UK Googlers to lose GDPR protections says Report

[philehidiot]

Thank you Spaceman for providing the nuance which was sorely lacking.

Unfortunately, I suspect we are in for this kind of thing ad nauseam as people jump and shout about something which is changing for perfectly sensible legal / business continuity reasons post-Brexit. I suspect those who didn't want it to happen are going to get upset at every change and I don't think we'll have someone with your kind of insight to provide the resolution needed to understand these decisions for every issue that comes up.

Alternatively, those who did want us to leave will just go "it's part of the process, stop whining" and we may well miss an opportunistic government taking advantage.

I think the lesson here is to not jump up and down with rage at every little change but also to be vigilant so that we don't lose even more rights or take backwards steps in certain areas.

[Iota]

GDPR entered UK law as the Data Protection Act (2018) which is not far off a cut and paste of the EU legal text with a few local clarifiers. For example the EU text refers to "independant supervisory bodies" enforcing the rules, whereas the DPA states the Information Commisioners Office specifically. Amendments to the law to ensure it still works after the transition period have already been made, mostly in the form of the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations 2019 which amends certain elements to refer to the UK courts as the arbiter of legal cases rather than EU courts and various similar items. The crucial part for our purposes is around data transfers to outside the UK.

Under GDPR data can be transferred to any other country within the EU without needing any additional safeguards. All other countries are referred to as "third countries" and there are 3 legal methods for transferring to them. We will become a 3rd country to the EU and they become 3rd countries to us the day the transition period ends, and our own laws have been adapted accordingly. 2 of the methods involve rules and clauses being built into individual contracts for any data moved, which is a labourious task. The final method works at a nation to nation level and so makes the overhead for individual organisations disappear. This method is called an adequacy decision.

An adequacy decision (article 45). This means the EU have looked at the data and related laws of a given country and decided that they meet or exceed the standards of GDPR OR they put special legal measures in place for EU data that don't apply to their domestic citizens data. The current list of countries deemed adequate is here, mostly those that border the EU, have trade deals in place or have put special measures in place, in particular the USAs Privacy Shield framework. The UK has compiled its own list of "adequate" countries for after the transition as every other country on earth becomes a 3rd country from our POV. That list contains all those already within the EU, the EEA and the EUs list, including the USA if under Privacy Shield. HOWEVER, the EU will NOT automatically recognise the UK as adequate, we will have to go through their process. This takes time and while our data law is identical to theirs they have long believed that the Investigatory Powers Act (2016) (aka the Snoopers Charter,) does not sufficently protect the rights & freedoms of citizens personal data. While we were a member this was moot but when we're outside it could count against adequacy. This could result in the Uk being free to transfer data to EU countries as we've recognised them, but them unable to do the same to us without contracts and safeguards at least until adequacy is agreed (if it ever is.)

So if you're Google and currently administer UK data from Irish jurastiction, you could face a huge headache trying to do so post transition as you'll have to generate huge swathes of clauses and documents any time you change a service for UK users or implement a new one. This could be a large and ongoing cost depending on how long we're not deemed adequate. Your alternative is to bring UK data under US jurastiction. The UK recognises US adequacy under Privacy Shield in one direction and given US standards on data protection are MUCH lower than ours they aren't going to find our laws lacking. So in this case you do a one off piece of work and the ongoing cost is zero.

This does NOT mean that GPDR/DPA protections will no longer apply to UK data held by Google under US jurastiction. As the Reuters article states:

So under Privacy Shield Google (or any other US based organisation handling UK data this way,) would be legally obliged to handle that data in accordance with the DPA or any future new UK data legislation. We'd lose no protections unless the UK parliment passes laws removing them. All Google is doing is moving the administrative burden to a country that is not going to quibble about whether our data laws are robust enough. I don't doubt that the US will try to use our data laws as a bargaining chip on trade, and make no predictions as to whether we alter them in future, but the above is my read on the current situation.

TL;DR - This move doesn't actually have any impact on the rights of Googles UK customers and is a logical move by Google to minimise the impact of Brexit on the administration of their UK data.

That was essentially my understanding of the changes, the only real question is how the EU decides to handle the adequacy decision as well as the length of time they take to do so. Any changes the UK makes to the DPA 2018 that reduce the protections will impact on that going forward, which we have no indication thus far that they are willing to do so. Google still has to adhere to local laws, regardless of where the data is held going forward. The ICO isn't toothless either.

[Technikal]

Can someone explain why I should care about gdpr? Other than financial and medical information i don't really care what happens to data about me. This regulation is costly to implement and that cost is passed on via higher prices.

[Corky34]

I think the lesson here is to not jump up and down with rage at every little change but also to be vigilant so that we don't lose even more rights or take backwards steps in certain areas.

As we've not learnt that lesson in the last 40 year it's probably best not to get your hopes up, the jumping up and down with rage at every little change got so bad while we were a member a site had to be made to debunk the red-tops claims.

Can someone explain why I should care about gdpr? Other than financial and medical information i don't really care what happens to data about me. This regulation is costly to implement and that cost is passed on via higher prices.

