
Not so much DuckDuckGo...
...more F***F***You Google.
Google's UK users will see their data shifted to a US-based data controller from the end of next month with the ad giant blaming Brexit for the move. In a statement, Google said that UK users will now have Google LLC – the US-based operation – as the legal controller of their data instead of Google Ireland Limited. Google …
Meh. Google does not and never has had any control of my privacy.
I'm not sure that's true. I've never had a facebook account, but I bet Zuckerberg knows all about me - friends have accounts so data about me leaks, and it'll be the same with google. Got a mate with GMail?
No, the UK doesn't have a data rights or protections agreement with the EU. However, the UK doesn't have one with the U.S. either, as that was agreed between the EU and the U.S.
So Google moved their data on UK residents to the jurisdiction where they could get the biggest return from selling it, because there was some convenient ambiguity. Then they blamed Brexit for their actions.
I have a German friend who lived in the UK 20 years ago.... problem with the English is they are living in a 3rd world country...
And yet your German friend would prefer to live here rather than the Fatherland? It seems most likely that he's never been to a third world country and was merely tweaking his prejudices to better fit with what he perceives is your world view. He thinks you hate England so he pretends he does too. Nobody leaves a first world country to live in "a third world country" because they like British beer.
It does and the DPA 2018 still covers the UK, so if Google classes the data as no longer European, they would have to store it in the UK, until the UK has a treaty with the USA, otherwise they are breaking the DPA 2018 (the UK implementation of GDPR, which will remain in effect until it is changed by Parliament).
No they wouldn't. There's no requirement in the GDPR or DPA 2018 restricting location of storage, only a requirement that adequate protection (and that means rights protection, not just "security") is in place where the data is processed (and that includes storage) if that place is outside the EEA and does not have an adequacy decision. The US has Privacy Shield (for what it's worth) so any such data transfers as this are lawful.
GDPR states protection equivalent or better than the EU/UK. The US is a looooooong way off from providing that!
https://gdpr-info.eu/issues/third-countries/
one must check in a second step whether transfer to the third country is permitted. One must differentiate between secure and unsecure third countries. Secure third countries are those for which the European Commission has confirmed a suitable level of data protection on the basis of an adequacy decision. In those countries, national laws provide a level of protection for personal data which is comparable to those of EU law.
...
Andorra, Argentina, Canada (only commercial organisations), Faroe Islands, Guernsey, Israel, Isle of Man, Jersey, New Zealand, Switzerland, Uruguay, Japan and USA (if the recipient belongs to the Privacy Shield).
But the UK is no longer part of the EU and therefore Privacy Shield does not apply to UK data, so a new treaty between the USA and the UK will be needed, before UK data can legally be transferred to the USA. And the USA is still dragging its heels on Privacy Shield, they still aren't compliant with the treaty after nearly 4 years - for example they still haven't assigned a permanent ombudsman for privacy matters, as required under Privacy Shield.
The US's Privacy Shield is as worthless as the previous US data protection nonsense. In essence there is no worthwhile data protection in the US regime for natives or non-natives. "Privacy Shield" is a worthless voluntary piece of fluff with no backing in US law, non-US natives cannot prosecute a US organisation for a voluntary agreement, and you can imagine just how well an "alien" would be received trying to prosecute a glorious US organisation in a US court.
Yes, you know it's a load of b***ocks, I know it's a load of b***ocks, I think all of us here know it's a load of b***ocks. But for the moment, authorities in the EU have declared that Privacy ShieldFigleaf is valid - and therefore the transfer would be legal.
When Privacy ShieldFigleaf gets blown out of the water, which will happen in due course, then things will be different. Until then, it's legal. As Max Schrems has shown, the wheels of the legal system turn slowly.
The ICO should be involved.
The difficulty will also be with EU citizens' personal data using Google services. I am Irish, living currently in Northern Ireland, but I have a gmail.com email addy -
Under GDPR, my (Republic of Ireland) rights under GDPR remain - how in the name of sweet bejesus would Google work out if I am EU or UK?
Further, I might receive other people's personal data to my Google Drive - and how do I respect EU citizens' rights?
Finally - the latency to Ireland from London is around 20-30 ms. It's 90 to New York. Is this an opportunity for Microsoft?
> The difficulty will also be with EU citizens' personal data using Google services. I am Irish, living currently in Northern Ireland, but I have a gmail.com email addy -
The Good Friday Agreement strikes again!
Actually, they should have to deal with that anyway, EU citizens are covered worldwide by GDPR (of course companies only have to worry about that if they do business in the EU, but Google clearly do), so a Frenchman living in London would still be covered. This also somewhat illustrates the practicality of having such legislation at a continent rather than country level.
