As Google announces plans to move all UK users' data to the US and away from Dublin, one leading data protection expert weighs in with their thoughts.
The reason for this move is unlikely to have anything to do with Brexit, the EU GDPR or uncertainty about what will happen with UK data protection laws, writes Toni Vitale, Head of Data Protection, JMW Solicitors.
This is speculation, but recent tax changes in the US made it more attractive to onshore work to the United States, so this may also be part of the reason. (Google is taking the opportunity to bundle any data collected via its Chrome browser, Chrome OS and Google Drive into the same set of terms and conditions.)
Google's Data Controller Move: The Legal Background
UK organisations that process personal data are currently bound by two laws: the EU GDPR and the UK DPA (Data Protection Act) 2018. Both laws continue to apply until the end of the transition period on 31 December 2020. The EU GDPR will no longer apply directly in the UK at the end of the transition period.
However, UK organisations must still comply with its requirements after this point. This is because the DPA 2018 enacts the EU GDPR's requirements in UK law. The UK government has issued a statutory instrument – the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019.
This amends the DPA 2018 and merges it with the requirements of the EU GDPR to form a data protection regime that will work in a UK context after Brexit. This new regime will be known as 'the UK GDPR'.
There is very little material difference between the EU GDPR and the proposed UK GDPR. So, organisations that process personal data should continue to comply with the requirements of the EU GDPR. Now that it is no longer an EU member state, the UK has been reclassified as a "third country".
This should not make any difference to UK organisations until the end of the transition period. Under the EU GDPR, the transfer of personal data from the EEA to third countries and international organisations is permitted only in certain circumstances:
• If the European Commission has issued an adequacy decision, stating that there is an adequate level of data protection.
• If appropriate safeguards are in place, such as BCRs (binding corporate rules) or SCCs (standard contractual clauses).
• Based on approved codes of conduct, such as the EU-US Privacy Shield. (No such code has been agreed for transfers from the EEA to the UK yet.)
Most organisations that offer goods or services to, or monitor the behaviour of, EU citizens will also have to appoint an EU representative, under Article 27 of the EU GDPR. The UK hopes that by enacting the EU GDPR's requirements in domestic law it should be able to demonstrate that it will continue to enforce international data protection requirements after leaving the EU.
Government has Shifted Position
The government’s position has shifted a little bit though.
At first the government (under Theresa May) said they preferred a new data treaty rather than adequacy because adequacy was for third countries and the expectation was then that we would have closer alignment.
The reason is that the UK adopted the GDPR into UK law, but countries that received adequacy such as Uruguay did not. The current position is that adequacy is likely and desirable and indeed possible by December 2020. However, it is unlikely this is the reason to move the Ireland data centre.
The EU GDPR and the UK version in the Data Protection Act 2018 will apply to Google wherever it sites its data centre and UK users' data. UK law enforcers (and EU ones) will still be able to take action against Google (but this is the same position as now – moving the data centres does not affect this).