On March 12, 2021, the European Data Protection Board (EDPB) opened a public consultation about their new guidelines on Virtual Vocal Assistants (VVA) which were adopted on March 9, 2021.
The EDPB draws attention to the fact that “[a] virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed” and “[r]ecent technological advances have greatly increased the accuracy and popularity of virtual voice assistants (VVA)” which “have [popularly] been integrated in [different devices such as] smartphones, connected vehicles, smart speakers and smart TVs”.
The EDPB highlights that “[d]ue to their role, VVAs have access to a huge amount of personal data including all users’ commands (e.g. browsing or search history) and answers (e.g. appointments in the agenda)” and that the integration of Virtual Vocal Assistants in various devices “has given the VVAs access to information of an intimate nature that could, if not properly managed, harm the individuals’ rights to data protection and privacy.”
Highlighting that “VVAs and the devices integrating them have been under the scrutiny of different data protection authorities” over the years, the EDPB’s guidelines seek “to provide guidance as to the application of the GDPR in the context of the VVAs.”
- In the first chapter, the EDPB’s report offers an overview of the “technology background” of VVA, including its basic characteristics, the actors surrounding the VAA ecosystem, a step-by-step description of the functioning and means of activating the system, a focus on “the wake-up expressions” that are used to activate the device, and lastly an explanation of “voice snippets and machine learning”.
- The second chapter’s main objective is to analyse “elements of data protection” law. The first part of this chapter examines the EU legal framework relevant to VVA, the second part focuses on “the identification of data processing and [the different VVA] stakeholders” and the third and fourth parts focus respectively on the transparency principle and the “purpose limitation” principle. In the final sections of the chapter, the EDPB emphasises the specific issues raised by the processing of children’s data (3.5), but also calls into question the issue of data retention (3.6), the security of VVA’s personal data (3.7) and the processing of special categories of data (3.8). Finally, the report analyses the issues of data minimization (3.9), accountability (3.10), and looks at data protection “by design” and “by default” principles (3.11).
- The third chapter of the report focuses on the mechanisms by which data subjects are able to exercise their rights, such as the right to access (4.1), the right to rectification (4.2), the right to erasure (4.3), and finally the right to data portability (4.4).
- Finally, the annex of the EDPB’s report focuses specifically on “automatic speech recognition, speech synthesis and natural language processing”.
The EDPB indicated that comments on these new guidelines are welcome and that contributions should be sent by April 23, 2021.