With Brexit official as of Jan. 31, the UK and the EU now have just 10 months to hammer out the policy details of their separation. In the meantime, rules -- including those applicable to data privacy[1] -- will continue to apply as normal. However, Google isn't waiting for the end of the transition period to update its terms and conditions[2] as they relate to privacy; the tech giant just announced[3] that, since the United Kingdom is leaving the EU, as of March 31, 2020, Google LLC (Google's US entity) will become the service provider and the data controller responsible for its UK users' accounts -- in lieu of Google's European entity.
If you think that this is just a detail for lawyers and data protection specialists, think again! This decision may not result in an immediate, material change to UK users' privacy, but it will soon. Making Google LLC the data controller for UK personal data means that:
- Google's UK business will be out of the reach of European data protection regulators. Because of the extraterritorial effect of GDPR, Google LLC will still need to comply with these rules as far as the personal data of its UK users is concerned.[i] However, any future decisions or enforcement actions[4] brought to Google Ireland by any of the EU data protection authorities (DPAs) will not affect Google's business in the UK. Google's decision comes at time when a number of DPAs are investigating its privacy practices[5] across Europe. This means UK users may or may not see any benefit from these actions, while European users will.
- The case for the UK's adequacy status just became more complicated. The UK ICO (Information Commissioner's Office) clarified that GDPR will apply until the transition period is complete