The decision by Google to move UK data and accounts from the EU to the US will spell huge ramifications for its regulation.
As a result, UK-based users of Google and its services, including Gmail, YouTube and the Play Store, will need to agree to a new set of terms and conditions.
However, Google has stated that the current protection that its UK data receives from EU GDPR will continue to apply.
It’s believed that the decision was made due to uncertainty surrounding whether UK data would continue to follow GDPR or establish its own data regulation system.
How UK companies can prepare for a new national GDPR post-Brexit
Seth Wallis-Jones, principle analyst at Omdia, said: “Boris Johnson has stated that the UK will pursue its’ own independent data protection policy. It would be surprising if that did not push for restrictions on where that data can be stored.
“However, the Government has many major legislative tasks and negotiations ahead, and as highlighted by The Information Commissioners Office (ICO) just a few weeks ago, there is no clarity on what the data protection landscape will look like at the end of the transition period.”
Data flows to be unaffected
As discussions between the UK and EU regarding data regulation remain to be concluded, there is the possibility that data sharing between the two blocs will become illegal should negotiators on both sides fail to come to an agreement by December 31st 2020.
Brexit and the GDPR: what will happen to data transfers and data protection?
However, Toni Vitale, head of data protection at JMW Solicitors, believes that Brexit will not affect data flows, and while companies should remain vigilant, there is no need to follow Google’s lead.
“Infringements of the EU GDPR’s requirements for transferring personal data to third countries or international organisations are subject to the higher level of administrative fines: up to €20 million or 4% of annual global turnover, whichever is greater,” said Vitale. “Organisations that process EU residents’ personal data should therefore put measures in place to ensure they continue to comply with the law after 31 December 2020 in case no adequacy decision is reached, but moving their data to another jurisdiction is not necessary and may be too drastic an option.
“The UK wants the free and unhindered flow of data between the EU and the UK to continue, as it believes it is crucial for the economy. Although an adequacy decision would enable this, the UK has argued that the adequacy approach ‘would not reflect the breadth and depth of the UK-EU relationship’.
“One option previously considered is something more bespoke than adequacy. This bilateral treaty would encompass mutual recognition of data protection standards and would have status in international law.
“The UK intends to recognise the EU’s data protection system as adequate, even in a no-deal scenario, which means that Brexit should not affect UK to EEA data flows.”
A chance to assert principle
This announcement by Google also brings concerns that UK user data will be more exposed.
However, this may prove to be a chance for companies to crack down on data insecurities.
“Millions will have their personal data transferred from an environment of very high protection to the United States which has among the weakest privacy protections of any major economy,” said Ashley Friedlein, CEO of Guild.
“In the wake of this, British businesses will also need to take a stance. There is an opportunity for Britain, and British businesses, to stand for integrity and commit to the highest standards of personal data protection – either via the EU’s existing GDPR, or the UK could come up with something equivalent or better.”