Not in a single post, privacy matters for various reasons, personally i don't want a company knowing the sort of details that can be gleaned from my data. A couple of stories spring to mind, one of a farther discovering his daughter was pregnant because companies sent baby related stuff to his house due to his daughters shopping habits changing, another is this short TedTalk about meta data.

You could spend months watching and reading about how powerful data can be but i wouldn't want to creep anyone out.

[T1nt1n]

Duck duck go seems to be the easiest fix if it happens.

[Dashers]

Can someone explain why I should care about gdpr? Other than financial and medical information i don't really care what happens to data about me. This regulation is costly to implement and that cost is passed on via higher prices.

This is a huge subject with a lot of nuances.

Some more present and real dangers are:
- Identify theft. You provide "harmless" personal details to a company you trust. This trust is abused (intentionally or maliciously) and that personal data is now a powerful tool that can be used to create a virtual clone of you and further exploit you personally, or just be used in other things (forging votes etc).

- Simple scamming. If I know more about you, I could potentially socially engineer phising against you.

- Profiling and manipulation. We all work in echo chambers and no matter how "woke" we think we might be, are influenced by external factors. Profiling you means that companies can target your political and personal biases (see Cambridge Analytics).

There are a myriad of different reasons why you don't want your personal information to be spread around in a liberal fashion.

A more extreme case is of course, the origins of data protection in Europe. When Nazi's rolled into countries they used secure government censor data to identify people with particular religious beliefs and slaughter them. This doesn't seem a likely event now (but it probably didn't at the time people gave up that information) - but Brexit is most definitely not a good sign for peace and prosperity in Europe as a place.

[kompukare]

While we are here - naturally - focused on what this means for UK users of Google (and whoever follows Google for similar reasons), does this also bode very badly for any UK companies holding information of any EU-27 citizen?

I guess for very companies shifting things around is not a problem but for small to medium companies this could prove costly.

[spacein_vader]

Can someone explain why I should care about gdpr? Other than financial and medical information i don't really care what happens to data about me. This regulation is costly to implement and that cost is passed on via higher prices.

On your first point, it is absolutely your perogative not to care. What GDPR does is protect those who do. If you don't, you can consent to whatever data use you like. However it's worth bearing in mind that financial and medical data would be fair game too without GDPR (or other data protection law,) so it gives you protections there and you're free to surrender them everywhere else if you wish. Data Protection is not new, pre-GDPR we had the Data Protection Act 1998 which adhered to similar principles but with a lot more grey areas and much less punitive penalties (a maxium fine of £500k for example,) and before that the Data Protection Act 1984!

On your second point about cost, do you have any evidence to back that up? I'm not saying that to be sarcastic but because I've actually been looking to find evidence for higher/lower costs post GDPR and have been unable to find anything substantive in either direction. There is undoubtably an up front cost if an organisation was being less stringent in its data practices beforehand but it should have just been 1 hit when the new legislation hit. Given that was nearly 2 years ago that cost has been paid already and in my own limited anecodtal experience the clarity the new law gives has made setting up new data usage/sharing arrangements has been quicker, easier and by extension cheaper than under the old regime.

A more extreme case is of course, the origins of data protection in Europe. When Nazi's rolled into countries they used secure government censor data to identify people with particular religious beliefs and slaughter them.

Nerdy fact time. Under GDPR certain types of data are deemed to be extra sensitive and need extra conditions in place before you can process them, these are known as special category data. They are:

Data relating to racial or ethnic origin.
Data relating to political opinions.
Data relating to religious or philosophical beliefs.
Data relating to trade union membership.
Data relating to genetics/biometrics.
Data relating to health.
Data relating to somones sex life or sexual orientation.

That list was established in the 1950s and is essentially a list of things where the wrong answer would earn you a one way trip to a concentration camp under the Nazis. That's why financial data is not included on that list, as a lot of those sent to the camps were quite affluent.

While we are here - naturally - focused on what this means for UK users of Google (and whoever follows Google for similar reasons), does this also bode very badly for any UK companies holding information of any EU-27 citizen?

I guess for very companies shifting things around is not a problem but for small to medium companies this could prove costly.

That depends, but its something everybody involved is working towards resolving. If you're a multinational organisation you can use one of the other 2 methods of transfer I alluded to in my first post called Binding Corporate Rules. The simple version of this is that you provide legal undertakings that all offices/subsiduaries/franchises of a multinational org that lie outside of GDPR countries will follow the same rules and protections on the data as their offices/subsiduaries/franchises inside GDPR territories.

If you're sharing with international partners that aren't part of the same multinational you can use the third method, Standard Contract Clauses. These are a set of clauses provided by the EU (or ICO for us now,) that you can drop into a contract that then bind both parties to uphold the rules of GDPR even though one of them may be extra-territorial to GPDR jurisdiction. I've been amending contracts in this way since we left and so have many others so that when the transition period ends everything will carry on as normal until/unless we get an adequacy decision or we change our Data Protection legislation.

