Yesterday, Reuters (followed by the Guardian and social media) reported that next month, Google are moving personal data about its UK users to a Google company in Delaware in order to reduce the protection for UK data subjects. There are similar moves intended for Google’s related services such as YouTube, YouTube Paid Services and Google Play.
This blog examines this assertion, which I don’t think is wholly correct: in summary, the provisions of the GDPR do apply, but there appears to be doubt as to whether these rights and obligations can be enforced by the ICO or the UK Courts.
To be clear about “doubt”: suppose a data subject exercises the “right to be forgotten” in respect of a link processed by Google. If Google follow the procedures they normally follow and de-list the link, then all is well. However, suppose Google refuse to de-list, there is a follow-up appeal to the ICO or a Court, which then orders de-listing, and that judgment is then ignored (and further appeal by Google is not possible). This would be an example of my “doubts” about enforcement.
What are the allegations?
The Reuters report states:
SAN FRANCISCO (Reuters) - Google is planning to move its British users' accounts out of the control of European Union privacy regulators, placing them under U.S. jurisdiction instead, sources said.
The shift, prompted by Britain's exit from the EU, will leave the sensitive personal information of tens of millions with less protection and within easier reach of British law enforcement.
The change was described to Reuters by three people familiar with its plans. Google intends to require its British users to acknowledge new terms of service including the new jurisdiction.
Ireland, where Google and other U.S. tech companies have their European headquarters, is staying in the EU, which has one of the world's most aggressive data protection rules, the General Data Protection Regulation.
According to Google’s new T&Cs, all UK customers have to agree (if they want to use Google’s services) to become a customer of Google LLC, a company established in 2002 and “organized under the laws of the State of Delaware, USA, and operating under the laws of the USA”.
Google LLC will become the controller as far as UK users are concerned, and the controller will therefore be established neither in the UK nor in any EU state. By contrast, services for European citizens are offered by Google Ireland Ltd (a company established in an EU state).
As an aside, I note that as Google LLC is not established in the UK, heated political questions about paying tax are likely to arise; I suspect the UK’s tax collectors might have a different view about “establishment”.
Application of the DPA2018 and UK_GDPR?
First, have a look at the Data Protection Act 2018 (DPA2018), which applies until the end of the year. Section 207(3) states that the Act applies where:
“(a) the processing is carried out in the context of the activities of an establishment of a controller or processor in a country or territory that is not a Member State, whether or not the processing takes place in such a country or territory,
(b) the personal data relates to a data subject who is in the United Kingdom when the processing takes place, and
(c) the processing activities are related to—
(i) the offering of goods or services to data subjects in the United Kingdom, whether or not for payment, or
(ii) the monitoring of data subjects' behaviour in the United Kingdom.”
Google LLC therefore is subject to this version of the DPA2018 until the end of the year.
So what happens after the Withdrawal Agreement ends and the UK_GDPR (and related DPA2018 modifications) kick in? In this case, the key provision is found in Article 3(2) of the UK_GDPR which states (rather like S.207(3) above) that:
“2. This Regulation applies to the relevant processing of personal data of data subjects who are in the United Kingdom by a controller or processor not established in the United Kingdom where the processing activities are related to:
(a) the offering of goods or services, irrespective of whether a payment of the data subject is required, to such data subjects in the United Kingdom; or
(b) the monitoring of their behaviour as far as their behaviour takes place within the United Kingdom”.
The reference to “relevant processing of personal data” is not a concern. Its purpose is to limit the processing subject to the UK_GDPR and revised DPA2018 to that processing described in Article 3(2)(a) or (b) above, and to exclude manual unstructured processing of personal data held by an FOI public authority. In this latter category, I can’t think of an FOI public authority “not established in the United Kingdom”, so I am struggling to provide a concrete example of excluded manual unstructured processing (something like an Embassy abroad, perhaps?).
However, the key thing is that Google LLC appears to be “caught” by the above and the data protection arrangements are, at first sight, unchanged. Of course, the UK Government might change the UK_GDPR rights and obligations when the UK leaves the Withdrawal Agreement (after December 2020), but Google LLC are obviously not responsible for them.
Google’s Privacy Policy
Under the heading “European Requirements”, Google LLC are subject to the following requirements of Google’s Privacy Policy:
“If European Union (EU) data protection law applies to the processing of your information, we provide the controls described in this policy so you can exercise your right to request access to, update, remove, and restrict the processing of your information. You also have the right to object to the processing of your information or export your information to another service.
For users based in the European Economic Area or Switzerland, the data controller responsible for your information is Google Ireland Limited, unless otherwise stated in a service-specific privacy notice. In other words, Google Ireland Limited is the Google affiliate that is responsible for processing your information and for complying with applicable privacy laws.”
The problem here is that the Policy does not explicitly cover the UK after the Withdrawal Agreement terminates at the end of the year (unless renewed). The first sentence of the first paragraph above relates to EU DP law (which does not apply to the UK_GDPR which is to become independent of the EU DP law); the first sentence of the second paragraph relates to users based in the EEA (which does not apply to users in the UK).
The above Policy could easily be updated to include the UK DP arrangements but this is not the case (as of today). Failure to update would have the impact of excluding the application of these Policy safeguards from the UK DP environment.
Representative and the lack of enforceability
Article 27 of the UK_GDPR deals with the appointment of a Representative when a controller (like Google LLC) is not in the UK. A.27 states:
Where Article 3(2) applies the controller or the processor shall designate in writing a representative in the United Kingdom ......
