It’s not uncommon for people to struggle with Amazon Alexa — but possibly not quite like one customer in Germany.
After requesting his data from Amazon, as allowed by the EU’s General Data Protection Regulation (GDPR), the man mistakenly received 1,700 audio recordings from someone else entirely, accompanied with PDF transcriptions of all the requests the other person had ever made.
“The alarms, Spotify commands, and public transport inquiries included in the data revealed a lot about the victims’ personal habits, their jobs, and their taste in music,” revealed Germany’s c’t magazine. which has reviewed the trove. “The audio files were recorded in a stranger’s living room, bedroom, and shower. ”
c’t were able to identify the other person from the Alexa inquiries and reached out to him via Twitter. Naturally, the individual instantly complained to Amazon, which provided him with a free Prime membership and two more Echo speakers as compensation.
“This was an unfortunate case of human error and an isolated incident,” an Amazon rep told Fortune. “We have resolved the issue with the two customers involved and have taken steps to further improve our processes. We were also in touch on a precautionary basis with the relevant regulatory authorities.”
It’s not the first time Amazon has mistakenly sent Alexa recordings to third parties. Back in May, just before GDPR went into effect, a family’s Alexa sent private recordings to a random contact.
GDPR is the world’s most sweeping data privacy regulation and comes with severe penalties for companies that violate the law — up to 4% of a company’s global revenue. According to GDPR, every company must allow users to request their own data and must notify authorities within 72 hours of any data breach.
The incidents raise the question of whether tech companies are even capable of complying with GDPR rules. Particularly, as the German who requested his information in the first place does not own an Echo speaker — and has never used Alexa in his life.