The European Data Protection Board (EDPB) published its draft Guidelines 02/2021 on Virtual Voice Assistants (VVAs), which are software services that take voice as an input, identify and execute a command or question, and interact with users or other devices. The guidelines provide a hands-on guidance for stakeholders across the whole VVA ecosystem.
The guidelines include a detailed overview of the technology background and a step-by-step description of the basic functioning of VVAs. In this regard, the EDPB notes that VVAs should not be confused with smart speakers, which are the hardware element in which the VVA is embodied. In addition, VVAs can appear in various other forms such as in personal mobile devices, connected cars, and in other IoT devices).
Data protection stakeholders and data subjects in VVAs
In order to properly match all participants throughout the VVA executive chain with their role and obligations in terms of data protection, the guidelines identify all stakeholders involved, including:
- Designer of the VVA – who designs and defines the functionalities of the VVA;
- VVA application developer – who creates applications to extend the VVA’s default functionalities;
- Integrator – who is the manufacturer of connected IoT devices, and would equip these with a VVA;
- Owner – who provides its own VVA;
- User – who uses the device (usually the owner and individuals connected to the owner, such as family members).
The complexity of scenarios where a VVA could be deployed affects the user side as well. Therefore, the EDPB identifies three categories of users:
- Registered users – who purchased the VVA device, and set up a user account for the configuration – (this category corresponds to the ‘owner’ in the VVA value chain);
- Non-registered users – who knowingly interact with the VVA set up configured by someone else;
- Accidental users – registered or not, who unknowingly use the VVA (e.g. by not knowing that the VVA is present).
Since VVAs process personal data, they must comply with the GDPR’s principles and obligations.
Using the interactivity of the VVA for transparency and displaying privacy policies
Regarding transparency, the EDPB urges utilising the interactivity of the VVA. Whether VVAs are attached to screens or operate on screenless devices, privacy policies should be easily available (e.g. as a link) at the time of the processing at the latest. Already existing practices could be included, such as a call centre notification scheme on calls being recorded and references to privacy policies. The given information should match the collection and the processing of personal data. Where VVA services are provided by companies offering diverse services such as VVAs, webshops, online market places and streaming services, users should be explained to what service the data collection relates to (e.g. e-commerce, web activities or telecommunication).
Purposes and legal basis of data processing: consent is not always needed
The EDPB identifies four main purposes and the corresponding legal basis for the functioning of the VVA. For executing user requests and to access already stored information, no prior consent is needed. However, for all subsequent processing, controllers need to obtain user consent, or, if there is a user account registered, they may rely on a contractual obligation (article 6 (1) b) of the GDPR) as a legal basis.
For manually reviewing voice data and transcripts to improve the VVA by machine learning, the EDPB considers consent as the only appropriate legal basis. User authentication using voice data on the other hand involves the processing of biometric data and is subject to higher protection under the GDPR. As biometric data is a special category of personal data, it's processing requires the explicit consent of the user. Finally, profiling in order to provide personalised services could be considered a contractually agreed service, and be based on fulfilling contractual obligations, whereas profiling for advertisements may only be carried out based on user consent.
Retention period and anonymisation
In regard to data retention, the EDPB recognises the need to store data for a longer time to comply with legal obligations based on factors such as tax laws. In addition, the EDPB recognises anonymisation as a method for deleting voice data. However, they recommend that before anonymisation, designers and developers of virtual voice assistants should check that the anonymisation process renders the voice unidentifiable. Any recordings made by mistake should also be deleted immediately after detection.
The guidelines also outline requirements on accountability, processing of children’s data and the exercise of data subjects’ rights.
The EDPB has launched a public consultation on the draft guidelines. Comments can be submitted by 23 April 2021.
You can read the draft guidelines here. For an overview on VVAs and smart speakers, read the EDPS TechDispatch on the topic.
Co-authored by Anna Zsófia Horváth.
For more information, contact your regular CMS partner or local CMS experts: Dora Petranyi, Katalin Horvath and Marton Domokos.