EDPB publishes guidelines for virtual voice assistants
On March 12, 2021, the European Data Protection Board (“EDPB”) published its Guidelines 01/2021 on Virtual Voice Assistants for Consultation (the “Guidelines”). Virtual voice assistants (“VVAs”) understand voice commands and execute them or coordinate them with other IT systems. These tools are available on most smartphones and other devices and collect significant amounts of personal information, such as: B. via user commands. In addition, VVAs require an end device that is equipped with a microphone and transmits data to the remote service. These activities raise compliance issues under both the General Data Protection Regulation (GDPR) and the E-Privacy Directive.
The four most common processes that VVAs use to process personal data are (1) to perform user requests; (2) Improvement of the VVA model for machine learning; (3) for the purpose of biometric identification; and (4) profiling to provide personalized content or advertising.
The guidelines provide recommendations for those who offer VVA services to address key compliance challenges, such as: B. by providing voice-based interfaces to inform users about the data processing during installation. Service providers should also avoid bundling their VVA service with other services such as email or video streaming in order not to violate the transparency principle of the GDPR with complex and lengthy data protection guidelines.
Providers may also encounter problems related to accidental collection of personal data or violations of the limitation of storage principle when storing personal data until it is proactively deleted by the user. It is recommended that VVA providers conduct a data protection impact assessment in relation to these services. The guidelines also suggest technical solutions, e.g. B. the use of automated background noise filtering.
The guidelines provide that data controllers should ensure that all data subjects (including those who are not registered as users of the VVA) can exercise their data protection rights with easy-to-follow voice commands. Confirmation that the request has been processed should also be provided by the VVA either by voice or by a written notification to another device or account.
Comments on the draft guidelines should be submitted by April 23, 2021.