Cloud-based spell checker: a risk for your data?
Data protection problems often arise where you least expect them. Modern IT environments, which are a closed book for many users, are particularly affected. A current example of this is the spell-checking functions of web browsers. What do these seemingly harmless little helpers have to do with data protection?
When the cloud is reading along
Professor Dr. Thomas Petri, the Data Protection Commissioner of the Free State of Bavaria, is sounding the alarm. In his regular briefings, he addresses data protection problems that particularly affect public bodies such as authorities and schools. In his latest briefing, Petri points out that web browsers are increasingly taking over tasks that used to be performed by programs on the hard drive. These include office applications in the cloud, digital files and online forms.
It becomes particularly problematic when the spell checker transmits personal data to third parties via the web browser - without the user noticing. While correction programs on your own computer do not raise any data protection issues, the situation is different with cloud-based applications. These often use artificial intelligence (AI) and can therefore raise data protection concerns.
Unnoticed data transmission: A nightmare for privacy
When a cloud-based AI application is used to correct spelling, data is transferred to the AI support provider. It is often unclear how this data is transferred and to what extent. The Bavarian State Data Protection Commissioner warns: "For the web browser, every piece of content is a website. So if an internal web application contains a text editor or form fields for text input, the spelling correction is applied in the same way as for any web form." This means that the spelling corrections can run unnoticed in the background.
GDPR does not provide a sufficient legal basis
The example of Google Chrome shows how difficult it is to maintain an overview here. There you can choose between a simple and an advanced spell checker. According to Google, no data is sent to the browser provider in the simple version. With the advanced version, however, the texts entered are sent to Google. Professor Petri concludes that public authorities in Bavaria need a legal basis in order to be allowed to use this AI for spell checking.
A legitimate interest in data processing pursuant to Article 6 para. 1 sentence 1 lit. f GDPR and consent pursuant to Article 6 para. 1 sentence 1 lit. a GDPR cannot be considered, as public authorities do not have a consent routine and data is often transferred unconsciously. It is also hardly reasonable to expect citizens to allow their personal data to be used without their knowledge to facilitate the work of public authorities. Even the performance of a task in the public interest in accordance with Article 6 para. 1 sentence 1 lit. e GDPR does not justify this. Professor Petri clarifies: "Convenience does not make necessity."
Increasing use of AI applications has advantages and disadvantages
On the one hand, they make everyday life much easier, but on the other hand, we must not underestimate the risks to data protection. It becomes particularly critical when personal data is transferred to third parties without the user's knowledge. Caution is required here! Public bodies should think carefully about whether they should rely on cloud-based spellcheckers or whether the tried-and-tested method on their own computers is the safer choice. Data protection must not be sacrificed for convenience!