As others have said, there should be no problem with them continuing to hold UK citizen's data in ROI. In fact the UK is supposedly retaining GDPR-based legislation, so even if we're no longer recognised as a place where EU data can be held it should be possible to hold it in the EU (a situation that comes about because we want to be recognised as adequate for GDPR). If not in the EU then the UK is the only place it could be held. Google are very much trying it on.
"Why? Would your GDPR rights still exist if you lived in Mexico, which is also not in the EU? I.e. - are your rights connected to citizenship rather than country of residence?"
Of course the rights exist. Enforcing them might be a different kettle of fish though. The USA have been attempting to apply their laws worldwide for quite some time now. Why should other jurisdictions not try the same thing?
Interestingly, nothing changes, legally, because of Brexit. The UK DPA 2018 is the implementation of the GDPR in UK law, so it still stands, until repealed. Therefore, moving the data to the US would be illegal, but I'm guessing that Google reckons that they can hoodwink the UK public and Government, before they realise what is going on.
I'm reasonably confident that all they want is my money.
Not defending Google here (I hate their methods as much as the next IT person) but have you read the Microsoft EULA?
Yes, they want a lot more than your money. Why else do they give themselves the right to go through your data, and just for an added insult delete anything they don't like?
I wonder what criteria Google will use to decide whether someone is British or not?
They won't know the nationality of many of their users. They may know residency but even that could be uncertain (or deliberately faked). If you are an EU Citizen living in Manchester, will you now be considered a Brit for Google purposes? If you are a Brit living in Dublin, are you still a Brit for Google? If you're a Brit living in the UK but made your account when you were still living in Berlin, does Google think you are German?
And, of course, most importantly. What can a poor sod with UK nationality, living in the UK, do to let Google think you are not British?
I have gone out of my way to give Google as limited information as possible (never stay logged into Google, always destroy their cookies, disable as much activity tracking as they allow me to).
I have just set my language to English (Ireland) but couldn't find any place they set my location. Until I found Google Wallet that I have never used and found it populated with an old address and other stuff. How did that get there and can I just remove my Wallet profile altogether?
Google along with Amazon knows everything possible about you already.
They even know things that you have forgotten.
It will already have been packaged up and sold on.
Just get used to you being called by scam artists from the USA alongside the ones from India.
A fact of life in Doris's post BREXIT Blighty. This is the new norm. Get used to it.
UK law is the Data Protection Act 2018.
I'm not convinced that Google's actions are legal under that Act and will be inviting the ICO to take a look.
(Which is obviously a waste of my time because the ICO are even less effective and less interested in actually doing their job than the Electoral Commission.)
Yes, but GDPR applies to companies processing the data of an EU citizen, location doesn't matter for that purpose.
(As mentioned it also seems incompatible with UK law, quite possibly it's a move from Google simply because they don't believe we can enforce it now.)
> I wonder what criteria Google will use to decide whether someone is British or not?
Nationality is irrelevant, as the article says this is about "UK users". GDPR, and its UK implementation, refer only to 'data subjects', which are defined as people present (not even resident) in the specified area. If you're a US citizen on holiday in the EU any data collected about you while you're there is subject to GDPR.
I do not have any agreement with Google, I do not use its services. However: I suspect that it has a lot of data about me.
If they have no agreement then they do not have my permission to move what they have about me out of the UK/EU. How are they going to manage this?
I expect that they will just move my data to the USA and that there is feck all that I can do about it.
'.. I expect that they will just move my data to the USA and that there is feck all that I can do about it.'
I suspect the aggregate data that Google have gathered and tagged as 'you' was already on servers in the USA, just like all the rest of the data they hold on everyone, everywhere..irrespective of whatever laws have been passed to try stop this.
I suspect that all this truly means is that rather than having the CIA/NSA trawl through the UK data held on their US servers tagged as legally 'foreign', now, as the tag has changed to legally 'USian', the FBI,DHS etc can also get to play silly fuckers with it..
I'm now waiting for the post-Brexit legal fun to start with my remaining email accounts etc hosted in EU countries, mostly Germany..
All bets are off after 31st December mind...
Nope. GDPR is enshrined in UK law, and that law will apply until Parliament explicitly changes it. Brexit simply makes it possible for Parliament to do so if it wants to, and since UK consumer protection law is generally tougher than EU minimums there's no obvious reason why Parliament would want to do so.
> Brexit simply makes it possible for Parliament to do so if it wants to, and since UK consumer protection law is generally tougher than EU minimums there's no obvious reason why Parliament would want to do so.
Usually, money or the ability to spy/control the population are sufficient. In this case, it is both. Expect a new (watered down) DPA sometime in the next couple of years.
