Securing privacy compliance for Virtual Voice Assistants

Virtual Voice Assistants (“VVA”) continue to grow in popularity as the precision of the technology improves. The European Data Protection Board (“EDPB”) recently adopted new guidelines addressing how data controllers and data processors shall manage personal data to ensure that their VVAs are compliant with the European General Data Protection Regulation (“GDPR”).[1][1] EDPB Guidelines 02/2021 on Virtual Voice Assistants, adopted 7 July 2021.
The article was written on November 15, 2021

VVAs offer speech-based interactions and serve as an interface between users and their devices, e.g. smartphones. Although the use and purposes of VVAs stretch over many different areas and industries, the most commonly known example is presumably the smartphone integrated VVAs that help users to set timers, book appointments, or check the weather forecast. It is primarily for these purposes, simplifying everyday tasks, that the technology has proven to be very popular. VVAs have also shown their capacity within more complex settings, for example, health centres have started using VVA-based call bots that enable prediagnosis and self-assessments over the phone. Another example demonstrating the potential of VVAs is within the field of manufacturing where it may be difficult to manage manufacturing tools and written commands simultaneously.

A data controller must carefully consider for what purposes the voice data will be processed and upon what legal basis the processing activities are performed. The primary purpose of processing voice data within the application of a VVA is to execute the voice request of a user. Moreover, EDPB identifies three other purposes that are relevant for providers and designers of VVA applications: 1) improving the capacity by training VVA models with machine learning techniques, 2) biometric identification, and 3) user profiling for personalized content or advertising.

There is also a risk that VVA applications collect personal data from background interactions or sources that are not intended for the stated purpose. The data controller is obliged to make sure that there is a valid legal basis for each purpose of processing such data which might have been accidentally collected, and consequently delete unnecessary collections. Data minimization by deleting background noise, interactions or sources is therefore a key technical requirement for lawful VVAs.

EDPB highlights several privacy challenges that stakeholders must take into consideration whilst designing VVAs. The core functionalities of VVAs rely heavily on the processing of, not only personal data, but also sensitive personal data. Information processed by VVAs may contain sensitive personal data, for example in the event users share information about their medical condition to the VVA. There can also be sensitive meta-information processed, for example, the use of voice data for user identification implies the processing of biometric data which thus, requires a higher level of protection and extra attention when it comes to ensuring legal basis and lawful processing according to Articles 6 and 9 of the GDPR.

Data controllers must also ensure an appropriate level of security for the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures according to Article 5 of the GDPR. VVAs are sometimes designed to be bundled with other services, such as communication or entertainment services. This practice lays the ground for complex processing chains involving multiple stakeholders and purposes of the processing of personal data, which requires the data controller and processor to continuously ensure a high standard of technical and organisational measures safeguarding the processing activities according to Articles 24 and 32 of the GDPR.

The Swedish Authority for Privacy Protection (“IMY”) recently confirmed the importance of ensuring appropriate security measures in complex processing chains of personal data. The decisions (for several stakeholders involved) concerned the investigation of an incident where recorded phone calls (for the avoidance of doubt, not VVAs) to a medical consultation service in Sweden were publicly accessible on an unprotected server on the internet.[1] As the recorded phone calls concerned physical persons mainly calling for the purpose of medical consultation, the recorded phone calls also contained sensitive personal data about health, requiring a high level of security. Although some of the decisions have been appealed, IMY importantly highlights the importance of ensuring appropriate technical and organisational measures throughout the complex processing chains, i.e. not only for the data controller, but also for the processors, to ensure an adequate level of security to protect the voice recordings and personal data therein.

If your company is involved in the field of VVAs and you wish to have your service, application or business idea evaluated, Setterwalls can give you constructive legal advice on how to best leverage your technology while ensuring privacy compliance.

[1] EDPB Guidelines 02/2021 on Virtual Voice Assistants, adopted 7 July 2021.

[2] See all decisions issued by IMY for the 1177-incident here: https://www.imy.se/tillsyner/voice-integrate-nordic-ab/, https://www.imy.se/tillsyner/medhelp-ab/, https://www.imy.se/tillsyner/regionstyrelsen-region-sormland/, https://www.imy.se/tillsyner/regionstyrelsen-region-varmland/, https://www.imy.se/tillsyner/halso–och-sjukvardsnamnden-region-stockholm/.