Jennifer Cobbe asked this question on Twitter:
Question for ePrivacy Directive fans: if I was a provider of a cloud AI service and I siphoned off input data originating with end-users so that I could use it to improve my models, would that activity fall under Art 5(1)?
Say, for the sake of argument, this is a speech-to-text transcription service used by a user-facing mobile application. The end-user’s voice data goes to my server, I process it, and send the text back to them. I retain a copy of some input data for model training.
Is sending data to a speech-to-text service a “communication” for the purposes of the Directive? It seems to be “information exchanged or conveyed between a finite number of parties” (i.e. the end-user and the cloud provider)
If so, does this extra use of the data - retaining a copy for model training - fall within “listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users”?
My initial answer
My initial answer was this:
Gut reaction is that no, the cloud service provider is the intended recipient of the communication, and is processing the data communicated to it by the user. Akin to, say, eBay analysing what a seller uploads to its platform.
Jennifer asked for my thinking, so here it is.
It’s the telecoms regulatory framework
We’re talking here about the telecoms regulatory framework. In particular, the ePrivacy directive (2002/58/EC).
The relevant bit is Article 5(1):
Member States shall ensure the confidentiality of communications and the related traffic data by means of a public communications network and publicly available electronic communications services, through national legislation. In particular, they shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned, except when legally authorised to do so in accordance with Article 15(1). This paragraph shall not prevent technical storage which is necessary for the conveyance of a communication without prejudice to the principle of confidentiality.
1.) The “cloud AI service” is neither a PECN and PECS, so a Member State is not required to prohibit storage of the communication by it
The scope of the limitation / requirement is:
communications and the related traffic data by means of a public communications network and publicly available electronic communications services
In my view, the “cloud AI service” in Jennifer’s question is neither a public communications network, nor a publicly available electronic communications service.
My rule-of-thumb test is that a network is the physical infrastructure over which information is carried, an electronic communications service is the service which carries the information over that network.
Here, the “cloud AI service” is the endpoint: it’s the destination of the user’s traffic. I’d see it is as (only) an information society service.
In other words, once the traffic has reached the cloud AI service, it is no longer a communication “by means of a public communications network and publicly available electronic communications services”, and so falls outside the scope of the limitation that Member States are required to impose.
2.) It’s only a “communication” while in the course of transmission. Post-termination, it’s no longer a “communication”
Article 2(d) contains the definition of “communication”:
‘communication’ means any information exchanged or conveyed between a finite number of parties by means of a publicly available electronic communications service.
In a similar vein to the point above, there’s an argument — and a reasonable one, IMHO — that something is a communication only for so long as it is “exchanged or conveyed … by means of a publicly available electronic communications service”.
Once the exchange / transmission / conveyanced is over — once it has been received / terminated — it is no longer a “communication”, and thus it falls outside the scope of what a Member State is required to prohibit.
Taking this, and the previous point, together, one might argue that, once something is a communication, it remains a communication even after it has been received at the (in this case, intended) destination.
That is definitely arguable, in my view, but I don’t think it makes sense.
Keeping a copy of an email
I get, and send, the occasional email.
If the thesis that something communicated over a PECS remains a communication after it is terminated, and that the prohibition on listening, storage, tapping etc. applies to the recipient of the communication, storing email would be prohibited, unless the user consented (which is highly unlikely and, in any case, is revocable) or there was an exception.
Must one look to the national implementation of the lawful business practice exception to determine if a business is entitled to retain a copy of an email sent by a prospective customer?
I don’t think so.
Or a tweet, or an uploaded photo, or an auction description, or…
If every single thing that a user transmits over the Internet remains a communication, and is subject to the national law’s prohibition on storage in the hands of the person to which they’ve transmitted it, then there are an awful lot of situations in which the recipient is relying on either the user’s consent, or the lawful business practice derogation.
To my mind, that cannot make sense.
Consent is a high threshold: is it really the correct interpretation of the law that, when I upload a photo to an online storage service, I am consenting to that storage? If I were thinking in GDPR “lawful basis of processing” terms, I doubt I would be relying on consent.
And storage of my photo does not fit comfortably into Article 5(2) either:
Paragraph 1 shall not affect any legally authorised recording of communications and the related traffic data when carried out in the course of lawful business practice for the purpose of providing evidence of a commercial transaction or of any other business communication.
When the online service stores my photo, is it doing so “for the purpose of providing evidence of a commercial transaction or of any other business communication”.
No. It’s doing it to provide me with a service.
The prohibition may not even apply to user-to-computer communications
The second sentence of Article 5(1) says:
In particular, [Member States] shall prohibit listening, tapping, storage or other kinds of interception or surveillance of communications and the related traffic data by persons other than users, without the consent of the users concerned
The key bit is “by persons other than users, without the consent of the users concerned”.
“User” has a narrow definition:
‘user’ means any natural person using a publicly available electronic communications service, for private or business purposes, without necessarily having subscribed to this service;
Only a human can be a “user”, as only humans are “natural persons”.
But the prohibition envisages that a communication has users, plural. Not a user, but users.
In the context of someone phoning their partner, there are two users: the person at each end of the call.
But what if the A party leaves a voicemail: they are talking to a computer. The requirement of users is not met, or at least is met only indirectly.
In the situation at hand, there is a user, and they are sending the recording of their voice to a computer, for text-to-speech recognition. But they are the only user, assuming it is a genuine machine-based translation and not a Mechanical Turk.