Article written by Haim Ravia and Dotan Hammer
The panel of data protection authorities of the member states of the European Union (European Data Protection Board – EDPB) has published its guidelines on Virtual Voice Assistants (VVAs) for public comments. The draft guidelines emphasize that Virtual Voice Assistants, by their very nature, process voluminous personal data, which in turn warrants special attention to their data protection implications. Also, given that VVAs usually entail data storage in the user’s device, the Directive on privacy and electronic communications (ePrivacy Directive) applies as well, alongside the GDPR.
The draft guidelines discuss various data protection topics underpinning VVAs. Data subject rights – such as data correction, deletion, and request for a copy of the personal data processed – must be accessible to the data subject as voice commands.
Because the GDPR mandates that a legal basis be identified for each form of processing, the guidelines indicate that processing personal data for the proper performance of the user’s voice commands could be based on the need to perform a contract for the provision of a service. However, use of the personal data for quality assurance purposes and product improvement cannot be justified under that legal basis. Moreover, an organization developing VVA technology for another company may be considered a data processor for the other company (the controller), yet if the technology-developing organization processes the data for its product improvement purposes, it would be considered a data controller for that processing.
The guidelines go on to explain that processing a user’s voiceprint to identify the user entails the processing of a “special category” of personal data, namely biometric data. Such processing can ordinarily be legitimized only through the data subject’s freely given consent. For consent to qualify as “freely given”, the VVA must offer users the choice of equivalent functionality that does not entail processing a user’s voiceprint. Also, the voiceprint data should be stored on the user’s local device, and not on a remote server.
The guidelines are open to public comments until April 23, 2021.
The full text is available as the European Data Protection Board’s Draft Guidelines 02/2021 on Virtual Voice Assistants.