> Usually, money or the ability to spy/control the population are sufficient. In this case, it is both. Expect a new (watered down) DPA sometime in the next couple of years.
The UK has consistently had stronger consumer protection laws than the EU for decades. The first Sale of Good act was passed in the 19th century, the current one gives 6 year warranties versus the EU default of 2, etc. The previous pre-GDPR UK DPA had stiffer penalties than, say, the German one. There is absolutely no reason to think that leaving the EU would change that, given that even when a member of the EU the UK did not take advantage of weaker EU laws to weaken its own.
After years of therapy and mindfulness I thought I was healed.... But no! Once again my head is infested with a My fucking Chemical fucking <Paul Calf> Rrrrrrowmance</Calf> song. You will be hearing from my solicitors!
(Don't click this. Really: don't. Makes Flat Eric, Jonah Lewie and the Matey bubblebath jingle seem mildly annoying.)
...just realised I said that aloud, hastily toggled the anon flag. Whatever you do, please don't tell my wife..!
https://youtu.be/Ol63bo1mv6s
And not a single mention of this on the Beeb News website - well not yet and as expected FA from UK Gov!! This is truly worrying as the US data protection legislation is significantly inferior to EU legislation, and that's putting it mildly!
I understand that Google are in a bit of a bind here legally, damned if they do, damned if they don't; but the timing seems very off to me.
As far as Len's post goes the use of phrase European Union citizen is not helpful when dealing with GDPR because GDPR is not concerned with citizenship, instead it is concerned with where a person is located. The term EU resident is more useful, or a person located in the EU.
(quote from https://www.hipaajournal.com/does-gdpr-apply-to-eu-citizens-living-in-the-us/)
It goes on to state:
"GDPR requires the personal data of an individual residing in an EU country to be subject to certain safeguards and their data rights and freedoms must be protected. When an individual leaves an EU country and travels to a non-EU country, they are no longer protected by GDPR.
If an EU citizen travelled to the United States and interacted with an EU business, which required the collection of their personal data, their data rights and freedoms would be dictated by US federal and state laws. GDPR would not apply."
Any comments Boris??
Thanks Brexiteers, here's another fine mess you've got me in to!
And now for the hate mail........
Here's another 3 messes that brexit has already caused.. Again, largely ignored by the media...: https://www.theguardian.com/commentisfree/2020/feb/12/these-three-post-brexit-bills-bulldoze-a-hole-through-environmental-protections
Is there anything we can do right now?
I would have said a few months ago that the government would not be so stupid as to weaken data protection rules here in a way that put data exchange with the EU in jeopardy. Now I'm not nearly so sure. You presently have the right to ask for your data to be deleted (but no right to verify that), but the continued existence of that right is purely now a matter for the UK/British/English/London or whatever locus of independent government should emerge from the post-Brexit fragmentation.
You still have until the end of the year to establish residence in another EU country...
I have found this set of instructions, updated yesterday so probably in response to this development: How to reduce your Google footprint
You pay extra for Google Suite Business package to be able to decide where your data is at rest. This function is now being taken away so surely the package should become cheaper. Also, we are no longer members of the EU but still in the transition period so surely the data HAS to stay in the EU until the 31 December.
Also, isn't the location of at rest data also part of GDPR or have I got that part wrong?
Despite all this, having your data at rest in the EU as a business was semi pointless anyway. As despite having EU relays Google still sends all business EU email through their US servers first. I wonder if that's so the CIA can take a quick snoop. Funny how Microsoft has EU based servers and is still able to keep your data going through their EU servers in transit but Google can't.
The "transition period" covers the EU-UK relationship only, it's an agreement only between them.
But I believe since EU membership terminated on January 31st, other entities are fully free to consider UK no longer an EU member and thereby are bound only to UK laws, and treaties with UK.
GDPR applies to "EU residents" - I think it's hard to assert UK people are EU residents now. UK Data Protection laws still apply, of course, but that has to be enforced by UK alone, without any help from EU - Vestager has no power now to question Google about what happens in UK.
ICO has regained full control - tell them to ask Google to bring the data back.
But GDPR is part of UK law now and to trade with the EU, aren't we supposed to honour it? And data collected by several companies may hold data on EU nationals, especially local councils who use GSuite. So won't those local councils be breaking the GDPR law allowing EU nationals data to leave the UK?
So, what Google have *actually* said is that they are changing the location of the data controller, not that they are moving the data.
As GDPR is enshrined in the UK Data Protection legislation, Google are still bound by that i.e. GDPR still applies and will apply until such time as the law changes.
