Google has buried a major change in legal jurisdiction for its U.K. users, moving them out from being covered by the European Union’s data protection framework and under U.S. jurisdiction, as part of a wider update to its terms and conditions that’s been announced today which it says is intended to make its conditions of use clearer for all users.
It says the update to its T&Cs is the first major revision since 2012 — with Google saying it wanted to ensure the policy reflects its current products and applicable laws.
Google says it undertook a major review of the terms, similar to the revision of its privacy policy in 2018, when the EU’s General Data Protection Regulation started being applied. But while it claims the new T&Cs are easier for users to understand — rewritten using simpler language and a clearer structure — there are no other changes involved, such as to how it handles people’s data.
“We’ve updated our Terms of Service to make them easier for people around the world to read and understand — with clearer language, improved organization, and greater transparency about changes we make to our services and products. We’re not changing the way our products work, or how we collect or process data,” Google spokesperson Shannon Newberry said in a statement.
Users of Google products are being asked to review and accept the new terms before March 31 when they are due to take effect.
Reuters reported on the move late yesterday — citing sources familiar with the update who suggested the change of jurisdiction for U.K. users will weaken legal protections around their data.
However, Google disputes there will be any change in privacy standards for U.K. users as a result of the shift. It told us there will be no change to how it process U.K. users’ data; no change to their privacy settings; and no change to the way it treats their information as a result of the move.
We asked the company for further comment on this — including why it chose not to make a U.K. subsidiary the legal base for U.K. users — and a spokesperson told us it is making the change as part of its preparations for the U.K. to leave the European Union (aka Brexit).
“Like many companies, we have to prepare for Brexit,” Google said. “Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users’ information. The protections of the U.K. GDPR will still apply to these users.”
Heather Burns, a tech policy specialist based in Glasgow, Scotland — who runs a website dedicated to tracking U.K. policy shifts around the Brexit process — also believes Google has essentially been forced to make the move because the U.K. government has recently signaled its intent to diverge from European Union standards in the future, including on data protection.
“What has changed since January 31 has been [U.K. prime minister] Boris Johnson making a unilateral statement that the U.K. will go its own way on data protection, in direct contrast to everything the U.K.’s data protection regulator and government has said since the referendum,” she told us. “These bombastic, off-the-cuff statements play to his anti-EU base but businesses act on them. They have to.”
“Google’s transfer of U.K. accounts from the EU to the U.S. is an indication that they do not believe the U.K. will either seek or receive a data protection adequacy agreement at the end of the transition period. They are choosing to deal with that headache now rather than later. We shouldn’t underestimate how strong a statement this is from the tech sector regarding its confidence in the Johnson premiership,” she added.
Asked whether she believes there will be a reduction in protections for U.K. users in the future as a result of the shift, Burns suggested that will largely depend on Google.
So — in other words — Brexit means, er, trust Google to look after your data.
“The European data protection framework is based around a set of fundamental user rights and controls over the uses of personal data — the everyday data flows to and from all of our accounts. Those fundamental rights have been transposed into U.K. domestic law through the Data Protection Act 2018, and they will stay, for now. But with the Johnson premiership clearly ready to jettison the European-derived system of user rights for the U.S.-style anything goes model,” Burns suggested.
“Google saying there is no change to the way we process users’ data, no change to their privacy settings and no change to the way we treat their information can be taken as an indication that they stand willing to continue providing U.K. users with European-style rights over their data — albeit from a different jurisdiction — regardless of any government intention to erode the domestic legal basis for those rights.”
Reuters’ report also raises concerns about the impact of the Cloud Act agreement between the U.K. and the U.S. — which is due to come into effect this summer — suggesting it will pose a threat to the safety of U.K. Google users’ data once it’s moved out of an EU jurisdiction (in this case Ireland) to the U.S. where the Act will apply.
The Cloud Act is intended to make it quicker and easier for law enforcement to obtain data stored in the cloud by companies based in the other legal jurisdiction.
So in the future, it might be easier for U.K. authorities to obtain U.K. Google users’ data using this legal instrument applied to Google U.S.
It certainly seems clear that as the U.K. moves away from EU standards as a result of Brexit, it is opening up the possibility of the country replacing long-standing data protection rights for citizens with a regime of supercharged mass surveillance. (The U.K. government has already legislated to give its intelligence agencies unprecedented powers to snoop on ordinary citizens’ digital comms — so it has a proven appetite for bulk data.)
Again, Google told us the shift of legal base for its U.K. users will make no difference to how it handles law enforcement requests — a process it talks about here — and further claimed this will be true even when the Cloud Act applies. Which is a weasely way of saying it will do exactly what the law requires.
Google confirmed that GDPR will continue to apply for U.K. users during the transition period between the old and new terms. After that it said U.K. data protection law will continue to apply — emphasizing that this is modeled after the GDPR. But of course in the post-Brexit future, the U.K. government might choose to model it after something very different.
Asked to confirm whether it’s committing to maintain current data standards for U.K. users in perpetuity, the company told us it cannot speculate as to what privacy laws the U.K. will adopt in the future… 😬
We also asked why it hasn’t chosen to elect a U.K. subsidiary as the legal base for U.K. users. To which it gave a nonsensical response — saying this is because the U.K. is no longer in the EU. Which begs the question when did the U.K. suddenly become the 51st American state?
Returning to the wider T&Cs revision, Google said it’s making the changes in a response to litigation in the European Union targeted at its terms.
This includes a case in Germany where consumer rights groups successfully sued the tech giant over its use of overly broad terms, which the court agreed last year were largely illegal.
In another case a year ago in France, a court ordered Google to pay €30,000 for unfair terms — and ordered it to obtain valid consent from users for tracking their location and online activity.
Since at least 2016 the European Commission has also been pressuring tech giants, including Google, to fix consumer rights issues buried in their T&Cs — including unfair terms. A variety of EU laws apply in this area.
In another change being bundled with the new T&Cs Google has added a description about how its business works to the About Google page — where it explains its business model and how it makes money.
Here, among the usual “dead cat” claims about not “selling your information” (tl;dr adtech giants rent attention; they don’t need to sell actual surveillance dossiers), Google writes that it doesn’t use “your emails, documents, photos or confidential information (such as race, religion or sexual orientation) to personalize the ads we show you.”
Though it could be using all that personal stuff to help it build new products it can serve ads alongside.
Even further toward the end of its business model screed it includes the claim that “if you don’t want to see personalized ads of any kind, you can deactivate them at any time.” So, yes, buried somewhere in Google’s labyrinthine setting exists an opt out.
The change in how Google articulates its business model comes in response to growing political and regulatory scrutiny of adtech business models such as Google’s — including on data protection and antitrust grounds.
Comment