...The representative shall be mandated by the controller or processor to be addressed in addition to or instead of the controller or the processor by, in particular, the Commissioner and data subjects, on all issues related to processing, for the purposes of ensuring compliance with this Regulation (my emphasis).
Breaches of any data protection obligation can be “addressed” to Google LLC’s representative in the UK; but does the word “addressed” mean that such breaches can be enforced?
Well, Recital 80 of the “real” GDPR states that the “representative should be subject to enforcement proceedings in the event of non-compliance by the controller or processor”. This was used by the European Data Protection Board (EDPB) to issue Guidance which stated that data protection authorities should be able to “initiate enforcement action against a representative in the same way as against controllers or processors. This includes the possibility to impose administrative fines and penalties, and to hold representatives liable”.
So it’s all hunky-dory then? The answer is “NO”.
This is made clear at the end of the revised Guidance of the EDPB (issued last November; Guidelines 3/2018, version 2.0). This states:
“the designation of a representative in the Union does not affect the responsibility and liability of the controller or of the processor under the GDPR and shall be without prejudice to legal actions which could be initiated against the controller or the processor themselves. The GDPR does not establish a substitutive liability of the representative in place of the controller or processor it represents in the Union.” (my emphasis).
The Guidelines also note that the original intention was “to enable supervisory authorities to initiate enforcement proceedings through the representative designated by the controllers or processors not established in the Union”. However, this has been replaced by Article 50 of the GDPR which “aims at facilitating the enforcement of legislation in relation to third countries and international organisation” by “the development of further international cooperation mechanisms”.
What “international co-operation” mechanism?
Note that there is no “international cooperation mechanism” currently in place, so enforcement of the DPA2018 and the GDPR by the ICO could be a problem now (i.e. even before the Withdrawal Agreement ends).
In addition, there is no federal data protection law in the USA. However, the State of Delaware has adopted a “Delaware Online Privacy and Protection Act” that provides online privacy protection for Delaware residents. Sadly, UK citizens are not residents of Delaware (except on holiday) – so no help there.
One “international organisation” that could intervene is the Federal Trade Commission (FTC). On its website it states:
The Federal Trade Commission Act allows the FTC to act in the interest of all consumers to prevent deceptive and unfair acts or practices. In interpreting Section 5 of the Act, the Commission has determined that a representation, omission or practice is deceptive if it is likely to:
- mislead consumers and
- affect consumers' behavior or decisions about the product or service.
If Google’s Privacy Policy (“European Requirements” – see above) applied to the processing of personal data about UK citizens and if they proved to be false, then consumers would be able to argue that they were misled into thinking that their “rights” were protected. Given it was the FTC that fined Facebook $5 billion for mishandling users' personal data, it would be in Google LLC’s interest to maintain UK DP rights.
However, FTC’s website states that its mission is to “PROTECT AMERICA’S CONSUMERS”, so I am not really convinced that the FTC would protect British Consumers given that the controller (Google LLC) is in the USA and we exist in an era of “America First”.
Additionally, the FTC website statement does not extend to data protection obligations that are not rights (e.g. towards Data Protection by Design or Default), so there is a question mark about what the FTC would do (or could do) with respect to such obligations specified in legislation that does not apply in the USA.
What can be done?
That is why I have come to the conclusion that there are real question marks about enforceability of obligations and rights, even though these rights and obligations apply on the face of the applicable UK law.
I note that the transfer of personal data to Google LLC has to be operative by the end of next month. Unlike the Facebook case, where any transfer of personal data of non-EU citizens occurred under Directive 95/46/EC, the Google transfers are subject to the GDPR and relate to UK citizens.
That is why I also conclude (P.D.Q., in my view) that it falls to the ICO to be satisfied as to how GDPR/UK_GDPR rights and obligations are to be met and enforced. A public statement in this regard might be useful, including a commentary on the circumstances in which Google LLC is obliged to disclose personal data by law, and on whether UK business controllers have to explain transfers to the USA in their A.13/A.14 privacy notices.
If the ICO is not satisfied with the responses, she can consider what steps can be taken to prohibit any transfer of personal data to the USA. She has the power (but it’s too late after March 31st).
Upcoming Data Protection Courses (in London)
All courses lead to the relevant BCS qualification:
- Data Protection Foundation: April 21-23 (3 days)
- Data Protection Practitioner: May 11-15 and June 2-4, 16-18
- Data Protection Upgrade Practitioner: June 23-24 (2 days)
Full details on www.amberhawk.com or by emailing [email protected]
References
Reuters report: https://www.businessinsider.com/exclusive-google-users-in-uk-to-lose-eu-data-protection-sources-2020-2?r=US&IR=T
New Google T&Cs: https://policies.google.com/terms?hl=en-US
Guidelines 3/2018 on the territorial scope of the GDPR (Article 3), Version 2.0 (12 November 2019) (from the EDPB website: https://edpb.europa.eu/our-work-tools/general-guidance/gdpr-guidelines-recommendations-best-practices_en)
Readers chasing details of the UK_GDPR and the post-Brexit DP nirvana are referred to my blog: https://amberhawk.typepad.com/amberhawk/2019/12/chuck-the-dpa2018-and-gdpr-away-say-hello-to-the-uk_gdpr-and-a-revised-dpa2018-in-february-next-year.html