On April 23, 2021, the Centre for Information Policy Leadership (“CIPL”) at Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines on virtual voice assistants (the “Guidelines”). The Guidelines were adopted on March 12, 2021 for public consultation.
The EDPB’s Guidelines are intended to help organizations identify the risks associated with virtual voice assistants (“VVAs”), implement the relevant mitigation measures and provide guidance regarding the application of the EU General Data Protection Regulation (“GDPR”).
CIPL welcomes the Guidelines, which come at a time when VVAs have become increasingly common in our daily lives due to the important benefits they bring to individuals and society―from providing convenience in daily life interactions and communications to assisting people for whom the use of traditional interfaces is problematic.
CIPL believes some of the Guidelines are not well aligned with current market practices and offerings and overlook the privacy-by-design controls implemented by some VVA providers. The Guidelines also should be more nuanced and adaptable to account for the differences in types of VVAs and rapid technological developments to avoid becoming quickly outdated. To address this, CIPL makes several recommendations, such as:
- Clarify that a VVA is only a new audio interface complementing other touch-based interfaces;
- Define VVAs as conversational assistance software that has natural language understanding capabilities and uses artificial intelligence to help the end-user perform certain tasks;
- Avoid over-simplification of the complexity of VVAs and better account for the variety of VVA offerings on the market and, in particular, VVAs that do not rely on the processing of personal data;
- Clarify that a VVA is not in and of itself a terminal equipment, and that the e-Privacy Directive only applies where information is stored or accessed on the terminal equipment;
- Confirm that, absent a hierarchy between the different legal bases, data processing can be based on any relevant legal basis of the GDPR (which cannot be restricted by the e-Privacy Directive);
- Confirm that the GDPR is the relevant legal framework for VVAs―including the GDPR cooperation and consistency mechanism;
- Confirm that service improvement based on voice data and commands is a core functionality of VVAs enabling reliance on the contractual necessity or legitimate interest legal bases;
- Confirm that VVA provider classification and controllership should be assessed on a case-by-case basis;
- Adapt transparency and the exercise of data subject rights to the particulars of VVAs, and do not impose an obligation to identify individuals;
- Recommend that data protection authorities focus primarily on proactive communication of the Guidelines to relevant stakeholders in the first six months after the publication of the final Guidelines, and refrain from proactive enforcement actions in order to provide for a reasonable time for implementation.