Loyola University Chicago School of Law, JD 2019
Google answered Amazon’s Echo Dot by recently launching their own pint-sized smart speaker, the Google Home Mini. Recently, Google was forced to disable one of the features on the Home Mini after it was discovered that a technical glitch led to near 24/7 audio recording. Google responded quickly and appropriately, investigating the cause and quickly releasing an update to disable the hardware responsible for the glitch. The Equifax hack – a breach of personal data including social security numbers, driver’s license information, and other credit details – exposed nearly half the country and waited months to respond. Upcoming European legislation that can significantly impact American companies with European Union clients may be part of the reason for their drastically different responses.
Smart speakers & expectations of privacy
Smart speakers are a booming industry. Most operate in the same or similar fashion. A wake-up word triggers the device to begin recording, then the device sends the recording to a server for processing before executing its reply. The Google Home Mini adds a touch sensitive bar to the device which records and processes commands without a wake-up word. When a glitch caused the software to believe that the touch bar was always being pressed, the system malfunctioned and recorded constantly.
But what about everything said before the wake-up word? Or anything recorded when the wake-up word is accidentally said? The fact that these speakers have to listen 24/7 in order to function properly has not been overlooked for its potential use in law enforcement. The prosecution sought access to recordings that they thought may have contained incriminating evidence. Unfortunately, the court did not have to rule on the matter as the defendant voluntarily released the recordings. That means that the question still stands – does a citizen have a reasonable expectation of privacy when they’ve placed a recording device in their home? Importantly, Amazon claims that the recordings would have only been from after the trigger word but it is still possible, as was argued by law enforcement, that accidental recordings may have occurred if other noises tricked the device. As the Google Home Mini has shown, accidents can and do happen.
The impact of European law
The EU is set to begin enforcement on the EU General Data Protection Regulation (GDPR) on May 25, 2018. This comprehensive regulation will govern data privacy laws across Europe throughout member states and comes with harsh penalties if a company is found to be in violation. One of the harshest penalties that can be imposed is a fine equal to 4% annual global revenue for serious infringements. As the law hasn’t gone into full effect yet, it’s hard to say precisely what will count as a serious infringement. However, within the GDPR itself there is some guidance and it explicitly states that a serious infringement includes not having customer consent to process data or collecting data without consumer consent.
Consumer consent can come in the way of consent to privacy policies or terms of service and these policies are easy to find with a quick search (Privacy at Google, Privacy at Bing, Privacy at Facebook). However, under the GDPR these privacy policies must be written in plain language and it must be as easy to withdraw consent as it is to give it.
All of this circles back to the Home Mini accidentally recording at all times. Once the GDPR goes into full enforcement, Google could have faced fines up to 4% of its global revenue if they hadn’t responded quickly and informed customers about the breach by exceeding the scope of the consent, and also for processing the data. Even a technical glitch that exposes a consumer’s data results in liability to the company if they don’t promptly address the breach. Google, doing significant business in European Union companies and certainly looking at Europe as a major market for the Home Mini, would have been open to immense liability had they not promptly addressed and repaired the glitch.
Why Equifax could wait and Google couldn’t
Equifax’s response to their hacking scandal would have failed miserably under the GDPR. Global technology companies will be quickly forced to comply with GDPR, but the strong data protection afforded by the GDPR only governs how those companies act in the European nations and American has no federal law requiring companies to inform consumers of a breach, let alone in a timely manner.
The GDPR will give a 72-hour window for the data controller to inform a consumer of a breach. Google was made aware of the potential issue with the Home Mini after 4PM on a Friday; by that Sunday they had not only informed customers of the problem, but had fixed the issue (albeit by disabling a feature via an update).
Both the incredibly harsh penalty for the breach, and for the failure to inform customers could have certainly motivated Equifax to disclose their massive breach to the American people sooner if the United States had stronger data privacy laws similar to the GDPR. The Google Home Mini acts as a wonderful test run for how companies should react to privacy concerns, and how they will soon have to in Europe. It remains to be seen how widespread the GDPR’s impact on American companies and American law will be, but if companies like Google and Facebook want to avoid turning over massive amounts of revenue, you can be sure to see some changes to their European privacy policies.