Google plan to move British user accounts from EU to US jurisdiction

The Cloud Act in the US could make it easier for British authorities to access users' data during investigations

Google is planning to shift British users' data away from hosting centres in Ireland, so it will no longer be subject to Europe's General Data Protection Regulation (GDPR).

According to Reuters, the shift is part of Google's post-Brexit planning.

Three people familiar with the plan told the newswire that Google wants to shift the data into US jurisdiction, which currently has relatively weaker data protection laws compared to the EU.

The change will also mean that British authorities, in future, will need to negotiate with the US authorities in case they need information on British users during criminal investigations.

The US has recently introduced the Cloud Act, which should make it easier for British law enforcement agencies to access the data of users during investigations. Both countries are also currently discussing a broader trade agreement.

Google has given no statement on the matter so far, but it is understood that the company wants its British users to accept a set of changes to their terms of service, including the new jurisdiction.

Lea Kissner, former lead for global privacy technology at Google, said it would be surprising if the UK data was kept under EU jurisdiction after Brexit.

"There's a bunch of noise about the UK government possibly trading away enough data protection to lose adequacy under GDPR, at which point having them in Google Ireland's scope sounds super-messy," she said.

"Never discount the desire of tech companies not to be caught in between two different governments," she added.

The European Union introduced GDPR in May 2018 with the aim of enhancing trust by granting members of the public more control over how their personal information is used. An important element of that control consists of making individuals' consent a prerequisite for the use of their personal data.

GDPR also enables regulators to fine organisations up to 20 million Euros, or four per cent of annual global turnover, whichever is higher.

Last year, French data protection regulator CNIL imposed a record €50 million fine on Google over non-compliance with GDPR.

Following a detailed investigation, CNIL concluded that French users were "not sufficiently informed" about how Google collected data to personalise advertising and that Google had failed to obtain a valid legal basis to process user data.