[gagaga]

Anti-Brexit fear mongering designed to appeal to the remainiacs for whom EU=amazing, fab, stupendous and UK=s4it

GDPR is UK law - the Data Protection Act 2018. The EU cannot pass laws in each country. We had to pass our own law to meet the directive of the GDPR.

Before that we already had our own data protection laws that it was pointless updating whils the EU prepared GDPR.

Just as the EU didn't invent employment protection laws, or the NHS, or clean water and safe food, they didn't invent data protection.

People who think Boris is some tub thumping mini Trump, they are the problem. He is Tony Blair reincarnated (which for the current mad left is probably even worse). He's is progressive liberal (like most tories now) - I wouldn't even descibe him as econonomically conservative, given his spending plans.

[adidan]

Boris is.....* snip * ....He's is progressive liberal (like most tories now)

That really is a good one, I may use it.

[Domestic_Ginger]

Anti-Brexit fear mongering designed to appeal to the remainiacs for whom EU=amazing, fab, stupendous and UK=s4it - snip- People who think Boris is some tub thumping mini Trump, they are the problem. He is Tony Blair reincarnated (which for the current mad left is probably even worse). He's is progressive liberal (like most tories now) - I wouldn't even descibe him as econonomically conservative, given his spending plans.

Thats right!!! Because we all knew what we voted for



The first comment is the best.

"As usual I sit back and enjoy these videos. Laugh. Then I sit in a dark room and cry at the truth of it all." -stephen cain youtube.

[Saracen999]

.....

The EU cannot pass laws in each country. We had to pass our own law to meet the directive of the GDPR.

.....

Erm, they don't need to pass laws in each country. But yes, the EU can pass laws that have direct, binding effect in all member states the instant they are passed in the Eu.

This is the difference between Regulation and Directive. A 'directive' is essentially a statement of objectives, or minimum standards to be achieved in all countries but it is left to each country to pass laws to achieve that .... if sufficient laws are already in place.

A classic example is the consumer protection directive some years back. The EU directive mandated a two-year warranty ( which is not the two-year "guarantee" many mistook it for) on retail purchases. The UK Sale of Goods Act had had 6 years in place for a couple of decades, so we needed to take no action on that.

But it also included minimum protections on distances purchases, so we got the Distance Selling Regs, implemented in the UK by Statutory Instrument to amend the SoGA.

That's how EU directives work - member states have to all achieve at least the standards in the directive, but each member state can choose how to do it, and whether to exceed it.


Regulations, on the other hand, become national law in all member states the moment they are passed in the EU, at which point, the principle of supremacy (as defined in and agreed to by all member states when they joined) in the fundamental EU Act by which that membership is created. This applies the areas of EU competency, but not to all areas.

As soon as that EU reg is passed, citizens can rely on it in national courts, who are bound to accept the supremacy of such EU regs over any already existing national regs.

[Corky34]

Erm, they don't need to pass laws in each country. But yes, the EU can pass laws that have direct, binding effect in all member states the instant they are passed in the Eu.

But only because those member states have enacted legislation to that effect. To say the EU can pass laws that have direct binding effect in all member states the instant they're passed is a bit like saying your local town council can pass laws that has direct binding effect on you even though you've chosen to live there, got to all the council meetings, and get to vote on all the laws the council passes.

[Saracen999]

But only because those member states have enacted legislation to that effect. To say the EU can pass laws that have direct binding effect in all member states the instant they're passed is a bit like saying your local town council can pass laws that has direct binding effect on you even though you've chosen to live there, got to all the council meetings, and get to vote on all the laws the council passes.

I'm not sure what you're getting at. If you mean that the EU can pass laws that directly affect all citizens because their country agreed to it, then yes. That's what I said. Second to last paragraph. Any country that joins the EU signs up to the founding treaties, and that is part of that.

But I certainly didn't move to a "town" then object to the laws, and no I have no say in those laws, any more than I had in joining the EU.

But hey, let's not go down the route of EU pro's and con's again.

The point I was making was that, contrary to the remark I quoted, whether we think it good or bad, the EU can indeed pass laws that have direct effect. Not all EU laws require legislationin each member country.

The other difference of course is that an EU law, via supremacy, is superior to national laws that either already exist or may be subsequently created, and they apply letter for letter, word for word, in all member states.

Directives, on the other hand, set out the objectives nations are required to achieve, but each member state can (and has to) implement national laws to do do, by a date specified in the directive, but in their own wording.

That is, Regs apply instantly, as soon as passed, and courts up to the ECJ apply, quite literally, the latter of that EU law.

Directives don't apply instantly because the depend on being implemented in national law and that national law sets the start date nation by nation though all must (in theory at least) start by the date specified in the EU directive.


That's all I'm saying. Two different methods of creating EU law, one requires implementing locallly but the other does not.

There is nothing in there saying whether I like it or not, or approve (as if anybody cared) or not. It's simpy how it is. If a country buys into the EU, that's an indivisible part of the package. Take it or leave it. We, or rather Edward Heath, took it.