Under GDPR’s Article 66, Google has been ordered to stop manually reviewing audio recordings from its Google Assistant Service because the process breaches data protection laws.
This follows a data breach last month of more than 1000 recordings. A Belgian News Site, VRT, was able to identify people from the clips given to them, including such data as their addresses and medical conditions.
While Google has taken steps to report the breach to the Irish Data Protection Commission (DPC), it’s the fact that it has been forced to stop processing this data that is most significant here.
As reported by TechCrunch:
The real enforcement punch packed by GDPR is not the headline-grabbing fines, which can scale as high as 4% of a company’s global annual turnover — it’s the power that Europe’s DPAs now have in their regulatory toolbox to order that data stops flowing.
“This is just the beginning,” one expert on European data protection legislation told us, speaking on condition of anonymity. “The Article 66 chest is open and it has a lot on offer.”
This seems to be the first time that Article 66 has been implemented, but it demonstrates that GDPR is a powerful tool for data protection regulators. Not only can it levy big penalties after a data breach has occurred, it can force organisations to change their procedures.
The key requirement is that there is an “an urgent need to act in order to protect the rights and freedoms of data subjects”, which there was here.
This case also demonstrates that data can include such things as video and audio recordings. Personal data is anything that can be used to identify a person, whether on its own or in conjunction with other information.