Why is Google changing the way UK user data is processed?

The move is likely to encourage other US tech giants to follow suit as they see the lighter-touch approach to regulation compared with European Union nations.

Why is Google changing the way UK user data is processed?

Google has confirmed that it is changing the way UK user data into the UK is processed in Ireland in order to "prepare for Brexit".

The move is likely to encourage other US tech giants to follow suit as they see the lighter-touch approach to regulation compared with European Union nations like France and Ireland.

The world’s biggest advertising company is changing the data controller for UK users from Google Ireland Ltd to US based Google LLC. It is restoring Google LLC as the service provider and the data controller responsible for UK users’ information, as was the case before GDPR went into force in 2018.

However, the same data protection standards should remain in place for UK users (same as under GDPR), given that there is a UK GDPR following the country’s exit from the European Union, which created the data protection law.

Google said there would be no change to how it processed users’ data and no change to people’s privacy settings. 

A spokesman for Google said: "Like many companies, we have to prepare for Brexit. Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users' information. The protections of the UK GDPR will still apply to these users."

However, Mark Sherwood-Edwards, a legal expert in GDPR and founder of This is DPO, said Google was likely to be the first of many US tech companies to make a similar move. Even though the GDPR still exists in the UK as the UK GDPR after Brexit, the enforcement of GDPR in the UK (under the Information Commissioner’s Office) is likely to be friendlier to companies like Google than in a European Union member state like Ireland. 

He explained: "The main reason is that the ICO is generally viewed as a more business friendly and pragmatic regulator than some of the EU regulators (in particular the French and the German).  For example, although the EU GDPR does not provide that data subject consent is required prior to AI being applied to personal data, the EDPB (i.e. the EU regulators acting as a group) have taken the view that it does. The ICO is unlikely to follow this approach now the UK is out of the EU." 

For example, France’s data watchdog the CNIL fined Google 50 million euros even though Google was registered in Ireland. It did this because it apparently deemed Ireland’s DPC watchdog was too soft on Google and decided to take action itself. By moving British users’ data out of the European Union, Google protects itself against similar kinds of enforcement action by France. 

France has been among the most toughest European nations with regarding to regulating US tech companies, having introduced a digital services tax. 

Topics