Guidelines on Virtual Voice Assistants have been published by the European Data Protection Board (EDPB).
A virtual voice assistant (VVA) is a service that understands voices and responds to instructions at the request of a user’s voice that it recognises – such as a request to play a song or to conduct a search. A VVA may be a standalone device or it might be integrated in smart speakers, smartphones, household appliances, connected vehicles, etc.
Challenging privacy and data protection issues can arise in relation to the use of VVAs.
In order to operate successfully, VVAs have access to a significant amount of personal information, which should be managed in compliance with the GDPR and the ePrivacy Directive. Compliance is necessary or VVA service providers and related stakeholders will face the scrutiny of a data protection supervisory authority.
These Guidelines published by the EDPB highlight the most obvious compliance issues and provide recommendations on how to address them.
We have outlined below the main issues identified by the EDPD and its suggestions on how to address them.
VVA providers or designers of screenless terminal VVAs should develop voice-based interfaces to facilitate the communication of mandatory information under the GDPR to VVA users. This mandatory information relates to the GDPR’s transparency obligation: data controllers are obliged to inform users of the processing of their personal data in a concise, transparent and intelligible form and in an easily accessible way.
VVA service designers should refrain from bundling a VVA service with other services in user accounts such as email, purchases, or video streaming. That is because lengthy and complex privacy policies would not comply with the data controller’s obligation of transparency under the GDPR. If a user’s VVA account is linked to another independent service, however, the data controller’s privacy policy should have a clearly separated section on the VVA processing of personal data.
Processing VVA data is considered to be strictly necessary where it is done in order to execute a user’s request (i.e., to provide a service requested by the user), and therefore data controllers need not obtain prior consent pursuant to the ePrivacy Directive.
Consent would be required where information is stored or accessed for any other purpose than executing a user’s request. Users expect that their voices are processed for the sole purpose of interpreting their queries and providing meaningful responses. Therefore, users should be able to separately consent (or not consent) to the manual review and labelling of voice transcriptions or the use of their voice data for other purposes, such as identification or authentication, for example.
The storage of personal data by VVA services until users request deletion is not compatible with the principle of storage limitation under the GDPR. VVAs should store data for no longer than is necessary for the purposes for which the personal data are processed and, therefore, the relevant data retention periods should be linked to different processing purposes. In light of the principle of data minimisation, data controllers need to limit the data storage period, the type of data stored, and the quantity of data stored. This could include implementing technologies that delete background noise in order to avoid recording and processing background voices and situational information.
Where a data controller becomes aware of the accidental collection of personal data, the data controller should verify that there is a valid legal basis under the GDPR for each purpose of the processing of such data. Otherwise, the accidentally collected data (i.e., the voice recording and all associated data) should be deleted.
It should always be obvious to a user whether or not a VVA is in record mode and this information should also be accessible to persons with disabilities.
Users should also be made aware of the kind of information that a VVA can derive about its surroundings (for example background noise or music, speech from non-users, etc.)
VVA providers or designers should implement access control mechanisms to ensure the confidentiality, integrity and availability of personal data, but traditional methods such as passwords are not practical or appropriate. VVA designers and app developers should provide secure, state-of-the-art authentication procedures for users. Human reviewers of voice recordings should always receive pseudonymised data and the legal agreements governing the review should expressly forbid any processing that could lead to the identification of the data subject.
Voice recordings may contain background noise including the voices of other individuals, which is not necessary for the provision of the service. If possible, VVA designers should consider employing technologies that would filter the unnecessary data and ensure that only the user’s voice is recorded.
Due to the amount of personal data that VVAs can access, the EDPB considers that data controllers and data processors that are engaged in, or connected to, the provision of VVA services must be aware of their obligations under the GDPR and the ePrivacy Directive.
The Guidelines provide welcome recommendations as to how to address the compliance challenges posed by VVAs, which have become omnipresent, indeed many of us are now continually in the vicinity of a VVA.
For more information please contact Aideen Burke.
We regularly publish useful content on a wide range of legal and business topics. Please click the button below if you would like to receive these by email.
Subscribe