EDPB adopts guidelines on virtual voice assistants
Virtual voice assistants (VVAs) are becoming mainstream. What are the data protection implications and how does the European Data Protection Board (EDPB) suggest you address them?
The key takeaway
The EDPB’s recently adopted draft guidelines identify some of the most relevant compliance challenges with VVA’s and include recommendations on how to address them. These focus on improved transparency, for example giving users better access to privacy policies and clearer information on how their data is being processed for e-commerce and telecommunication services. The guidelines also note that consent might not always be required for the processing of user data and set out the specific legal basis for the processing of VVA data.
The draft guidelines
The EDPB adopted its draft guidelines on 9 March 2021 and started a consultation on them on 12 March 2021, which closed on 23 April 2021. The EDPB aims to publish a final version later this year once it has received the feedback.
As VVAs process users’ personal data in their functionality, they must comply with the legal requirements under the General Data Protection Regulation (GDPR) and the e-Privacy Directive. Some of the key areas the new guidelines address are as follows:
- briefer privacy policies and improved transparency – VVA developers are encouraged to refrain from using lengthy and complex privacy policies and to better communicate them, either through a display (if the device has one) or through voice-based interfacesm
- requirement for registration – currently VVAs only require a single registration for the use of all of the VVAs’ functionalities, but the EDPB now recommends that developers implement requirements for users to register separately for all the different services, thereby enabling data protection by design and by default.
The guidelines also address the possible legal basis for the processing of personal data by VVAs, specifically in relation to executing requests, improving the VVA machine learning model, biometric identification and profiling for personalised content or advertising. For the purposes of executing users’ commands, VVAs do not have to have consent to process their data, but instead are exempt under Article 5(3) e-Privacy Directive. However, consent will still be required for the storing or gaining of access to information for any purpose other than executing users’ requests.
According to the guidelines, VVA developers should also not retain users’ data for longer than is necessary for the purposes for which the personal data are processed. Currently many retain it indefinitely until requested to be deleted, which is not in line with the storage limitation principle.
The guidelines also note that VVAs can process the data of multiple users (eg family members), so developers should implement access control mechanisms to ensure confidentiality, integrity and availability. As passwords are not suitable for VVAs, the guidelines set out options such as using biometric identification for processing special categories of data.
Why is this important?
The guidelines are an important, and timely, reminder of the importance of good data protection practice in the development of new technology, like VVAs, which have the power to hoover up vast amounts of data directly from within the home.
Any practical tips?
Clearly the guidelines are a “must read” for those closely involved in any VVA projects. On the practical side, and as recommended by the EDPB, remember also the need to carry out a full Data Protection Impact Assessment at an early stage.