Google is to move the data and user accounts of its British users from the EU to the US, placing them outside the strong privacy protections offered by European regulators.
The shift, prompted by Britain’s exit from the EU, will leave the sensitive personal information of tens of millions not covered by Europe’s world-leading General Data Protection Regulation (GDPR) and therefore with less protection and within easier reach of British law enforcement.
Google intends to require its British users to acknowledge new terms of service including the new jurisdiction, according to people familiar with the plans.
“Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information,” Google said in a statement. “The protections of the UK GDPR will still apply to these users.”
Ireland, where Google and other US tech companies have their European headquarters, is staying in the EU, which has one of the world’s most aggressive data protection rules, the GDPR.
It is understood that Google decided to move its British users out of Irish jurisdiction because it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data.
If British Google users have their data kept in Ireland, it would be more difficult for British authorities to recover it in criminal investigations.
The recent Cloud Act in the US, however, is expected to make it easier for British authorities to obtain data from US companies. Britain and the US are also on track to negotiate a broader trade agreement.
Beyond that, the US has among the weakest privacy protections of any major economy, with no broad law despite years of advocacy by consumer protection groups.
Google has amassed one of the largest stores of information about people on the planet, using the data to tailor services and sell advertising.
Google could also have had British accounts answer to a British subsidiary, but has opted not to.
Lea Kissner, Google’s former lead for global privacy technology, said she would have been surprised if the company had kept British accounts controlled in an EU country with the UK no longer a member.
“There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy,” Kissner said. “Never discount the desire of tech companies not to be caught in between two different governments.”
Jim Killock, executive director of the digital rights organisation Open Rights Group, said: “Moving people’s personal information to the USA makes it easier for mass surveillance programmes to access it. There is nearly no privacy protection for non-US citizens.
“Google’s decision should worry everyone who thinks tech companies are too powerful and know too much about us. The UK must commit to European data protection standards, or we are likely to see our rights being swiftly undermined by ‘anything goes’ US privacy practices.”
The UK’s exit from the EU and its data protection regulations are likely to make the data-sharing agreements that cover transfer of user information from one part of a global business to another, or to other businesses, extremely complicated.
If the UK decides not to adopt rules that provide data protections equivalent to those granted by GDPR, then extensive data-sharing agreements may be necessary. In coming months, other tech companies will have to make similar choices to Google.
Facebook, which has a similar setup to Google, did not immediately respond to requests for comment.