CIPL will submit a response to the EDPB guidelines for virtual voice assistants
On April 23, 2021, the Center for Information Policy Leadership (“CIPL”) in Hunton Andrews Kurth submitted its response to the European Data Protection Board (“EDPB”) consultation on draft guidelines for virtual voice assistants (the “Guidelines”). The guidelines were adopted for public consultation on March 12, 2021.
The EDPB guidelines are intended to help organizations identify the risks associated with virtual language assistants (“VVAs”), implement the appropriate mitigation measures and provide guidelines for the application of the EU General Data Protection Regulation (“GDPR”).
CIPL welcomes the guidelines that come at a time when VVAs are becoming increasingly problematic in our daily lives because of the important benefits they bring to individuals and society.
CIPL believes that some of the guidelines do not align well with current market practices and offers and overlook the privacy controls implemented by some VVA providers. The guidelines should also be more nuanced and adaptable to take into account the differences in the types of VVAs and the rapid pace of technological developments and to avoid becoming quickly out of date. To remedy this, CIPL makes several recommendations, such as:
- Make it clear that a VVA is just a new audio interface that complements other touch-based interfaces.
- Define VVAs as conversation assistance software that has natural language understanding skills and uses artificial intelligence to assist the end user in performing specific tasks.
- Avoid over-simplifying the complexity of VVAs and better take into account the variety of VVAs offerings on the market and in particular VVAs that are not based on the processing of personal data.
- Make it clear that a VVA in and of itself is not an end device and that the e-privacy directive only applies if information is stored on the end device or is accessed.
- Confirm that in the absence of a hierarchy between the various legal bases, the data processing can be based on a relevant legal basis of the GDPR (which cannot be restricted by the ePrivacy Directive).
- Confirm that the GDPR is the relevant legal framework for VVAs – including the GDPR collaboration and consistency mechanism;
- Acknowledge that service improvement based on voice data and commands is a core functionality of VVAs that allows reliance on contractual necessity or legal basis for legitimate interests.
- Confirm that the classification and control of WSR providers should be assessed on a case-by-case basis.
- Adjustment of the transparency and exercise of the rights of data subjects to the details of the VVAs and no obligation to identify persons;
- For the first six months after the final guidance is published, encourage data protection authorities to focus primarily on proactive delivery of guidance to relevant stakeholders and not to take proactive enforcement action in order to ensure a timely implementation.
Download CIPL’s full response to the consultation.