People talk of "losing EU protection" - this is nonsense. GDPR regulations were published by EU and enshrined in our Acts - the same process all EU countries go through. EU would not have helped us before any more than now. Google would always be subject to UK law, which currently incorporates EU regulations.
Given the punitive fines allowable under the Act, Google would be very stupid to put UK data into a breach situation.
And yes, it was inevitable this would happen as we are decoupling from Europe; others such as Microsoft will follow. Once the new Data Protection legislation is out, there may well be a change again.
Don't believe all the hyped up news articles; hey I'm not defending Google, not at all. But 2 + 2 does not equal 5
Google is concerned about double jeopardy.
If the UK is still subject to the ECJ and also any data protection rules the UK might enforce after the end of 2020 it might be sued in 2 jurisdictions. (UK and EU)
UK citizens have little protection against their data being used by big government anyway. The investigatory powers act allows GCHQ lots of power. The ECJ think the act is illegal.
At the end of the day, I suspect that the only way a UK citizen can protect their data is to remove it from Google (Facebook et al)
What I find most amusing - and charmingly naïve - about this is the way you-all assume that any of the privacy legislation is worth a damn. Sure, governments and corporations pay lip service to GDPR et al but did you really learn nothing from Edward Snowden? If they can access it, they will, and lie to you while they do so.
All your (data)Bases are belong to us.
Offshoring of Government data (that is any data held by Gov Depts being) has been fairly strictly controlled to a few countries. If memory serves me right it doesn't like any data going outside the EEA.
So I wonder if the Cabinet Office OGSIRO has issued a missive to Depts to ask which of them still use Google services. It wasn't all that long ago that some *large* ones did.
See also https://ico.org.uk/about-the-ico/news-and-events/news-and-blogs/2020/01/statement-on-data-protection-and-brexit-implementation-what-you-need-to-do/
and
https://ec.europa.eu/info/law/law-topic/data-protection/international-dimension-data-protection/brexit_en
The headline is factually incorrect. The UK is no longer in the EU, so we will not leave it after Google has transferred our data. We are in a transition period during which EU law, including GDPR still apply. If Google breaches GDPR before the end of 2020, it can expect to be very heavily fined by the UK Data Registrar. At the end of 2020, new UK GDPR rules come into effect which are virtually identical to EU GDPR rules, although the two may diverge over time. As I understand it, Google is certified as compliant under the EU–US Privacy Shield framework, in which case it could move all its EU data to the US if it wished.
data center here...
Must be to store all the US citizens data.. that way with our data in the US, the spies in this country can mine US citizens data, and the spies in the US can mine ours (and everyone elses), and thus prevent the ebil terrorists from completing their dastardly plans
Although quite how you stop the lone wolf loons armed with a knife/gun/rifle/50 cal machine gun seems beyond either government....
Anyone who utters this phrase against any changes as a result of Brexit needs to understand that this is EXACTLY what you voted for.
Everyone was warned of the potential impact and consequences that would occur. You voted for it. You only have yourself to blame.
@DontFeedTheTrolls
"Anyone who utters this phrase against any changes as a result of Brexit needs to understand that this is EXACTLY what you voted for."
Not really. The people who tend to come out with this are remainers who technically didn't vote for any of it.
Thanks Brexit Voters. We had GDPR blocking the worst excesses of unfettered commercialism and now that is going down the drain. I hope that they plaster your Youtube/Facebook/Instagram/Twitter/etc. accounts with loads of willy-pill and get-rich-quick spam. Sounds like I might have to start closing down some of my accounts.
When I got the notification email in my gmail account, just strip off the 'noreply' from the email address.
Dear Google,
I think you will find, as I am domiciled in the UK, that the laws of England and Wales will now be applicable to our service agreement, rather than U.S. jurisdiction.
Further to that, GDPR will still be applicable in the UK. I have not heard that this law will be repealed.
- Adam
No they haven't repealed it, GDPR is enshrined in the Act already and this bill has yet to be passed as law. If you read it you will see that the primary amendment is to allow continuity of provisions relating to the Privacy Shield, to ensure that there is parity between UK and Privacy Shield and EU and Privacy Shield.
Most Acts are going to be revisited over the next year as they contain provisions and references to the EU which no longer apply. This is housekeeping to ensure that there can be continuity.
So more hype and nonsense!
To be honest, I think that Google could claim that by offering termination of any contracts whereby the customer does not want Trump to be spaffing all over our personal data, Google are otherwise doing this under contract of its customers.
The best solution, although they are well aware this is not available to the masses, is to end your relationship with Google and go with a company that values privacy and confidentiality.
It's very likely I will be ditching Android based on this move.
If enough customers start ending their contract Google will listen.