Google's UK To US Data Switch Is About Avoiding Massive EU Fines

The decision at Google to move UK customer data to America has given rise to a lot of debate this week.

As ever, a lot of it misses the point, but some is worth listening to. At the same time, virtually nobody is asking the really difficult question. What does this mean for EU citizens living in the UK?

The first point to bear in mind is that if anyone is removing data from the guaranteed protection of the EU law, it's the UK Government.

Britain voted to leave the EU, and in so doing, will need to decide its future stance on privacy. Given that the UK already has the GDPR enshrined in law and will want to continue to be used as a base for brands working across the EU, it is highly unlikely there will be a significant step back from the current law.

It might even be worth pointing out at this stage that there was actually very little in GDPR that wasn't already enshrined in UK law under the previous Data Protection Act. There was an attempt to get everyone using consent, but the legitimate interests usage basis was still maintained.

Special categories of protected data, the right for data portability and more transparency on how data was used to make decisions were the main new rights. What really changed was the level of fines.

Which brings us to Google, which only last week started what will likely be a series of appeals against fines from the EU that have run into the billions of dollars.

Asking Google why it's taking UK customer data out of the EU is a little like asking a tech giant why would it possibly want to derisk a customer database from the potential of billions of dollars of fines. It's not the toughest question, is it?

You can read as much as you like into the decision but usually the simplest explanation is the best. If you could take customer data out of a regime that's fining you billions of dollars, why wouldn't you?

The bad steer in all of this is privacy campaigners claiming that Google is trying to pull a fast one. Sure, it might be, but you can't get around the fact there will still be data protection laws in the UK that will likely maintain the protections of GDPR.

It might have been easier all round if Google had taken the data out of Ireland and stored it in the UK but, regardless of what you think of the US move, UK laws will still apply to the use of customer data.

So what changes? The regulator, of course. I can't think of a single tech giant that would rather deal with the EU, via Dublin, than go back to the far friendlier days when the Information Commissioner's Office (ICO) ran the show out of London.

Before GDPR was brought in, punishments were at the ICO's discretion and the body had a reputation for always trying to help businesses do the right thing. Companies that had tried their best and were holding their hands up to a failing were generally dealt with far more fairly than the current EU regime where local watchdogs have less leeway in determining fines.

So, sorry to break it to every conspiracy theorist out there. Yes, Google might well be hoping UK law becomes a little softer than that found across the EU,but there will still be laws that need to be adhered to and they are unlikely to break with GDPR to any great degree.

You need to look at what will change and you see Google is choosing to deal with the ICO rather than the EU for British data.

A watchdog with more discretionary powers is what this all comes down to. They want a conversation when things go wrong, not an automatic billion-dollar fine.

And that brings us on to the real thorny issue. EU Citizens are offered protection under GDPR, but there is not geographic limitation in the law. There is no extra sentence stipulating "'and living in the EU."

So what happens to millions of current and future EU citizens who come to work and live in the UK? What rights apply to their data?

For me, that's the real question to ask here, and one can only expect it will be the focus of much debate in the year ahead. 

Next story loading loading..