will circulate new terms and conditions authorising the move of UK Citizens’ personal data.  Of course, no-one is obliged to sign up to the new terms nor to continue to use the service.

A statement issued by Google reads: “Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information.  The protections of the UK GDPR will still apply to these users.”

It is difficult to say what this might mean for small businesses who may Google people or places as part of their trade.  It would be prudent to include in company terms and conditions a section that brings your customers’ and clients’ attention to the fact that you may “Google” their names/addresses, for directions or identification purposes perhaps, and will therefore be passing their personal data into the US jurisdiction.

If you would like to discuss this further, please contact our Commercial Team on 01273 324041 or email enquiries@griffithsmith.co.uk

Author: Griffith Smith LLP