
Google is moving EU citizens’ data to US? - andreagrandi
https://www.andreagrandi.it/2020/02/25/google-is-moving-eu-citizens-data-to-us/
======
alanfranz
I wonder if this is an issue with Andrea's Google account. Maybe it's some
setting that makes Google think he's from the UK. The text of the same
paragraph, just as I received it from Google:

"We’re improving our Terms of Service and making them easier for you to
understand. The changes will take effect on March 31, 2020, and they won’t
impact the way you use Google services."

No mention of Google LLC. And, surprise! I'm an Italian citizen living in
Italy.

~~~
supermatt
Same issue. I am resident in Lithuania (but I am from the UK originally). When
I view youtube (on a firefox browser I have never logged in to youtube with) I
get the same message...

------
andreagrandi
UPDATE #2: after clicking here and there, I was able to find this
[https://pay.google.com/gp/w/u/1/home/settings](https://pay.google.com/gp/w/u/1/home/settings)
it looks like I had set a UK address once and completely forgot about it (I
don't have any Android devices since 2014, that's why I forgot). Let's see if
this will change anything.

~~~
asdfasgasdgasdg
How misinformation spreads on the internet 101. In future, it might be best to
word this as a question. "Why does Google think I live in the UK?" Less click-
baity and more faithful to the level of investigation you had conducted.
Phrasing it as a question rather than an accusation might have even led you to
the answer, something along the lines of, "well, have I explicitly told them I
live in the UK? Let me check."

~~~
andreagrandi
I wouldn't classify this as misinformation.

Facts:

1) I don't live in UK 2) They threated me at UK resident 3) It's not possible
to change the country directly from Google account, you have to go to Play
Store (which I don't use it anymore) 4) It was impossible to contact them

~~~
asdfasgasdgasdg
You accused them of illegal behavior when they acted correctly on information
you explicitly gave them. You seem to expect them to divine your implicit
intent from non-payments related product usage data. But for all we know you
have search history turned off, and anyway most privacy advocates would
consider a join like that suspect at best. Then you publicized this false
information about illegal behavior as broadly as you could. If that's not
misinformation I don't know what is.

To be clear, I'm not saying you did so maliciously. Seems like an honest
mistake on your part. Well, it did until you started digging in.

~~~
andreagrandi
What do you mean "search history turned off"? I'm not sure I understand. Also,
I'm not a UI/UX expert, but Google suite has "Account Settings" where I would
have expected to be able to see/change my address, but the option is not
there. I use a limited subset of Google products (GMail, Calendar, Youtube,
Google Docs, Maps etc...) but the possibility of changing the address was in
the only product I haven't used since 2014 (I checked it because someone else,
on a forum, pointed me to it). Now the address is updated, but I have no idea
to check if my Data Controller will remain the same or it will be Google LLC.
They should give us an explicit option to check/set what Data Controller we
have, not infer it from a single product (which in my case wasn't used
anymore).

~~~
asdfasgasdgasdg
There is a toggle to control whether Google keeps track of your search
history. I suppose there's a separate toggle for location history. If you have
those turned off, Google does not record that data, and there would be no way
for them to derive your location even in theory.

~~~
frollo
Even if you keep track of location history, Google can get it wrong anyway (I
know, because I gave up the idea of having my home address in Google Maps a
year ago - it doesn't seem to learn that I've moved out, even after updating
my address in Google Pay).

~~~
asdfasgasdgasdg
There is a separate setting for your home address in Google Maps. You have to
update it there.

~~~
frollo
I did, but it keeps reverting back to what it thinks it learned from my
driving habits. Somehow, it doesn't seem to realize that I leave every morning
from the same address and get back to it every evening.

------
IAmEveryone
There is obviously some ambiguity in the rules when people move around, and
misclassifications can happen when, say, a Brasilian working for a US company
in Switzerland picks up the neighbouring French wireless signal to log into
their Asian VPN.

But it's really a non-issue. Google will make a good effort reducing such
errors, and there aren't going to be legal consequences, nor wild leaving-
Europe-for-good-drama as envisioned by some in this threat.

