Google's UK users will see their data shifted to a US-based data controller from the end of next month with the ad giant blaming Brexit for the move.
In a statement, Google said that UK users will now have Google LLC – the US-based operation – as the legal controller of their data instead of Google Ireland Limited.
Google could have used a UK firm to act as data controller, but that would leave it dependent on the UK government sorting out data rules in time and the EU recognising those rules.
Jim Killock, executive director of the Open Rights Group (ORG), warned: "Moving people's personal information to the USA makes it easier for mass surveillance programmes to access it. There is nearly no privacy protection for non-US citizens.
"We have no reason to trust a Donald Trump government with information about UK citizens. The possibilities for abuse are enormous, from US immigration programmes through to attempts to politically and racially profile people for alleged extremist links.
"Data protection rights will also become more fragile, and are likely to be attacked in trade agreements pushing 'data flows'."
In addition, Google is taking the opportunity to bundle any data collected via its Chrome browser, Chrome OS and Google Drive into the same set of terms and conditions.
A spokesman for the ad giant told us this morning: "Like many companies, we have to prepare for Brexit. Nothing about our services or our approach to privacy will change, including how we collect or process data, and how we respond to law enforcement demands for users' information. The protections of the UK GDPR will still apply to these users."
'An issue of survival': Why Mozilla welcomes EU attempts to regulate the internet giantsREAD MORE
While the government has promised some sort of equivalence to the EU's General Data Protection Regulation, it is unclear what UK data protection will look like when it finally leaves the bloc for real and whether it will be part of wider trade negotiations with the US.
UK regulator the Information Commissioner's Office said: "Our role is to make sure the privacy rights of people in the UK are protected and we are in contact with Google over this issue. Any organisation dealing with UK users' personal data should do so in line with the UK Data Protection Act 2018 and the GDPR which will continue to be the law unless otherwise stated by UK government."
As pointed out by the ORG, the US has far weaker data protection and privacy protections for users, although the situation varies state by state.
Google's statement continued by reminding us peons that we're not obliged to use its services. If you can manage without YouTube, Gmail and easy access to the Play Store, you are quite free to feck off.
"If you don't agree to the new Terms, you should remove your content and stop using the services. You can also end your relationship with us at any time by deleting your Google Account," it wrote. Though that might be a bit trickier for the myriad organisations large and small with Google tentacles running deep into their infrastructure.
Google Pay started this trend of sorts last year when it shifted from UK to Irish registration.
El Reg would be willing to bet the contents of our Google Pay wallet that other firms will follow suit to either reduce the burden of data protection rules or simply to ensure some sort of clarity while negotiations drag on. ®