Apple is facing fresh questions from its lead data protection regulator in Europe following a public complaint by a former contractor who revealed last year that workers doing quality grading for Siri were routinely overhearing sensitive user data.
Earlier this week the former Apple contractor, Thomas le Bonniec, sent a letter to European regulators laying out his concern at the lack of enforcement on the issue — in which he wrote: “I am extremely concerned that big tech companies are basically wiretapping entire populations despite European citizens being told the EU has one of the strongest data protection laws in the world. Passing a law is not good enough: it needs to be enforced upon privacy offenders.”
The timing of the letter comes as Europe’s updated data protection framework, the GDPR, reaches its two-year anniversary — facing ongoing questions around the lack of enforcement related to a string of cross-border complaints.
Ireland’s Data Protection Commission (DPC) has been taking the brunt of criticism over whether the General Data Protection Regulation is functioning as intended — as a result of how many tech giants locate their regional headquarters on its soil (Apple included).
Responding to the latest Apple complaint from le Bonniec, the DPC’s deputy commissioner, Graham Doyle, told TechCrunch: “The DPC engaged with Apple on this issue when it first arose last summer and Apple has since made some changes. However, we have followed up again with Apple following the release of this public statement and await responses.”
At the time of writing Apple had not responded to a request for comment.
The Irish DPC is currently handling more than 20 major cross-border cases, as lead data protection agency — probing the data processing activities of companies including Apple, Facebook, Google and Twitter. So le Bonniec’s letter adds to the pile of pressure on commissioner Helen Dixon to begin issuing decisions vis-à-vis cross-border GDPR complaints. (Some of which are now a full two years old.)
Last year Dixon said the first decisions for these cross-border cases would be coming “early” in 2020.
At issue is that if Europe’s recently updated flagship data protection regime isn’t seen to be functioning well two years in — and is still saddled with a bottleneck of high-profile cases, rather than having a string of major decisions to its name — it will be increasingly difficult for the region’s lawmakers to sell it as a success.
At the same time the existence of a pan-EU data protection regime — and the attention paid to contravention, by both media and regulators — has had a tangible impact on certain practices.
Apple suspended human review of Siri snippets globally last August, after The Guardian had reported that contractors it employed to review audio recordings of users of its voice assistant tech — for quality grading purposes — regularly listened in to sensitive content such as medical information and even recordings of couples having sex.
Later the same month it made changes to the grading program, switching audio review to an explicitly opt-in process. It also brought the work in house — meaning only Apple employees have since been reviewing Siri users’ opt-in audio.
The tech giant also apologized, but did not appear to face any specific regulatory sanction for practices that do look to have been incompatible with Europe’s laws — owing to the lack of transparency and explicit consent around the human review program. Hence le Bonniec’s letter of complaint now.
A number of other tech giants also made changes to their own human grading programs around the same time.
Doyle also pointed out that guidance for EU regulators on voice AI tech is in the works, saying: “It should be noted that the European Data Protection Board is working on the production of guidance in the area of voice assistant technologies.”
We’ve reached out to the European Data Protection Board for comment.