UK Google data moving to the US – what does this mean for UK organisations?



Neil Thacker, CISO EMEA and LATAM at Netskope by Neil Thacker, CISO EMEA and LATAM at Netskope

On 31st March this year, in response to the UK leaving the EU, the US arm of Google will become the data controller responsible for Google UK customer data. This change in residency of customers’ data was unexpected – customers were told of this in late February – and it will see data jurisdiction move from within the EU (Ireland) to the US.

While consumers may not read the updated terms of service, professionals have been more cautious. Reaction among CISOs and Data Protection Officers has been varied as they try to discern the impact of the move on their rights as data owners.

US Cloud Act

For enterprises that are concerned by the US Cloud Act, remember that the Act requires confirmation that the data subject at the centre of an order is a US citizen.  Further assessments take place as part of the order, such as; whether the request to the cloud provider breaches local law; whether there is an executive agreement in place; whether there are defeating arguments in place against the order; and whether there is a need for a comity analysis by a US court. These steps easily debunk myths that the US Cloud Act simply allows the US to demand access to any information. 

GDPR and the UK Data Protection Act 2018

For organisations with employees that remain in the EU post-Brexit, existing GDPR regulations allow you to store and process data in a jurisdiction as long as that data is processed in compliance with the GDPR. There is a 12 month negotiation period during which all EU protections are still afforded to UK citizens, but by the time the clock runs down we will be hoping to see the UK government review and ratify the Data Protection Act 2018 as part of its comprehensive review of all legislation that is impacted by the country’s exit from the EU. This Act was finalised as the UK enactment of the EU GDPR legislation, so should provide a lot of reassurances about the protection of UK data, but it will still also need to go to the EU for ratification of ‘adequacy approval’ to confirm its equivalency to GDPR to allow for UK-EU and EU-UK data transfers.

Privacy Shield

Another important data protection mechanism to watch in the coming year will be the status of a UK – US Privacy Shield framework agreement. Privacy Shield replaced the US Safe Harbor agreement and promises that ‘HR and non-HR’ data transferred to the US has the same protection as if it is held in an EU jurisdiction. Until now, UK organisations were able to sign up for EU-US Privacy Shield, but as the UK has left the EU this protection will need clarifying over the next few months. Switzerland has its own Privacy Shield agreement with the US and the most obvious model would be for the UK to do likewise. 


Newsletter

Time is precious, but news has no time. Sign up today to receive daily free updates in your email box from the Data Economy Newsroom.


Standard Contractual Clauses

Standard Contractual Clauses (SCCs) are the fall back for organisations wanting a contractual agreement that covers the fundamentals of data protection. A review of existing GSuite contracts to determine which international data transfer agreement is in place is recommended. This is something that should be done for all cloud services in use by an organisation – both sanctioned and shadow – to ensure that organisational data is being kept in compliance with the necessary global regulations.

In the face of these new Terms of Service, we will not see an exodus of enterprise Google customers looking to replace their infrastructure with local service providers. The complex web of international data protection laws means there is no clear need. However, we may see very large enterprise GSuite customers in a good position to make demands about where their own data is held, for their stakeholders’ reassurance, even if these demands fall outside of the normal Google operational model. There are significant flagship GSuite customers in the UK and it may be that they can attain exceptions for their own data residency. 

For GSuite customers who are not so powerful, but are still uncomfortable with their data potentially sitting within the US jurisdiction, the EUUG is a fascinating model to consider.  EUUG is the European User Group for Enterprise and Cloud Data Protection, and it was formed to give some of Europe’s financial institutions unionised empowerment in negotiations with Microsoft.  UK CISOs can perhaps take heart from the naming of this group and the fact that they are still in Europe even if they are no longer in the EU.

Perhaps complexity around international data protection will see more organisational coalitions formed in the future, with cloud customers creating groups of organisations that can resist unilateral decisions around data residency and jurisdiction. With global political alliances and trading agreements shifting, we are likely to continue to see national and multi-national data protection case law being tested. On the surface however, there is currently no immediate need for panic around Google’s new terms of service for UK customers.

Read the latest from the Data Economy Newsroom: