In the fast-paced world of technology, advancements in artificial intelligence (AI) have transformed the way we interact with machines and data, specifically for the use case of whistleblowing software. Among these advancements, two prominent technologies have gained significant attention: AI-based voice recognition and speech-to-text powered by models like ChatGPT. While both technologies have the potential to revolutionize various industries, they raise important questions about data privacy and compliance with regulations such as the General Data Protection Regulation (GDPR).
In this article, we will explore the key differences between AI-based voice recognition and speech-to-text, and whether it is necessary for a company to seek approval from the local data protection authority under GDPR when utilizing these technologies to process sensitive biometric or similar data.
AI-based voice recognition technology utilizes machine learning algorithms to understand and interpret human speech. It allows devices, applications, and systems to recognize and respond to spoken commands or queries. This technology can be found in virtual assistants like Siri, Google Assistant, and Alexa, as well as in various customer service applications.
Speech-to-text technology, powered by models like ChatGPT, is designed to convert spoken language into written text. It can transcribe audio recordings, voicemails, or any spoken content into text form, making it easily searchable and accessible. This technology has applications in transcription services, accessibility tools, and data analysis.
Purpose: AI-based voice recognition is primarily focused on understanding and responding to voice commands, while speech-to-text aims to convert spoken language into text for various purposes, including documentation, analysis, and accessibility.
Use Cases: Voice recognition is commonly used in voice assistants and smart devices, while speech-to-text technology finds applications in transcription services, customer service call centers, and content indexing.
Data Processing: Voice recognition systems often process voice data without the need to retain the actual voice recordings. In contrast, speech-to-text systems store and process the transcribed text, which may contain sensitive information.
Biometric Data: AI-based voice recognition may involve the collection and processing of biometric data, such as voiceprints, for user identification. Speech-to-text, on the other hand, typically deals with textual data and does not store biometric information.
Now, let’s address the crucial question of GDPR compliance when dealing with these technologies, especially in cases where sensitive biometric data is processed.
Under GDPR, biometric data is considered a special category of personal data, and its processing is subject to strict rules. Article 9 of GDPR prohibits the processing of biometric data for the purpose of uniquely identifying an individual unless certain conditions are met, including obtaining explicit consent from the data subject or processing being necessary for specific legal reasons.
The need for approval from local data protection authorities largely depends on how these technologies are used and whether they involve the processing of sensitive biometric data.
AI-Based Voice Recognition: Companies using AI-based voice recognition for general voice commands or interactions may not require specific approval if they comply with GDPR’s general principles, including obtaining informed consent and ensuring data security.
Speech-to-Text: When utilizing speech-to-text technology, it is important to consider whether the transcribed text contains sensitive biometric data, such as voiceprints. If the text is anonymized, and the biometric aspect is not retained, explicit approval may not be necessary. However, if sensitive biometric data is stored, explicit consent and approval from the local data protection authority may be required.
It’s crucial for organizations to conduct a thorough Data Protection Impact Assessment (DPIA) to evaluate the risks associated with the processing of biometric data and to determine whether approval is needed from the local data protection authority. DPIAs help identify and mitigate risks, ensuring compliance with GDPR.
Whistleblowing is an essential mechanism for uncovering and addressing misconduct within organizations, promoting transparency, and safeguarding the interests of employees and the public. To enhance the effectiveness of whistleblowing software procedures, some companies are incorporating speech-to-text technology, like ChatGPT, into their reporting mechanisms. This innovative approach can improve the accuracy and security of whistleblowing software processes while maintaining compliance with data protection regulations.
Here’s how the implementation of a speech-to-text module for whistleblowing software can benefit organizations:
Traditional whistleblowing mechanisms often involve written reports, which may reveal the identity of the whistleblower through handwriting analysis or typing patterns. By using speech-to-text technology, whistleblowers can record their concerns anonymously through spoken words, reducing the risk of identification.
Voice recordings can capture nuances and emotions that written text may not convey effectively. When whistleblowers can speak freely, they might provide more comprehensive and accurate information about the misconduct they’ve witnessed.
Speaking is often more natural and faster than typing, making it easier for whistleblowers to submit their reports. This can encourage more employees to come forward with their concerns.
Speech-to-text technology can make whistleblowing software accessible to individuals with disabilities who may face challenges with traditional written reporting methods.
Implementing robust encryption and security measures when using speech-to-text technology ensures that the recorded voice data is protected, reducing the risk of data breaches.
Since the voice files are anonymised with a voice distortion and are not used to identify the person giving the clue, the file itself cannot be classified as biometric (see EBF Paper). In addition, the audio files must be deleted within a certain time. Therefore, in our opinion, the consent of the data protection authority is not required. The consent of an anonymous user is obtained by briefly explaining what happens to the voice recording and how the file is anonymised and stored. As soon as the user clicks on “Continue”, he or she agrees to the processing. Furthermore, the detailed privacy policy is available to the user at any time.
Book a demo today and learn how DISS-CO is using AI to enhance the whistleblowing software.
DISS-CO® is an innovative legal tech company with a strong focus on eGRC and RegTech. Built by investigators experienced in detecting fraud and other violations in various sectors.
