What about voice assistants and privacy? GDPR, personal data, Privacy by Design… These are all terms that have shaken the media landscape since 25 May 2018: the debut of the European Union’s General Data Protection Regulation.
Voice assistants, like other cloud technologies, collect and use user data for different purposes. In doing so, they are directly affected by the new provisions in this area. Ethical issues, fraudulent uses… how can speech recognition be reconciled with the GDPR?
In this article, we will give you the keys to understanding the basics of the GDPR and to choosing the right solutions to preserve your personal information or that of your customers.
The GDPR (General Data Protection Regulation) is the new European framework governing the processing and use of personal data. It replaces the former 1995 charter to provide a legal framework, both for the EU as a whole and for the digital explosion we are experiencing.
As you may already know or have guessed, the main objective of this regulation is to protect personal data. These data take different forms: a name, a picture, an IP address, an email or postal address, a fingerprint, a voice recording, etc. They are particularly sensitive because they can give rise to discrimination or prejudice. In the interest of users, they must be subject to particular treatment, which we will come back to below.
The scope of this protection is not only territorial. On European soil, all companies, regardless of their size, sector or field of activity, are affected by the new regulation. In order to avoid any abuse, companies outside the European Union are also affected by the provisions of the GDPR when they process personal data from the territory.
How to manage voice assistants and privacy? Our advice.
Let’s go back to the main principles of the GDPR that you must systematically pay attention to when you are looking for a solution or a provider.
The explicit consent of the user.
One of the fundamental rules of the GDPR (which was already partially respected by companies before) is the user’s consent to data collection. When there is a form to be completed, a checkbox must be provided to obtain the user’s agreement. In the case of voice assistants, this information can take different forms. It can be a pop-up in an application or a mention in the general conditions of use. The main idea is that the individual using the system should be able to see this statement and confirm or reject it.
The user’s access to their data.
The user must be able, at any time, to access all of their personal information. This data can take different forms. In the voice assistant ecosystem, it generally consists of audio recordings and the results of additional processing that allow characteristics or habits to be deduced. In addition to access, it is stipulated that the user has control over this data, both in limiting its use and in rectifying it.
The right to erasure.
In direct connection with the previous element, the right to erasure is a right specific to each user. It allows you to request the deletion of personal information from the various actors who own or use it. The latter, in order to comply with the GDPR, have 30 days to respond to the user’s request and give effect to that right.
The Privacy by Design principle.
The protection of personal data must be built into technological solutions from the design stage. This is not about connectivity. Although products and services that operate locally (without the use of the Internet) are Private by Design by nature, this does not prevent connected solutions (e.g. in the cloud) from adopting measures to preserve personal information.
The DPO (Data Protection Officer).
Finally, a DPO must be appointed within the organization when it:
- is a public body or public authority carrying out the processing of data.
- carries out basic activities, concerning the data controller or subcontracting, which consist of operations requiring regular and systematic monitoring by virtue of their nature, scope or purpose.
- manipulates sensitive data on a large scale such as health information, biometric data or political and religious opinions.
The DPO’s main missions are to:
- Educate and train collaborators and partners in the GDPR.
- Manage data protection and security processes.
- Cooperate with the supervisory authorities and prove compliance.
- Support user requests.
With these elements in hand, you are able to determine whether a company or department is in compliance with the GDPR. It is essential to make sure of this before making a decision. Compliance is fundamental today, whether you are a company or a user.
Voice assistants are impacted by privacy issues and the GDPR, as are all other technologies that have an impact on the user’s personal data. Some cloud-based systems will suffer from these new guidelines, in line with the obligations they bring.
For example, as mentioned above, the user is entitled to delete their personal information at any time. Bear in mind that current systems, for the most part, are based on machine learning, which involves training the AI with the user’s data. With this resource removed, the system may lack information and therefore potential.
In particular, this pushes companies to rethink the place, or at least the importance, of data in the design of AI and its functionality. On the one hand, the acquisition of information is more regulated and therefore more tedious; on the other hand, users have a significant influence on the use and storage of this information.