While many businesses are holding out to see the data implications and changes following the completion of the Brexit transition period (31st December 2020), Google is reportedly planning to move its British users’ accounts out of the control of European Union regulators and place them under US jurisdiction instead.

The change means that UK users will have their data controlled by Google LLC, instead of Google Ireland, as it was before the UK left the European Union. Google state that this is because it has to prepare for Brexit, and it is unclear whether Britain will follow GDPR or other rules will come into effect that will impact the handling of user data. However, this quickly became big news, and raised a host of additional questions about how UK businesses will be affected.

Google Server
– Google

GDPR and the US CLOUD Act – what’s the issue?

The EU has long been at the forefront of data protection, moving data privacy legislation forward and ensuring consumer protection is a priority with the introduction of GDPR. However, the US adheres to the lesser known US CLOUD Act, and since the legislation was passed by congress in early 2018, several conflicts between this and GDPR have been raised.

With the United States having laxer data protection standards that some other major economies, many are seeing this shift from Google as a real cause for concern.

As British Google account users’ data will now fall under the US CLOUD Act legislation, it will make it easier than ever for governments to access the data of Google UK users. The US CLOUD Act means that no matter where data is stored, US cloud companies must turn over US individuals’ and companies’ data if requested by a US warrant. The legislation also grants foreign governments the power to ask US cloud providers for access to the data of their own citizens, but only for law enforcement reasons. Therefore, now that Google LLC is the controller of data for UK users, UK government has easier access to legally gain UK citizens data.

What’s next for data legislation?

Data security and protection should be of paramount importance to any business or data center, and an essential pillar of data management. With that in mind, it’s vital that business and datacenters bring themselves up to speed and consider the implications of Google’s data shift, and weigh up the risk for their individual business.

Google’s switch could be the start of a new wave of changes that data centers must closely monitor. Lessons can be taken from how previous data legislation, such as GDPR, has been implemented to help predict how these new laws may impact data management in the future.

GDPR saw a greater focus on the ‘processer’ of the data to help the ‘controller’ protect private information and data centers must continue to assess how legislation could change relationships with clients and the services offered.

Data centers will need to be transparent, stay up to date with the latest legislative changes and provide guidance for customers. This will mean working closely with customers to make sure they are fully aware of the rights and are clear on where their information is stored.

For any EU companies in doubt about what is best for managing data, choosing a cloud provider with headquarters and data centers in Europe can offer sufficient guarantees in terms of security and confidentiality as they only have to adhere to GDPR.

For now it’s businesses that must be aware of the implications and adapt accordingly. When terms and conditions change, like they have with Google, they must re-evaluate whether they still meet the business requirements and what the wider implications are.

It could be that we see more companies follow in Google’s footsteps over the next year as technology companies look to make sure they are not caught between different government legislation. However, for now, GDPR will still apply and it is likely that the UK will continue to strive for this high level of protection.

Further reading