Mr. Dale Sunderland:

Our role as regulator is to ensure that the entire process is compliant. At this stage, we are more concerned about the systemic issue and nature of the processing from the start of the installation of the product through to the use of the data at the other end. There may be multiple uses for that data. We do not receive, nor do we ask for logs. We are trying to stand back and look. In the case of misactivations, we want to know what the company has done to minimise the incidence of misactivations. They should be baked into privacy design, and, equally, dealing with misactivations, the way that is dealt with in privacy design and how it is implemented into processes. Companies have introduce features such as on device screening to understand if a person is actually engaging with the device before it starts to record. There are also further screening processes on the server side.

Misactivations still happen. As I noted in my opening remarks, this is a concern for us and we think more needs to be done. The Deputy is quite right that we are talking about private conversations in the home and in the workplace and many users were not, and still are not, aware that such misactivations can take place. An interesting aspect that arose in the human review of voice recording was that there was no awareness whatever that humans would take a voice recording and examine it to see if the algorithm was working correctly. The companies we have engaged with as lead supervisory authority have all enhanced their transparency requirements to say that this processing takes place.

On whether something more needs to be done, GDPR holds the tools because the processing of data, from the point it is collected, must be legitimate, fair, lawful and transparent. It is about the application of those important data protection principles at each step of the processing of personal data. From the moment someone says something, there should be safeguards and protections built in to ensure voice recordings are only taken when someone intends to engage with the device. As Dr. Cowan said, data protection by design or default are fundamental principles of data protection law. My colleague, Mr. Ultan O'Carroll, has recently completed work as a co-rapporteur on the European Data Protection Board's guidelines on data protection by design and default. They are now out for consultation. It is something we want to see more of from the companies concerned. Before one ever starts to collect data - before the new ways of processing personal data to provide services is even designed - data protection concerns should be built in. Along the chain, one should look at what safeguards can be built in. It may be minimisation of clips or anonymisation of voice recordings. There is a legitimate purpose for this review but it is about what the company needs to do to ensure the risk is minimised.