“Alexa, am I a data controller?”

Over the years, developments in technology led to the adoption of the General Data Protection Regulation (GDPR). The GDPR was designed to harmonise data protection laws across EU member states, as well as provide a more solid foundation for the protection of personal data, fit for the 21st century.

The regulation lays down personal rights and scrutinises the processing of individuals’ personal data. It does so through limits on data collection, control of extraterritorial data flows, and control of data processing.

The rise in popularity of ‘smart speakers’ raises interesting and important questions for data protection, given their ability to collect large amounts of very personal data.

Producers of smart speakers, such as Amazon or Google, come under the GDPR as data controllers. Data controllers are defined as “a natural or legal person, which alone or jointly with others, determines the purposes and means of personal data processing.”[1] Seeing as voice recordings are a form of personal data, it is important that data controllers are governed by laws broad enough to cover the issues they can raise.

The role of a data controller is to determine how personal data is to be processed, i.e., they are the managers of the personal data. Controllers are supposed to “require data protection by design and by default”, meaning that appropriate technical and organisational measures must be in place at all times, from the point at which it is determined how the data will be processed through to the actual processing itself.

This definition leads to two interesting questions with regard to smart speakers: first, can the owner of a smart speaker be considered a joint controller? Second, if this is the position, does the household exemption apply, and to what extent?

The degree and extent of control are core to determining the “responsibilities of each controller”, and whether a party is a data controller, jointly or individually. For the purposes of the GDPR, “control” is understood as the “truthful representation of factual control”.[2]

Arguably, an owner of a smart speaker has very little control over their device. They are limited to activation of the device, installation of apps, and the deletion of information. Comparatively, Amazon and Google have sole control of the processing cloud and extensive decision-making powers.

On this basis, one might credibly assert that owners of smart speakers are not de facto data controllers. Instead, it might be that owners are facilitators when activating the smart speaker.

So, if the owner were the data controller, could the household exemption apply? Article 2(2) of the GDPR excludes the processing of data “in the course of a purely personal or household activity”. This is further clarified by Recital 18 which elaborates that the phrase “purely personal or household activity” relates to activities falling within the management of a house, family or personal life, which is to exclude all professional or commercial activities regardless of whether the activities take place domestically. In the context of smart speakers, the vast majority of tasks performed will likely fall under the personal, family or household exemption. Further, the CJEU’s case law has interpreted this exemption very narrowly. Thus, owners of CCTV cameras recording parts of the public have been held to be outside of this exemption.[3]

However, in this context, owners as data controllers would arguably have responsibility for the information of guests, for example. In that instance, although the third party is in a private sphere, the information recorded by the smart speaker would arguably not constitute personal, family or household information if it were about the third party themselves.

In assessing whether owners of smart speakers should be liable, it is important to go back to first principles: what is the point of the data protection regime? Who is it trying to protect and why? Is there anything to be gained by considering private individuals jointly liable for data breaches along with companies like Amazon or Google?

In Wirtschaftsakademie, Attorney General Bot argued that an imbalance of power between potential joint controllers does not prevent the less powerful party from being classed as a controller, as a “substantive and functional approach” must be taken to assessing controllership.[4] In this vein, the Article 29 Working Party says that “a broad variety of typologies for joint control should be considered and their legal consequences assessed, allowing some flexibility in order to cater for the increasing complexity of current data processing reality”.[5]

However, we argue that it is inappropriate to give GDPR Article 2(2) a meaning so expansive as to risk making owners of smart speakers liable. It is possible to distinguish this position from the decision in Wirtschaftsakademie – a business running a Facebook page has a commercial interest in collecting and processing the data of its visitors, even if it cannot negotiate with Facebook over how this is done. By contrast, owners of smart speakers do not have such an interest; they are users of a product for purely personal benefit.

It is unclear how increasing the number of parties liable would increase the effectiveness of the GDPR. In case of a data breach, injured parties would be unlikely to be able to recover anything from the owner of the smart speaker. In any case, as De Conca points out, if the owner was in some sense the ‘real culprit’ behind the breach, then other law exists to protect the injured party (negligence, etc).[6] A loose analogy to product liability may be drawn here, where the manufacturer will usually be liable, not the intermediary.[7]

Additionally, this would fragment liability and potentially allow loopholes to open whereby powerful companies like Apple are able to hide behind users, who are nominally ‘controllers’, but who in fact have no influence over the product. AG Bobek has argued that this would dilute effective protection: “Making everyone responsible means that no-one will in fact be responsible”.[8] Therefore, we submit that private users of products should not count as controllers. If they do, then they should usually fall under the household exemption. The law, especially if it is based on fundamental rights[9], should protect individuals from those actually wielding power – in this case, big tech companies, not Alexa owners.

In sum, there is some ambiguity over whether owners of smart speakers are controllers under the GDPR – Wirtschaftsakademie suggests they are. Meanwhile, the household exemption is very narrow. We argue that they should not be controllers, or at least that the exemption should be expanded, so that those with de facto power are held accountable.

Footnotes

[1] Article 4(7) GDPR

[2] Ibid, Art 25

[3] Case C‑212/13

[4] Case C‑210/16, opinion of AG Bot, para 76.

[5] ibid.

[6] Silvia De Conca, ‘Between a rock and a hard place: owners of smart speakers and joint control’, 2020 Scripted 17(2), 266.

[7] ibid.

[8] Case C-40/17, opinion of AG Bobek, para 92.

[9] Preamble to the GDPR.