Google has announced that it is changing its terms and conditions, in particular moving its UK data from Ireland to the US.
This has made the national media and has triggered a few emails to the Salford CVS offices. Hence this blog post.
So why are Google doing this?
Well, it's essentially a business decision, and it's linked to Brexit, so expect to see more discussion around this in the next few months. There are a lot of things we don't know about Brexit as we head towards the end of the transition period on 31 December 2020. At present GDPR and the related EU legislation continue to apply until 31 December, as we are still part of the EU. After that date the existing standards of data protection are essentially not going away, as they are written into UK law as part of the Data Protection Act 2018, and at present there are no proposed changes in legislation. Based on this we know the following:
- How we share data with non-EU countries (including the US) isn't changing
- Companies will not have to have an EU base to deal with UK customers (as we are not part of the EU anymore)
- We (the ICO) will lose some weight as a regulator (one nation v the whole of the EU)
- The UK potentially becomes a third country in EU data protection terms (the same as many other countries), but that is not 100% known until any trade deals are confirmed. So whilst how the UK shares data with the EU remains unchanged, the requirements for EU to UK data sharing aren't set in stone yet.
As a business based in the US, Google obviously prefers to deal with legal certainties (how the UK can share with the US), and ultimately it's cheaper for them to host data in the US due to having a number of data servers held there! So expect other companies to make similar moves over the next few months.
So is it lawful?
From a data protection legislation perspective, based on current UK legislation, transferring data to the US actually isn't that complicated. Moving data to the US is called an international data transfer. The ICO has various guidance available on this, including the four mechanisms that allow it to happen. The two most relevant to us and this situation are Privacy Shield and standard contract clauses.
- Privacy Shield - essentially guarantees a level of security and rights for individuals. Most companies (including Google) openly promote the fact that they have it, but you can double-check and look it up yourself if in doubt.
- Standard Contract Clauses - again, most companies doing this type of data storage promote this fact. As your data processor, they need to have a suitable agreement in place with you - this will usually be a document called a data processing agreement, or it may form part of a contract or agreement of terms and services. No matter what it's called, you need to have a signed copy! In Google's case there is one available to sign and download online.
Last but certainly not least, you need to make sure you have told people that their data is being held in the US. Make sure that you update all your privacy notices to include this. Being open and transparent with people about how you handle their data is a key principle of data protection, so it could easily be argued that this is the most important step!
Is it ethical?
Much of the media debate has actually been focused on how data in the US is more easily accessed by government agencies (both the US and UK governments). This is lawful, but is it ethical for organisations to knowingly put their data in the US? It's tricky and ultimately depends on you, your organisation and the types of data / individuals you work with.
What does this mean for charities?
The first priority will be checking your data flows and making sure you have appropriate agreements in place and that your privacy notice is up to date. It's as simple as that!
After that it is a case of watch this space!
This is going to be a moveable feast over the next few months as the UK thrashes out its stance with both the EU and the US as part of broader trade agreements, and companies make their own decisions and form their own opinions. It will be very political, as the UK has a mixed reputation in terms of privacy, in part due to our approach to mass surveillance (CCTV etc). This doesn't affect our relationship with the US, but it may potentially limit our data protection adequacy status with the EU. But then again we are a key trade and intelligence agency for the EU. You may wish to add this aspect to your organisation's risk register, as I can see a number of boards having to have a balanced discussion by January 2021 once we know what is happening.
For many organisations it will be a debate between the cost savings offered by many of the "tech giants" versus the data ethics for their organisation and services. I can also see a number of companies offering their data storage location as a key selling point (e.g. EU or Canada), similar to what happened two years ago as GDPR first came in. Organisations will be able to lawfully hold their data in the US, but longer term it is a question of whether they want to, especially if they work with particularly vulnerable groups in areas such as migration or justice.