~~~
andreagrandi
We all know that mistakes can happen. That is not the issue. The issue here is
that there is no way to contact them and ask to fix this. I tried at least 3
or 4 times to contact them on Twitter (they are replying to other people for
other issues, why not replying to me?) but I didn't have any luck with it.

~~~
nottorp
Top of HN usually works to get Google customer support :)

------
dathinab
I (German citizen) also got a update them of service mail _which does not
mention the UK_.

I take this as a strong indicator, that Google believes you are a UK citizen.

------
andreagrandi
Note: if anyone thinks I should at least re-phrase the title and the article,
I'm more than happy to do that.

My concern is: why do they mention UK leaving EU if I'm not UK citizen? And
why there is no way to appeal/complain directly with them?

Mistakes can happen from anyone, but if they don't let me contact them I have
no way of fixing this.

~~~
Normal_gaussian
"why do they mention UK leaving EU if I'm not UK citizen?"

PR most likely. Within the UK this phrasing makes it less likely to actually
be read / acted upon.

However there could be more than a few grains of truth to it as well.

------
andreagrandi
UPDATE: I've updated the article removing the "illegal" words. Since it
doesn't seem to be clear if this is legal or not from their side, I think it's
right to give it the benefit of the doubt. (give CloudFlare a few minutes to
update the cache, please)

~~~
three_seagrass
This isn't illegal. You worked in London and had enough UK-based activity to
warrant receiving an email notification about UK-based data handlers.

~~~
andreagrandi
let’s try to keep the technical mistake separate from the legal bit. I think
their email is entirely legit if I was living in UK, but I don’t. Also:
honestly, I use Google Maps almost everyday. Even without asking me I think
they have plenty of data on me to clearly see I’ve been living in Italy in the
last year and half.

~~~
Gigablah
Wait, are you complaining that Google knows _too little_ about you?

------
jacquesm
They were doing the same thing with the data of citizens of Ireland. Google is
flirting with a massive fine here, in spite of all their PR efforts in and
around Brussels. Have you seen Brussels airport lately? It is wall-to-wall
'Google is pro privacy' PR.

------
drcursor
Is there a way to find out where my google account is hosted ?

~~~
auiya
I'm willing to bet your data is hosted in multiple locations based on the
service you're using. I don't think it's as simple as "Oh John Smith's account
is hosted in Lenoir, NC".

~~~
asiachick
Of course it is. It's called backups, and being prepared. If one data center
burns down or is taken offline for other reason your data needs to be
somewhere else.

~~~
inetknght
> _If one data center burns down or is taken offline for other reason your
> data needs to be somewhere else._

Somewhere else doesn't necessarily need to be "in different jurisdiction"

~~~
SAI_Peregrinus
No, but ideally (and especially for live failover datacenters) it should be in
a different wide-area synchronous grid segment[1] to prevent issues in the
event of large disasters. For datacenters in the EU that means having a backup
outside the continental EU, which has meant Ireland or Great Britain if they
want to stay within the EU jurisdiction. With the UK leaving that means just
Ireland.

Other disaster recovery concerns also mean that having large geographical
distance between datacenters is a good idea. This can lead to jurisdictional
issues, which need to be addressed when building the system.

[1]
[https://en.wikipedia.org/wiki/Electrical_grid#Wide_area_sync...](https://en.wikipedia.org/wiki/Electrical_grid#Wide_area_synchronous_grid)

------
notgoogle2
Goto [https://myaccount.google.com/data-and-
personalization](https://myaccount.google.com/data-and-personalization) Change
Language to English(Ireland)

~~~
andreagrandi
Done, thanks! I hope it will be enough to fix this.

