What does the case of Google potentially breaching GDPR mean for RegTech businesses?

A German data protection authority is going after Google over the human review of Google Assistant recordings. But this case could have big ramifications beyond the Mountain View company.

The Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) has launched an investigation against the tech titan for potentially breaching the General Data Protection Regulation (GDPR).

The issue in question dates back to the beginning of July, with a report from Belgian broadcaster VRT NWS. It reported that people working on behalf of Google were transcribing recordings created by Google Assistant, the company’s voice-controlled smart assistant. The assistant is activated with a wake word such as “Hey Google” or “Okay Google.” However, the device, which is constantly listening for the wake word, can mishear other speech as the wake word and start recording when it was never addressed.

That was the case in 153 of the thousands of recordings VRT NWS was given access to by a contractor. The contractor revealed they had been listening in on conversations that were often sensitive in nature. In one particularly problematic case, the contractor stated that they had heard a female voice in distress and what they believed to be physical violence.

In a statement, David Monsees, product manager of search at Google, stated that transcribing recordings was an important aspect of developing the software. “This is a critical part of the process of building speech technology and is necessary to creating products like the Google Assistant,” he explained, adding that only 0.2 per cent of all audio was reviewed in this way.

In regards to the leak, Monsees said, “We just learned that one of these language reviewers has violated our data security policies by leaking confidential Dutch audio data. Our Security and Privacy Response teams have been activated on this issue, are investigating, and we will take action. We are conducting a full review of our safeguards in this space to prevent misconduct like this from happening again.” But that was not the end of it.

At the beginning of August, HmbBfDI ordered Google to stop human review of voice recordings for three months. The authority would use that period to determine whether the search engine giant had failed to comply with GDPR. Google confirmed it would comply with the order and halt the review of voice recordings until November.

HmbBfDI also encouraged Amazon and Apple to cease their reviews of audio snippets during that period. Apple had already suspended its reviews of recordings created by its Siri smart assistant after an exposé in The Guardian. The story revealed that a contractor claimed to have heard personal information, financial details and people having sex. The Cupertino-based company suspended the reviews, a process known as grading, while it re-examined its process.

Amazon has updated its privacy settings for its Amazon Echo and Alexa services. Users can now opt out of having humans review their recordings.

But no matter what the outcome of the German authority’s investigation is, the case could change how businesses ensure they comply with privacy rules. “How German regulators approach the situation of voice assistants and how Google itself interacts with regulators will create precedent for RegTech companies to refine their risk profiles for GDPR audits,” says Tim Mackey, principal security strategist at Synopsys CyRC, the software company’s cybersecurity research centre, speaking exclusively to RegTech Analyst. “Of particular note is that unlike with a personal computer or a device owned by a single individual, voice assistants could process the vocal information from different people – some of whom may not be in a position to provide consent, even if processing required consent and the vendor sought explicit consent.”

This is not the first time Google has had problems with GDPR. In January 2019, the National Data Protection Commission (CNIL), the French privacy watchdog, fined Google €50m for breaching GDPR over how consent was obtained when Android phones were set up.

The decision was reached after CNIL found it too difficult for users to find out how their data was being used and concluded that users’ consent had not been validly obtained. It also found that Google had engaged in so-called consent bundling by telling users to create a Google account in order to get the best use of their device. Setting up the phone and setting up an account should have been separate steps rather than bundled together, CNIL held, as GDPR does not allow consent to be bundled in this way.

According to Mackey, this decision highlighted that regulators were sending a message to tech companies about GDPR: responding to a breach is not enough to be compliant, and privacy regulations must be considered when a product is designed. This is relevant to the current Google Assistant case. “[We] see that regulators are looking not only at overall product design as it relates to privacy, but also the processes organisations use when supporting and improving their products,” he says.

Mackey adds that the case could also have ramifications for cybersecurity vendors. “Awareness that digital assistants might be constantly transmitting audio information to a cloud service gives attackers new opportunities to design attacks,” Mackey explains. “Defenders within cybersecurity teams should similarly be using this information to refine their threat models. Given home users don’t have cybersecurity teams, we must rely on vendors to best secure their devices, our information and the communications channels in use. How Google responds will be key in understanding the future state for digital voice assistants.”

Whether Google has fallen foul of GDPR in how it handled Google Assistant recordings is still unclear. But businesses around the world had better keep an eye out for the verdict. “Given the global popularity of these devices, whatever the outcome, it is likely to be felt outside the EU,” Mackey concludes.