New EDPB guidelines on virtual voice assistants
The European Data Protection Board (EDPB) recently published its draft Guidelines 02/2021 on Virtual Voice Assistants (VVAs). VVAs have been integrated in smartphones, smart speakers, vehicles, TVs, etc. and may bring many advantages for users. A core activity of such VVAs is processing personal data, hence they have been under the scrutiny of data protection authorities.
The GDPR applies as does the e-Privacy Directive. Whenever information in the VVA is stored or accessed, it is considered as being ‘terminal equipment’. The EDPB now provides guidance to all actors in the VVA ecosystem.
You will find hereafter some takeaways of these Guidelines.
From VVA designer to end user
The Guidelines start by identifying the actors in the VVA ecosystem. On the one end of the spectrum, there is the VVA designer, responsible for its development and for defining its capabilities. On the other end of the spectrum, there is the user – whether registered (the person that sets up the VVA) or not (family, colleagues, etc.). Users can also be accidental users in case the VVA wakes up and registers voice recordings without them being aware.
Depending on the situation, more actors in the ecosystem can be identified:
- the developer of applications extending the VVAs capabilities;
- the integrator manufacturing a connected object and equipping it with a VVA; and
- the owner of an accommodation, a professional environment, a rental vehicle etc. providing a VVA to its customers.
The EDPB stresses that each actor processing or exchanging data should be clearly defined as either controller or processor, and that data minimization must be kept in mind at each step.
Performance of contract as legal basis for core activity – otherwise consent
The EDPB distinguishes four main processing purposes:
- executing users’ commands;
- improving the VVA through machine learning (includes human review of the data);
- identifying the user through voice; and
- advertising and personalising content thanks to profiling.
For the first purpose, the performance of a contract with the user is the legal basis. This can also be the case for the fourth purpose of profiling users for personalised content if this is an intrinsic element of the VVA service, expected by the user.
Otherwise consent will be the legal basis, as it is for the second and third purpose and for profiling users for advertising purposes. It is also worth noting that voice used to identify the users is biometric data and requires explicit consent. The EDPB specifies that consent can only be obtained from registered users. For non-registered users, VVAs should therefore only execute commands.
Immediate deletion of voice recordings where possible
After executing a user’s command, the personal data should be immediately deleted, unless there is a legal basis for further processing. This can be a legal obligation requiring certain storage periods, like purchase evidence for tax regulation. The same goes for accidentally processed personal data (following an accidental wake up of the VVA).
When controllers become aware of it, they should either verify that there is a valid legal basis, or immediately delete the data.
Some VVAs store currently personal data by default for an undefined period, and rely on users to delete them. The EDPB instead advises controllers to define storage periods. It also points to the possibility of anonymising recordings by removing situational information and anonymizing the voice.
Transparency and data subject rights through the vocal interface
The vocal interface is also an important mechanism for the exercise of data subject rights. All users (registered or not) must be able to exercise their rights through voice commands. At the end they should be informed that their rights have been duly factored, for example by voice or by a message to the user’s account.
The EDPB also provides guidance on the processing of children’s data, on security, and accountability. Importantly, it specifies that it is very likely that VVA is a processing activity which requires a Data Protection Impact Assessment (DPIA).
The EDPB will start examining the comments received during the public consultation and will publish a final version within the coming months of the Guidelines.