------
bognition
File a complaint:
[https://edps.europa.eu/node/75_en](https://edps.europa.eu/node/75_en)

~~~
lucb1e
Not the right place. Have you tried doing what you suggested? Because I end up
on this page which, as expected, tells me that this is not the right
authority: [https://edps.europa.eu/data-protection/notre-r%C3%B4le-en-
ta...](https://edps.europa.eu/data-protection/notre-r%C3%B4le-en-tant-que-
contr%C3%B4leur/private-organisation_en)

> Data protection supervision over private organisations such as companies is
> carried out by national data protection authorities. All EU Member States
> have at least one such authority.

> You can also take up your complaint with the courts in the relevant Member
> State.

> The EDPS is not competent for complaints against such private organisations;
> we can therefore only refer you to the relevant national authorities.

Instead, you can find national authorities here:
[https://en.wikipedia.org/wiki/National_data_protection_autho...](https://en.wikipedia.org/wiki/National_data_protection_authority)

The authority in the country where the headquarters of the infringing company
are will handle your complaint, as per GDPR article 56(1)¹. I don't know what
happens if you complain to your local authority, they might just forward it
themselves or maybe they'll tell you that you're in the wrong place. It
shouldn't matter much since GDPR is EU-wide, so you can just send the same
complaint to another address.

¹ [https://eur-lex.europa.eu/legal-
content/EN/TXT/HTML/?uri=CEL...](https://eur-lex.europa.eu/legal-
content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN#d1e4864-1-1)

In Google's case this is Ireland, so the correct link would be:
[https://forms.dataprotection.ie/contact](https://forms.dataprotection.ie/contact)

Note that I am not saying anything about the article, whether Google/Alphabet
is wronging anyone, or calling for anyone to file a complaint. If you want to
file a complaint based on what others said, this would be the place.

------
Normal_gaussian
It is not illegal at all.

At all.

Firstly lets establish the rules using the ICO's (the UK's Data Authority)
handy FAQ [1], a site providing a copy of the GDPR [2], the EU Commissions
adequacy decisions page [3], the EU's privacy shield page [4], and the
dedicated site for the privacy shield's Google LLC page [5]:

In short (yes, this is my idea of short):

* We, the UK, are currently in the transition period where EU rules still apply [1 - "What happens now that the UK has a withdrawal agreement?"]. This lasts until Jan 1st 2021 [6]

* We, the UK, are currently on track to have pretty much the same rules (cynicism allowed) [1 - "Will the GDPR still apply when we leave the EU"]

* So Brexit shouldn't change the legality (more cynicism allowed)

So are Google breaking the law?

* The GDPR has a provision allowing third countries and international organisations to process data presuming. It is Article 45 [2]

* The USA has been approved for this [3]. Years ago [4].

* Google LLC is approved under Privacy Shield [5]

So, there is no indication of anything illegal going on. Yes they are
segmenting the data incorrectly and messaging an italian as though they are a
brit. However the change would be perfectly legal was it to be done to the
whole of the EU.

I don't like it, but it is legal.

[1] [https://ico.org.uk/for-organisations/data-protection-and-
bre...](https://ico.org.uk/for-organisations/data-protection-and-
brexit/information-rights-and-brexit-frequently-asked-questions/)

[2] [https://gdpr.eu/article-45-adequacy-decision-personal-
data-t...](https://gdpr.eu/article-45-adequacy-decision-personal-data-
transfer/)

[3] [https://ec.europa.eu/info/law/law-topic/data-
protection/inte...](https://ec.europa.eu/info/law/law-topic/data-
protection/international-dimension-data-protection/adequacy-decisions_en)

[4] [https://ec.europa.eu/info/law/law-topic/data-
protection/inte...](https://ec.europa.eu/info/law/law-topic/data-
protection/international-dimension-data-protection/eu-us-data-transfers_en)

[5]
[https://www.privacyshield.gov/participant?id=a2zt000000001L5...](https://www.privacyshield.gov/participant?id=a2zt000000001L5AAI)

[6] [https://www.gov.uk/transition](https://www.gov.uk/transition)

------
pcora
So, question here: If I move from outside EU to a country that is part of the
block, does that mean that my Google Account will change the terms and mention
something about GDPR?

------
three_seagrass
How exactly is this illegal?

AFAIK, it's not illegal (per GDPR) to process EU citizen data in data
controllers _if_ the individual is no longer in the EU.

_Edit_: Yes, I read the article. It looks like this person got this email
notification because they had activity in London (per their resume on their
website). That doesn't make the email illegal nor does it mean their activity
in Italy is going to be on a non-EU controller.

The email implicitly states that it's for the UK only.

~~~
andreagrandi
Have you read the article? Entirely? If yes, can you please tell me since when
ITALY is not part of EU? Thanks

~~~
three_seagrass
Have you VPN'd into the UK or had activity there recently?

It says on your website that you worked in London.

This email is likely a courtesy notification because you had activity in the
UK, a UK billing address, or something that put you there, meaning if you have
activity there again, the controller will be different.

What this email does not mean is that your Italy based activity is going to a
different controller, so how exactly is this illegal?

