There are now over three billion smartphones and all of them have virtual voice assistants (VVAs), most activated by default. Furthermore, the recent rise of smart speakers (147 million were sold in 2019) is also bringing VVAs to millions of households and offices. A virtual voice assistant is a service capable of understanding voice commands and carrying them out or connecting with other IT systems if necessary. By their very nature, these VVAs process a high volume of personal data, meaning special attention must be paid to their data protection implications. This led the European Data Protection Board (EDPB) to publish Guidelines 02/2021 on Virtual Voice Assistants (VVAs) Version 2.0 on July 7, 2021.
The main aim of these guidelines is to identify some of the most significant compliance challenges and provide stakeholders with recommendations on how to tackle them. Moreover, since VVAs generally involve storing data on the user’s device, the Directive on Privacy and Electronic Communications (ePrivacy Directive) and the General Data Protection Regulation (GDPR) still apply.
These guidelines have been updated to take into account the comments submitted during the public consultation and deal with the following areas in particular:
- Technology background: The directives clearly define how VVAs work, as well as their functionalities, the forms of machine learning, and data storage and processing.
- Concept of data controller and processor: From a personal data protection viewpoint, several constants are present regardless of the type of VVA (that is, the type of device, the functionalities, the services or a combination of these) that a data subject can use. Those constants relate to the plurality of personal data, data subjects and data processing at stake.
Moreover, the main stakeholders can be identified under the role of a provider or designer, an application developer, an integrator, an owner, or a combination of these. Different scenarios are possible, depending on who is doing what in the stakeholders’ business relationship, on the user’s request, the personal data, the data processing activities, and their purposes. They should clearly decide and inform data subjects on the conditions under which each of them will act and comply with the resulting role.
- Principle of minimization and transparency: Data controllers are required to inform users of the processing of their personal data in a concise, transparent, intelligible manner, and in an easily accessible way. Failure to provide necessary information is a breach of obligations that may affect the legitimacy of the data processing. Furthermore, based on the principle of minimization, controllers must minimize the amount of data collected directly or indirectly and obtained by processing and analysis.
- Identification of users and creation of user profiles for personalized content or advertising: Using voice data to identify the user involves processing biometric data as defined in Article 4.14 of the GDPR. Therefore, the controller will have to identify an exception under Article 9 of the GDPR, as well as a legal basis under Article 6 of the GDPR. Among the exemptions envisaged in Article 9, only the data subjects’ explicit consent would appear to apply for this specific purpose.
Personalization of content may (but does not always) constitute an intrinsic and expected element of a VVA. Whether that processing can be regarded as an intrinsic aspect of the VVA service will depend on the precise nature of the service provided, the expectations of the average data subject in light not only of the terms of service but also the way the service is promoted to users, and whether the service can be provided without personalization. Regarding user profiling for advertisement, it should be noted that this purpose is never considered as a service explicitly requested by the end user. Therefore, in case of processing for this purpose, users’ consent must be systematically collected.
- Processing of children’s data: Children can also interact with VVAs or create their own profiles connected to adults’ profiles. Some VVAs are even embedded in devices specifically aimed at children. Therefore, when the legal basis for the processing is the performance of a contract, the conditions for processing children’s data will depend on national contract laws.
- Mechanisms for data subjects to exercise their rights: In compliance with the GDPR, data controllers providing VVA services must allow all users, registered and non-registered, to exercise their data subject rights. These rights include the right of access, the right to rectify their data, and the right to erase the data. The data controller must provide information on the data subject’s rights when they switch on a VVA and, at the latest, when the first user’s voice request is processed.
Authors: Alba Terés and Albert Agustinoy