Google is planning to move its British users’ accounts out of the control of European Union privacy regulators, the tech giant has confirmed.
The company will reportedly be moving its British users out of Irish jurisdiction and placing them under US jurisdiction instead.
The decision, confirmed by Google and first reported by Reuters based on ‘people familiar with the plans’, has been prompted by Britain’s exit from the EU.
The shift will leave the sensitive personal information of tens of millions of Brits with less protection and within easier reach of British law enforcement.
The EU has one of the world’s most aggressive data protection rules, the General Data Protection Regulation.
The probe was the result of a number of submissions against the company, the Irish Data Protection Commissioner said. This includes from privacy-focused web browser Brave
Google and other US tech companies have their European headquarters in Ireland and the Irish Data Protection Commissioner is the lead regulator of the search giant in Europe.
Google has decided to move its British users out of Irish jurisdiction because it is unclear whether Britain will follow GDPR or adopt other rules that could affect the handling of user data, the people said.
Google intends to require its British users to acknowledge new terms of service including the new jurisdiction, according to people familiar with the plans.
‘Like many companies, we have to prepare for Brexit,’ Google said in an emailed statement to MailOnline.
‘Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information,’
There will be no change to the way Google processes users’ data, privacy settings or the way it treats their information, Google said.
‘However, our data protection standards remain in place for UK users – same as under GDPR.
‘The protections of the UK GDPR will still apply to these users.’
Google could have had British accounts answer to a British subsidiary, but has opted not to.
If British Google users have their data kept in Ireland, it would be more difficult for British authorities to recover it in criminal investigations.
The recent Cloud Act in the United States, however, is expected to make it easier for British authorities to obtain data from US companies.
Britain and the US are also on track to negotiate a broader trade agreement.
The US has among the weakest privacy protections of any major economy, with no broad law despite years of advocacy by consumer protection groups.
Even though the UK left the EU at the end of January, the UK will still need to comply GDPR requirements
Google has amassed one of the largest stores of information about people on the planet, using the data to tailor services and sell advertising.
Lea Kissner, Google’s former lead for global privacy technology, said she would have been surprised if the company had kept British accounts controlled in an EU country with the UK no longer a member.
‘There’s a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland’s scope sounds super-messy,’ Kissner said.
‘Never discount the desire of tech companies not be caught in between two different governments.’
In coming months, other US tech companies will have to make similar choices, according to people involved in internal discussions elsewhere.
Facebook, which has a similar set-up to Google, did not immediately respond to requests for comment.
Ireland’s Data Protection Commissioner launched its first privacy probe last May over how it handles data for advertising.
The probe was the result of a number of submissions against the company, the Irish Data Protection Commissioner said, including one from privacy-focused web browser Brave.