Guidelines 02/2021 on Virtual Voice Assistants are in public consultation. The requirements concern everyone who works online, not just VVAs or smart speakers. It is an unmissable opportunity to check how the GDPR is applied within our own activities. The live session is this week; follow the programme of live sessions on Civile.it, currently being published.
They are in public consultation, and there is truly a great deal that could be said.
There is certainly not time to say everything, but not to say little either.
We will discuss them this week in the Civile.it live sessions; the programme is being published on the site.
EXECUTIVE SUMMARY
A virtual voice assistant (VVA) is a service that understands voice commands and executes them or mediates with other IT systems if needed. VVAs are currently available on most smartphones and tablets, traditional computers, and, in recent years, even standalone devices like smart speakers. VVAs act as an interface between users and their computing devices and online services such as search engines or online shops. Due to their role, VVAs have access to a huge amount of personal data including all users’ commands (e.g. browsing or search history) and answers (e.g. appointments in the agenda).
The vast majority of VVA services have been designed by few VVA designers. However, VVAs can work jointly with applications programmed by third parties (VVA application developers) to provide more sophisticated commands. To run properly, a VVA needs a terminal device provided with microphones and speakers. The device stores voice and other data that current VVAs transfer to remote VVA servers. Data controllers providing VVA services and their processors have therefore to consider both the GDPR and the e-Privacy Directive.
These guidelines identify some of the most relevant compliance challenges and provide recommendations to relevant stakeholders on how to address them. Data controllers providing VVA services through screenless terminal devices must still inform users according to the GDPR when setting up the VVA or installing, or using a VVA app for the first time.
Consequently, we recommend to VVA providers/designers and developers to develop voice-based interfaces to facilitate the mandatory information. Currently, all VVAs require at least one user to register in the service. Following the obligation of data protection by design and by default, VVA providers/designers and developers should consider the necessity of having a registered user for each of their functionalities. The user account employed by many VVA designers bundles the VVA service with other services such as email or video streaming. The EDPB considers that data controllers should refrain from such practices as they involve the use of lengthy and complex privacy policies that would not comply with the GDPR’s transparency principle.
The guidelines consider four of the most common purposes for which VVAs process personal data: executing requests, improving the VVA machine learning model, biometric identification and profiling for personalized content or advertising. Insofar the VVA data is processed in order to execute the user’s requests, i.e. as strictly necessary in order to provide a service requested by the user, data controllers are exempted from the requirement of prior consent under Article 5(3) e-Privacy Directive. Conversely, such consent as required by Article 5(3) e-Privacy Directive would be necessary for the storing or gaining of access to information for any purpose other than executing users’ requests. Some VVA services retain personal data until their users require their deletion. This is not in line with the storage limitation principle. VVAs should store data for no longer than is necessary for the purposes for which the personal data are processed. If a data controller becomes aware (e.g. due to quality review processes) of the accidental collection of personal data, they should verify that there is a valid legal basis for each purpose of processing of such data.
Otherwise, the accidentally collected data should be deleted. VVAs may process data of multiple data subjects. VVA providers/designers should therefore implement access control mechanisms to ensure personal data confidentiality, integrity and availability. However, some traditional access control mechanisms such as passwords are not fit for the VVA context since they would have to be spoken aloud.
The guidelines provide some considerations in this regard, including a section specific to the processing of special categories of data for biometric identification. VVA providers/designers should consider that when collecting a user’s voice, the recording might contain other individuals’ voices or data such as background noise that is not necessary for the service.
VVA designers should therefore consider technologies filtering the unnecessary data and ensuring that only the user’s voice is recorded. When evaluating the need for a Data Protection Impact Assessment (DPIA), the EDPB considers that it is very likely that VVA services fall into the categories and conditions identified as requiring a DPIA.
Data controllers providing VVA services should ensure users can exercise their data subject rights using easy-to-follow voice commands. VVA providers/designers, as well as app developers, should at the end of the process inform users that their rights have been duly factored, by voice or by providing a written notification to the user’s mobile, account or any other means chosen by the user.
Adopted - version for public consultation
Table of contents
EXECUTIVE SUMMARY
1 GENERAL
2 TECHNOLOGY BACKGROUND
2.1 Basic characteristics of Virtual Voice Assistants
2.2 Actors in the VVA ecosystem
2.3 Step-by-step description
2.4 Wake-up expressions
2.5 Voice snippets and machine learning
3 ELEMENTS OF DATA PROTECTION
3.1 Legal framework
3.2 Identification of data processing and stakeholders
3.2.1 Processing of personal data
3.2.2 Processing by data controllers and processors
3.3 Transparency
3.4 Purpose limitation and legal basis
3.4.1 Execute users’ requests
3.4.2 Improve the VVA by training the ML systems and manually reviewing of the voice and transcripts
3.4.3 User identification (using voice data)
3.4.4 User profiling for personalized content or advertising
3.5 Processing of children’s data
3.6 Data retention
3.7 Security
3.8 Processing of special categories of data
3.8.1 General considerations when processing special categories of data
3.8.2 Specific considerations when processing biometric data
3.9 Data minimization
3.10 Accountability
3.11 Data protection by design and by default
4 Mechanisms to exercise Data Subject Rights
4.1 Right to access
4.2 Right to rectification
4.3 Right to erasure
4.4 Right to data portability
5 Annex: Automatic Speech Recognition, Speech Synthesis and Natural Language Processing
5.1 Automatic Speech Recognition (ASR)
5.2 Natural Language Processing (NLP)
5.3 Speech Synthesis