Data protection issues – technology and procurement @ Morgan Lewis

In Part 1 of our series on Text-to-Speech AI (TTS) models, we highlighted issues that should be considered from an intellectual property perspective. In this Part 2, we provide a comprehensive overview of privacy concerns to consider. Given the specific nature of the product source –Voice as a core element of input and output data for TTS models – it is important to consider data protection requirements, especially in a time of increased attention to the right to privacy.

Voice as personal data

Many regulators around the world have adopted a broad definition of personal data similar to that provided for in Article 4(1) of the EU General Data Protection Regulation (GDPR):

(A)ll information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social Identity of that natural person.

Following the GDPR approach, many legal systems classify a person’s voice as personal data. Unlike classic data protection scenarios where two or more identifiers (e.g. a name and an address) are required to classify information as personal data, a person’s voice alone is recognized as personal data. This is especially true if the voice belongs to a famous person or celebrity, as such a voice is distinctive due to the person’s reputation and fame.

Recognising a voice as personal data imposes certain requirements on the way in which voice data may be collected, the purposes for which it may be processed, the duration of its storage and the way in which it may be processed and shared with third parties.

It can be argued that the synthetic voice itself, to the extent that it fully reproduces the performer’s original voice and potentially allows identification (particularly where the performer’s speech patterns and other characteristics are generally known), is likely to fall within the definition of personal data.

Voice as biometric data

In addition, since the voice is associated with physical and physiological characteristics of individuals and can be used to uniquely identify individuals, it could be classified as biometric personal data. This is the case, for example, under the GDPR. Likewise, the California Consumer Privacy Act (Cal. Civ. Code 1798.140(c)) explicitly classifies voice recordings as biometric information:

Biometric information includesbut not limited to, images of the iris, retina, fingerprint, face, hand, palm, vein patterns and Voice recordings from which an identification template such as a facial print, a minutiae template or a voice print can be extracted, and keystroke patterns or rhythms, gait patterns or rhythms, and sleep, health or exercise data that contain identifying information.

When a voice is considered biometric data in a relevant jurisdiction, it often brings with it additional obligations and restrictions that need to be carefully addressed in agreements related to licensing voice datasets for training purposes, engaging artists, or outsourcing the TTS models.

In conclusion, TTS models rely heavily on speech data and it is therefore essential to navigate the complex data protection regulations. Recognising speech as personal and potentially biometric data requires strict compliance with legal requirements regarding data collection, storage, processing and transmission.