Comment on Joint Controllers and the Household Exemption

Hi guys, nice job on the article “Alexa, am I a data controller?”! We loved reading it and felt as though you truly walked us through the complexities arising from using smart speakers… it would dissuade more than one person from buying them!

After a thorough reading, we questioned who exactly the owner is. Some of us believed it was powerful companies like Google and Amazon, others felt it was the average consumer buying the speaker. These different perspectives led us to discuss controllership as well as the household exemption. 

The first point we discussed was that of controllership and the extent it should have.  

A lot of focus is placed on the idea that smart speaker owners have little control over their device. Arguably, since the owner can turn off the device/microphone and choose what information is being ‘listened’ to by the device (i.e. through trigger words), he may be found to have significant control over it. This could invoke the owner’s liability. This is the case where a third-party may visit the owner’s house, being unaware of the existence of a device, and have their data processed. An example could be where the owner uses the device in a way that provides information about other individuals. For instance, saying ‘Alexa, call John from the XYZ law firm’ includes information about John’s profession or ‘Alexa remind me to buy a gift for Nick’s wedding’ provides information about Nick’s marital status.

This element of control may have the same meaning as controller under the GDPR. The concept of owner entails someone using a product for one’s own use. Surely in a situation like this, they cannot be responsible for the processing of their own data, they are the data subject rather than controller. They are, however, like you discuss, a data controller under the GDPR definition where other people’s data is concerned. As mentioned above, users may be regarded as “controllers” because they have collected information from friends or other people and “indirectly” submitted them to the manufacturer (i.e., Amazon). In this case, it will be inevitable to discuss the household exemption, but more on this later.

We did however question an argument you put forward in the blog. You write that users should not be identified as controllers because it would dilute effective protection: “Making everyone responsible means that no-one will in fact be responsible”, but this is open to debate. Firstly, responsibility should not be evaded; giving users some responsibility can make them more cautious and careful when collecting information from others. Secondly, we agree that users’ responsibilities should be limited in situations of a data breach, but they should be held liable in proportion to their assistance. It is not suitable to use the concept of controller, as described under the GDPR, to hold them liable to the extent of a global tech giant like Amazon or Google.

The second point in the blog that sparked our interest was the household exemption and your position on its breadth.  

According to s2(2) of the GDPR, the household exemption applies where processing of data is carried out in the “course of a purely personal or household activity”. It is questionable whether the scope of the provision should be extended to protect individuals who enable third-party data processing through smart speakers. 

It is true that in the event of a data breach, the injured party cannot retrieve anything from the owner. However, the concept of controllership does not stem from whether something can be retrieved but rather if there was assistance in obtaining the data. Owning a smart speaker and being negligent in restricting the collection of data (e.g., turning the microphone off) puts the owner in a liable situation.

Logically, this facilitation should not enable an owner to be protected under the household exemption. They are liable for holding “decisive influence” (Fashion ID) over the collection of data, especially in their house. The transmission of data which is not their own is neither a personal nor household activity.

Furthermore, the household exemption in relation to smart speakers should continue to be narrow due to the large scope of information it can gather. Where most people will use these devices to monitor their daily lives (grocery shopping lists, etc.), some might also use it for professional reminders. This use of the smart speakers would lead them to, technically, fall under the household exemption but, in practice, cover data that is not personal. This could even be brought further and lead one to wonder what happens when a smart speaker user divulges professional information to the device and that information is covered by a non-disclosure agreement.

It is for all these intricacies related to the household exemption and the implications that it has in relation to data that, unlike you, we believe that the scope of the exemption should remain narrow.