The data protection authority (DPA) of the German federal state of Hamburg recently opened administrative proceedings against Google. The proceedings relate to Google’s “Google Assistant” system, the natural language assistant behind the “Google Home” speaker, and to transcripts of its recordings. The Belgian public broadcaster VRT NWS recently revealed that recordings from “Google Assistant” were systematically listened to and transcribed by humans: Google contractors. In 153 out of 1000 audio clips leaked to VRT NWS, digital assistant users didn’t even use the command “Google” or “OK Google” to start recordings. Google defended its practice by stating that these recordings began due to a misunderstanding. Nevertheless, Google agreed with the Hamburg DPA not to submit European “Google Assistant” recordings to human review for a period of 3 months.
Google’s European headquarters are in Ireland. According to the “one-stop-shop” provisions of the EU General Data Protection Regulation (GDPR), namely Art. 56 par. 6, the lead supervisory authority “shall be the sole interlocutor of the controller or processor for the cross-border processing carried out by that controller or processor”. The lead supervisory authority of Google in Europe, according to Article 56 par. 1 GDPR, is that of Ireland. However, the Hamburg DPA invoked Art. 66 par. 1 GDPR according to which, due to exceptional circumstances, any DPA may “immediately adopt provisional measures intended to produce legal effects on its own territory with a specified period of validity which shall not exceed three months”.
Our readers might remember another Google case, of January 2019, where the French DPA CNIL imposed a fine of 50 million € on Google and called out the need for internet giants to clearly state how they process personal data, in a transparent and accessible way. Another important aspect of the decision was how the French DPA substantiated its own responsibility to handle this case. The authority said that, “when the CNIL initiated proceedings, the Irish establishment did not have a decision-making power on the processing operations carried out in the context of the operating system Android and the services provided by GOOGLE LLC, in relation to the creation of an account during the configuration of a mobile phone”. The CNIL justified its own competence by saying that, since the design of the relevant Google functions was really done in the US, any DPA in Europe was competent, including the French authority.
“Forum shopping”, in the legal context, is the practice of selecting the competent court to oversee a specific case, when one of the parties wants to have its case decided by a court where it expects the most favorable (or the fastest) judgment. This goes against the principle of exactly one “lawful judge”. The same may occur when a person or an organization brings a claim against a multinational before a DPA. The parties in the French case included an NGO (Max Schrems’ “None of Your Business”) that has the resources to carry out proceedings in Ireland, and has done so in other cases. In this case, they consciously chose France as the forum and were successful with that choice.
Art. 62 GDPR provides for joint operations of several supervisory authorities, and Art. 63–65 GDPR establish a coherence mechanism between them. In both Google cases these mechanisms were not used. Instead, the DPA that acted first might have set lasting standards. One may doubt whether this behavior by the DPAs will contribute to a uniform application of the GDPR, which is its express aim (Art. 63 GDPR). The “fast mover” politics, or race to fame, of some DPAs may contribute to high standards of data protection, for the moment. But there may be another wave, in another direction, when processor companies make the first step.
Companies developing products that could raise privacy concerns have the means to get these concerns cleared before going to market with their products. They can carry out a data privacy impact assessment (DPIA) in some country and start a prior consultation with its DPA over their product, according to Art. 36 GDPR. They could also seek an informal consultation with the DPA of their location (according to national law) that may lead to the DPA giving a public opinion according to Art. 58 par. 3 b. By doing so, they could prevent other DPAs from imposing fines and creating negative publicity.
Perhaps some more bold decisions in different directions will first have to be passed before the coherence provisions of the GDPR are really used.
European harmonization of data protection rules will be a fascinating subject for years to come. IT companies active in several European countries have good reasons to closely watch these trends.