~~~
andreagrandi
Even the article says I lived in UK/London, it's not a secret, but remains the
fact I'm not a UK citizen :/ If US or EU would be the same, why mentioning
brexit?

~~~
three_seagrass
* You're receiving the email because you've had enough activity in UK to warrant a notification.

* Read literally, the email only talks about the UK, not Italy.

* If you go to the UK again, then your activity in the UK will be on a nom-GDPR handler.

There is nothing illegal here, and just because you're sitting in Italy at
this moment doesn't mean Google is moving Italian activity handlers. The email
is a notification about Uk only.

------
myrandomcomment
The simple suggestion would be that Google needs to ask for your citizenship
status and go from there. Not sure else how to solve that. If I am an American
living in the EU for a few years does the GDPR apply to me when I live there?
I am going to the EU next week for 10 days. When I access my gmail from the EU
what law applies?

~~~
contingencies
I have three western citizenships, one is EU, and I live across borders,
usually accessing the internet via VPN from China. Google cannot possibly
understand this, nor should it try to, rather it should give everyone the best
protections guaranteed by law anywhere in the world and only punch holes in it
for local regulations in specific jurisdictions where unavoidable. To do
anything else (such as profiling for ads) is to be _evil_.

~~~
thayne
> it should give everyone the best protections guaranteed by law anywhere in
> the world

What do you do when laws from different countries conflict with each other?

~~~
contingencies
Use infinite lawyer dollars and infrastructure capabilities to route around
the problem where viable. Where impossible, preserve maximum protection
outside of these exceptions.

------
dhosek
Don't be evil.

------
madeofpalk
> I'm an Italian citizen, living in Italy [...] and I'm fully entitled to GDPR
> protection and to have my data owned by a European data controller.

I don't think the latter part is true. AFAIK GDPR does not give you the
_right_ do have your data owned or processed by an EU entity. GDPR does not
say that.

It doesn't matter where your data is stored or processed, Google must still
follow GDPR rules for data about EU residents. The first part of the comment
is correct.

I'm not actually completely sure why some companies do this whole EU data
controller seperate company thing. I guess for organisational or legal
simplicity?

(Edit: I reworded to hopefully remove ambiguity)

~~~
pmontra
Yes, even if he lives outside the EU

[https://gdpr.eu/companies-outside-of-europe/](https://gdpr.eu/companies-
outside-of-europe/)

It applies even to non EU citizens resident in the EU.

~~~
madeofpalk
Wait so, an an EU resident, processing my data outside of the EU is illegal
under GDPR? I have a _right_ to have it processed within the EU?

~~~
HatchedLake721
Incorrect. It is legal to process data outside the EU. They have to be
compliant with GDPR. GDPR does not require the data to processed within the EU
borders.

~~~
madeofpalk
Exactly. Perhaps I worded my question wrong, but this is my assumption. The
entire premise of the article seems incorrect.

------
iknownadaalot
kinda clickbait [edit for clarity] Please cite where [your] data is now stored
and how you found that information. Cause I'm US based and I got the same
email! WTF Google?

~~~
iknownadaalot
And by that, I mean I got that same email. And I definitely live in the US.
Please cite sources of them actually moving [your] data to Google LLC and or
US.

~~~
andreagrandi
What do you mean by "source" ? I haven't "heard" this story somewhere on
Internet. I did receive the email where they say they are going to move my
data controller to US.

~~~
iknownadaalot
Again I am really dumb, so I don't know how to check if my data has been moved
to a US controller. Also, I got the same email (multiple times, thanks
Google), and I live in the US.

Example: some_command -> where your data is stored at. I don't know how to
verify that information.

------
rupert1234
It's difficult. You are pretending they are deliberately doing it. No one at
Google wants to move your data to the US.

~~~
wereHamster
> It's difficult.

Please elaborate. What is difficult? And why is it difficult?

~~~
rupert1234
It's difficult to know for sure where to store data in a GDPR world. People
move. People have multiple citizenships. People open accounts in countries
where they aren't citizens. People give up citizenships. People share
documents with other people. People ingest data from one product to another.
People comment on documents. It's really, really hard to get all of this down.
It's not even clear legally what to do in various scenarios and it's
impossible to enumerate them all. It's difficult.

