Virtual voice assistants (VVAs) are interactive software-based services that are increasingly used to access and control digital 'smart' devices and online services, particularly in people's homes and vehicles, but also at work. The major tech companies offer them, every smartphone has a VVA 'living' inside, as do some screenless 'smart speakers'. But VVAs may also be offered independently of the device manufacturer, e.g. by the owners of related databases, apps or other services. Indeed, a chain of firms can be involved in ensuring that a VVA executes your requests, 'learns' how you want to use it, identifies you and profiles you for personalized content or advertising. All this means one or more firms processing a vast amount of data relating to you - and any other users - in different ways, sometimes on their own account and sometimes for other firms you are dealing with. VVAs therefore create significant compliance challenges under the General Data Protection Regulation and the e-Privacy Directive (as VVA-enabled devices are considered 'terminal equipment'). The European Data Protection Board recently issued guidelines to explain how the authorities believe those challenges should be addressed.  The guidelines are open for consultation until 23 April, but already provide a useful insight into the workings of VVAs for consumers and businesses who use them. I've summarised the main aspects below. Please get in touch if you have further queries.

Key guidelines

It is likely that VVAs would trigger the need for Data Protection Impact Assessment (DPIAs) under GDPR, basically showing how the privacy risks have been considered and addressed in the design and implentation of the VVA.

Where VVAs operate through screenless devices, the authorities recommend 'voice-based interfaces' to provide mandatory information, obtain consent, and enable users to easily exercise their rights as data subjects, with the right to receive confirmations in writing via email and so on.

The VVA should be treated as a distinct service in itself, rather than bundled with other services that have different privacy implications. Otherwise, it would be impracticable for you to give your fully informed consent to its use.

Multiple users create challenges for consent (particularly with minors and those with disabilities), configuration, accidential processing, confidentiality, integrity and availability. Ironically, spoken passwords may not be appropriate in a multi-user environment, requiring biometric solutions. These challenges will likely need to be addressed through explanation to customers prior to purchase of the VVA-enabled device/app, as well as during set-up.

Where multiple firms are involved in the VVA, it should be made clear to users who is doing which type of processing and in what capacity (either as controller or processor), as well as the purpose and legal basis for processing.

No consent is required under the e-Privacy Directive for processing of personal data that is strictly necessary to provide a service specifically requested by the user, but would be necessary for storing or accessing that information for any other purpose.

Voice data itself is biometric data, so in addition to the general requirements for processing (Article 6 of GDPR) the requirements relating to the processing of special categories of personal data apply (Article 9).

VVAs should store personal data for no longer than is necessary for the processing purpose.

Filtering may help avoid accidentally collecting other data, but any personal data that is accidentally collected must be deleted.

Users should be made aware of the current state of a VVA as this affects the compliance requirements relating to that state, including the permitted recipient of data as well as the purposes and legal basis of processing.

It may be necessary to have different registered users for different features.

Conclusion

Quite apart from helping the providers of VVAs to meet their compliance challenges, these guidelines provide useful insight into the workings of VVAs for consumers and businesses alike.

Please get in touch if you have further queries.