The European Data Protection Board (‘EDPB’) launched, on 12 March 2021, a public consultation on its Guidelines 02/2021 on Virtual Voice Assistants. In particular, the draft guidelines note that virtual voice assistants understand voice commands and execute them or mediates with other IT systems, as well as they have access to a considerable amount of personal data which raises questions around their compliance with the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’) and the Directive on Privacy and Electronic Communications (2002/58/EC) (as amended) (‘the ePrivacy Directive’). More specifically, the draft guidelines highlight that voice data is biometric data and outline requirements on, among others, transparency, purpose limitation, processing of children’s data, data retention, accountability, and the exercise of data subject rights. With regards to retention, the EDPB recommended that before anonymisation, providers, and developers of virtual voice assistants should check the anonymisation process renders the voice unidentifiable as well as that any recordings taken by mistake should be deleted.
Comments can be submitted by 23 April 2021 through here.