And so it begins...despite reassurances, Brexit brings ambiguity to UK’s data protection priorities

It was fairly soon after the result of the EU referendum over three years ago that the government stood up and proudly declared that despite the UK deciding to leave the European Union, data protection regulations would continue to align so that businesses and consumers could feel at ease post-Brexit. 

The EU’s General Data Protection Regulation (GDPR) is the most stringent and comprehensive of data protection laws in the world. The UK has implemented GDPR and will continue to do so during the transition period up until the end of 2020.

However, we are starting to see signs that the UK’s position on this perhaps isn’t as clear cut as previously thought. And by signs, I mean Prime Minister Boris Johnson stating earlier this week that Britain will not align automatically with the European Union’s rules and standards in any future trade deal. 

Perhaps not surprising given how much has changed since the referendum result and Boris Johnnson’s huge win during the recent general election. However, it’s still a far cry from the protections that consumers and businesses had assumed they were going to get. 

Concerns have been heightened this week after it was revealed by Reuters that Google is planning to move its British users’ accounts out of the control of EU regulators, placing them under US jurisdiction instead. 

The move, according to Reuters’ sources, has been directly prompted by Brexit. Ireland, where Google and other tech companies have their EU headquarters, will remain in the EU, which is compliant with GDPR. Keeping British users’ accounts in the EU creates complications. 

Why? There’s a lot at play here, but it’s likely that Google is looking for clarity if the UK does diverge away from the EU. Rather than having British accounts on EU territory, with differing regulatory landscapes, managed by a US company...you can see how it could get messy. 

But it is worth noting that Google hasn’t opted to let British users be answerable to a British subsidiary, instead opting for users to fall under US jurisdiction. 

British users of Google products will be asked to review and accept the new terms before the 31st March. 

Google - and other tech giants - have also faced a tough environment in the EU, with a number of cases targeting the use of the company’s unfair terms and the European Commission putting pressure on them to fix ‘unfair terms’. 

However, it has been noted too that if British authorities wanted access to data held by Google (for a criminal investigation, for example), this would be a lot more difficult if it had been kept in Ireland. 

The recent enactment of the CLOUD Act in the US, which was signed off by President Donald Trump and enables US authorities to demand data from US firms, could too now make it easier for British authorities to do something similar if the data is no longer kept under EU protections. 

As has been widely reported, the US also has weak data protection regulations compared to other major economies. 

Unsurprisingly, the announcement has sparked backlash from the government opposition party, Labour. Chi Onwurah MP, Labour’s Shadow Digital Minister, said:

Google collects a staggering amount of data on the lives of millions of people across the UK – which they now intend to move to the US without consulting British people or their representatives.

No consultation, no accountability and no action from our Government – this is a long way from taking back digital control.

Into the wilderness 

There’s a lot to digest in this news and the main key point to take away is that we ultimately don’t know how this will play out. If the British government had said that it was going to stay closely aligned with the EU’s regulations post-Brexit, in order to maintain a close relationship with the trading bloc, we’d have a pretty clear idea of how these data protection issues would play out. 

The UK would continue to tie itself to the stringent GDPR regime and the US would have to play ball. 

The concern is that if the UK goes its own way - which is looking increasingly likely - what does that mean for the current protections consumers and businesses benefit from? 

Interestingly even the ICO, which is the UK’s data regulator, notes that the end result will largely depend on the trade negotiations that will be taking place up until the end of the transition period at the end of this year. On it’s website, its guidance says: 

Now that the UK has a Withdrawal Agreement with the EU, there will be a transition period until the end of 2020 to allow time to negotiate a new relationship with the EU. During the transition period the GDPR will continue to apply in the UK and you won’t need to take any immediate action. You should continue to follow existing guidance on the GDPR.

What happens at the end of the transition period? That depends on negotiations during the transition period.

There are comments on the ICO’s website that indicate that it is working on the assumption that the UK will continue to operate according to GDPR regulation - but that is just an assumption. In reality no one knows how this is going to play out. 

That is particularly true when you take into consideration that the Prime Minister is looking to secure an ambitious trade deal with the United States. It’s not hard to imagine a scenario where the UK-EU trade negotiations fall apart and the US offers puts something appealing on the table, albeit with watered down data protections…(amongst other things). 

This is one of the first real tastes of what Brexit means for the UK. Lots of decisions to be made about where its loyalties lie and how it sees itself in the decades to come. Do we want to be a highly competitive, deregulated state like the US? Or do we want more protections and regulations, such as the EU? Do we even have much of a say in the matter? We aren’t likely to have a clearer idea until at least the end of the year..