Guidelines 02/2021 on Virtual Voice Assistant

The need to adopt an harmonized European framework on Virtual Voice Assistant (hereinafter also referred to as “VAAs”) comes from their role which grants them to be integrated in smartphones, connected vehicles, smart speakers and smart TVs and, consequently, have access to information and personal data including all users’ commands (e.g. browsing or search history) and answers (e.g. appointments in the agenda).

More specifically, a VVA is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in the recent years, even standalone devices like smart speakers. There are currently more than 3 billion smartphones and all of them have integrated VVAs, most of them switched on by default. Some of the most widespread operating systems in personal computers and laptops also integrate VVAs.

VVAs act as interface between users and their computing devices and online services such as search engines or online shops. Therefore, to run properly, a VVA needs a terminal device provided with microphones and speakers. The device stores voice and other data that VVAs transfer to remote servers.

For these reasons, data controllers providing VVA services and their processors have to grant the compliance with the European Regulation no. 2016/679 (hereinafter also referred to as “GDPR”) and Directive 2002/58/EC (hereinafter also referred to as “e-Privacy Directive”).

The main beneficiaries of the voice interface could be people with disabilities or other vulnerability data subjects (as well as children) for whom the use of traditional interfaces could be problematic. Virtual voice assistance can provide easier access to information and computer resources and thus promote inclusive logics as the use of the voice makes it possible to overcome the difficulties associated with the written word, which can be found among certain classes of users.

With particular reference to children, they can also interact with the VVAs or can create their own profiles connected to the ones of the adults. Some VVAs are embedded in devices which are specifically aimed at children. When the legal basis for the processing is the performance of a contract, the conditions for processing children data will depend on national contract laws; otherwise, when the processing is legitimate under consent, according to Article 8(1) GDPR, children’ consent is only valid “where the child is at least 16 years old”. Therefore, where the child is below the age of 16 years, such processing should be lawful only if and to the extent that consent is given or authorized by the holder of parental responsibility over the child (e.g.  parents or guardians). Data controllers should invest in developing means for parents or guardians to control children use of VVAs.

Similarly, VVAs are also widespread in the health industry. For instance, during the Covid-19 pandemic, various callbots were deployed to offer a pre-diagnosis to calling users. In the long term some experts anticipate that the entire patient care process could be impacted by human/assistant interactions: not only for well- being and prevention, but also for treatment and support.

Therefore, these guidelines define some of the most relevant compliance challenges and provide recommendations to relevant stakeholders on how to address them. Firstly, Guidelines recommend the respect of general principles relating to the processing of personal data, with particular reference to special categories (e.g. in the health industry) as well as: lawfulness, fairness and transparency of the processing, purposes limitation, data minimization and storage limitation.

The main purposes for which VVAs process personal data are the following: executing requests, improving the VVA machine learning model, biometric identification and profiling for targeting content or advertising. Regarding the purposes there are further aspects that VVAs have to respect: information about the processing of personal data, specific storage period for each processing of personal data, the identification of the legal basis for each specific processing of personal data, as well as the implementation of appropriate technical and organisational measures to ensure a level of security appropriate to the risk.

More specifically, if voice messages are to be used to inform users according to Article 13 GDPR, data controllers should publish such messages on their website so they are accessible to all the parties involved.

Regarding the retention period, it depends on the specific purpose of processing. Generally, after a query has been answered or a command executed, the personal data should be deleted unless the VVA designer or developer has a valid legal basis to retain longer these data. Before considering anonymization as means for fulfilling the data storage limitation principle, VVA providers and developers should check the anonymization process renders the voice unidentifiable. When during the review process the VVA provider or developer detects a recording originated on a mistaken activation, the recording and all the associated data should be immediately deleted.

Any VVA service requiring confidentiality will involve some access control mechanism and user authentication which can rely on one or more of the following factors: something you know (such as a password), something you have (such as a smart card) or something you are (such as a voice fingerprint). Some VVAs offer an optional basic access control in the form of PIN number with no real user authentication. Some other VVAs have the option to use voice fingerprint recognition as identification mechanism. In fact, Without an identification or authentication mechanism, anyone could access other users’ data and modify or erase them at will. Additionally, VVAs, like any other software, are subject to software vulnerabilities.

Many comments from the main stakeholders are expected on these Guidelines. It represents a revolution in the health or banking industry, as well as with reference to children and their experiences on Internet and App online. It regulates for the first time the processing of personal data (e.g. IoT) conducted by VAAs and all the linked industries and stakeholders.