EU report omits Big Tech GDPR decision, Google moves UK data to US
The European Commission (EC) is yet to clarify its stance on Big Techs’ handling of EU consumers’ data.
The EC recently published its ‘European strategy for data’, but there is still no mention of how US tech giants such as Facebook, Twitter, Apple, Google and LinkedIn should continue handling UK users’ data, despite the UK’s impending departure from the European Union (EU).
Reuters has since revealed Google’s plans to move the data and user accounts of its British users from the EU to the US, therefore taking it out of the regulatory control of the EU.
From 31 March, UK users’ data will no longer be included under the General Data Protection Regulation – or GDPR – which was implemented in May 2018 continent-wide to make it illegal for companies to pass on people’s data to third parties without getting permission from the people whose data it is first.
The data shift from Ireland – where 21 cross-border data practice investigations into Big Techs are taking place – to the US has prompted considerable backlash because US data privacy laws are currently a lot weaker.
The Big Tech sent an email to UK users, in which it said: “Because the UK is leaving the EU, Google will now be the service provider and the data controller responsible for your information and for complying with applicable privacy laws for UK consumer users.”
If the UK and the EU do not agree on a data-sharing deal by 31 December 2020, then the Brexit transition period is no longer applicable and it becomes illegal to transfer and process data between the UK and the EU.
The US has put one data protection law in place in California, and another data protection law was passed in New York last October. California’s Consumer Privacy Act (CCPA) came into effect on 1 January and has similar implications to GDPR, whilst the Shield Act is designed to protect US elections from foreign interference.
The key differences between CCPA and GDPR come down to the size of the fines imposed, the size of the company and the opt-out versus opt-in model.
CCPA will fine per user at rate between $100 and $750, whilst GDPR has caps in place so a small company can’t be fined out of existence. But whilst GDPR has no minimum requirements for applicability, CCPA will not govern activity unless the company has a revenue north of $25 million and deals with the personal data of more than 50,000 users.
As for a consumers’ permissions, GDPR requires users to opt into third party data sharing, whilst CCPA requires consumers to actively opt out of it.
The Irish Data Protection Commission (DPC), the body responsible for holding Big Techs to account for UK users, has emphasised how over-worked it has been in its report. It received a total of 7,215 complaints in 2019, which is a 75% increase on the 4,113 it received in 2018. There was also a 71% increase in data security breach notifications last year compared to 2018.
The DPC increased its staff count by 30 last year, but it said it did not receive enough funding from the Irish government. In 2019, it got just $16.5 million.
Google has warned its shareholders that Britain’s departure from the EU could knock its revenue and spur regulatory fines against the Big Tech over the transfer of personal data between the EU and the US.