On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand and execute voice commands or coordinate with other IT systems. These tools are available on most smartphones and other devices and collect significant amounts of personal data, such as through user commands. In addition, VVAs require a terminal device equipped with a microphone and transfer data to a remote service. These activities raise compliance issues under both the General Data Protection Regulation (“GDPR”) and the e-Privacy Directive.
The four most common purposes for which VVAs process personal data are (1) the execution of user requests; (2) the improvement of the VVA machine learning model; (3) biometric identification; and (4) profiling in order to deliver personalized content or advertising.
The Guidelines provide those offering VVA services with recommendations on how to navigate the key compliance challenges, such as by offering voice-based interfaces that give users notice of data processing during installation. Service providers also should avoid bundling their VVA service with other services, such as email or video streaming, so as not to infringe the GDPR’s transparency principle with complex and lengthy privacy policies.
Providers also may encounter challenges with respect to the accidental collection of personal data or violations of the storage limitation principle where personal data is stored until proactively deleted by the user. It is recommended that VVA providers carry out a Data Protection Impact Assessment with respect to these services. Technical solutions also are suggested by the Guidelines, such as applying automated background-noise filtering.
The Guidelines provide that controllers should ensure that all data subjects (including those not registered as users of the VVA) are able to exercise their rights under data protection law using easy-to-follow voice commands. Confirmation that the request has been processed also should be provided by the VVA, either by voice or by a written notification to another device or account.
Comments on the draft Guidelines should be submitted by April 23, 2021.