German DPA Tackles Artificial Intelligence

Written by: Chase Langhorne, Esq.

Artificial Intelligence (“AI”) devices can make everyday life easier. They can tell us the temperature outside, set a timer, and even order a pizza; but what is happening to all the data being collected by these devices? Think of everything an AI device hears in your living room while waiting for the designated wake up command (“Alexa”, “Hey Google”, etc.). For example, in a routine phone call with your doctor you might disclose your name, date of birth, billing address, social security number, and medical condition all within a matter of minutes. The AI device in the corner is more than willing to record all the information while it patiently waits for the wake up command.

On August 1st, the German data privacy watchdog, the Hamburg Data Protection Commission (“HDPC”), ordered Google to cease manual human reviews of audio snippets collected by its Google Assistant software. The software is found on many android devices and Google Home products. Under GDPR Article 66, the HDPC has the authority to and has ordered Google to stop using humans to review these audio snippets for three months. This comes on the heels of a data leak in early July when 1,000 private conversations with Google Assistant were leaked by a Google contractor conducting manual reviews. In due course, Google filed an Article 33 breach notification with its lead privacy regulator, the Irish Data Protection Commission, who is conducting further investigation.

This is the first instance of a regulatory authority’s use of a measure as extreme as Article 66. Without invoking Article 66, investigations are left up to the designated data protection authority for the company, which in the case of Google is the Irish Data Protection Commission. This could be a warning shot to companies putting them all on notice that all EU data protection authorities are watching. The takeaway for companies using “big data” to conduct business is that the regulatory authorities are now using their GDPR powers to effectively stop the flow of data at a moment’s notice. If there is no data in the pipeline, the result is arguably worse than if the company were fined the full amount allowed under GDPR (4% of global revenues).

Other big players in the AI industry are taking this event very seriously. Apple and Amazon have both changed their policies regarding manual human review as a result of HDPC’s action. Apple has halted manual human review of audio collected by Siri, and Amazon has changed its policies to allow for users to opt-out of manual human review of audio collected by Alexa.

The entire statement released by the HDPC can be found here (in German).