May 28, 2020

May 27, 2020

Subscribe to Latest Legal News and Analysis

May 26, 2020

Subscribe to Latest Legal News and Analysis

Hamburg Data Protection Commission: Declaring a Data Emergency

On August 1st, the Hamburg Commissioner for Data Protection and Freedom of Information announced that the Hamburg Data Protection Commission (HDPC) had opened an administrative procedure to prohibit Google from carrying out evaluations of their voice assistant program by employees and third parties for a period of three months.

This could be a warning shot to big businesses that engage with European data that enforcement authorities are unafraid to utilize urgency procedures when modes and forms of data processing offend the spirit of the GDPR.

Google analyzed recordings of user interaction with their voice assistant program to “help improve [their] services.” A Google contractor working as a Dutch language reviewer handed more than 1,000 recordings to the Belgian news site VRT which later identified some of the individuals in the audio clips, and included personal information including addresses, medical information, and recordings of individuals in distress. News of this leak led to increased scrutiny of voice assistant programs by journalists and enforcement authorities.

The General Data Protection Regulation (GDPR) reserves the initial supervision authority over enforcement orders to the head of office of the responsible body in the particular GDPR member state where the data is processed. Google has designated Ireland as the location of its data services in Europe, and therefore would be under the purview of the Irish Data Protection Commission (IDPC). However, Article 66 of the GDPR provides data protection authorities in other GDPR member states the opportunity to enforce within their own jurisdiction for a period of three months if there is an urgent need to protect the rights and freedoms of those concerned. Use of Article 66 powers is unprecedented, and lends itself to the care by which GDPR member state enforcement authorities impose urgency procedures.

The HDPC believes that the temporary halting of Google’s voice recording evaluation process is necessary. The HDPC essentially argues that the effective protection of those affected from listening to, documenting and evaluating private conversations by third parties can only be achieved by a timely execution of Article 66.

Copyright © 2020 Womble Bond Dickinson (US) LLP All Rights Reserved.


About this Author

Theodore Claypoole, Intellectual Property Attorney, Womble Carlyle, private sector lawyer, data breach legal counsel, software development law
Senior Partner

As a Partner of the Firm’s Intellectual Property Practice Group, Ted leads the firm’s IP Transaction Team, as well as data breach incident response teams in the public and private sectors. Ted addressed information security risk management, and cross-border data transfer issue, including those involving the European Union and the Data Protection Safe Harbor. He also negotiates and prepares business process outsourcing, distribution, branding, software development, hosted application and electronic commerce agreements for all types of companies.


Dominic Dhil Panakal Womble Atlanta

Dominic is a member of the firm’s IP Transactions, FinTech, and Privacy and Cybersecurity practices.

Dominic advises clients on international and domestic data privacy laws.  He also assists in drafting Software as a Service agreements, privacy policies, terms of use, and licensing contracts.