In recent years, thanks to the evolution of technology, changes in user habits, and new customer relationship models that are more digital, efficient, and simple, users increasingly use services while on the go, accessing them through apps and web portals and with assistance provided remotely.
In this scenario, processes that involve audio and video recordings to support service activation and management procedures are becoming more widespread.
We all know, then, that the Coronavirus emergency has, in a very short time, forced us to take most all services remotely, out of necessity. Therefore, many services have reorganized and transformed their assets and their customer relationship channels in order to allow for remote digital activation and use.
Business-relevant audio and video recordings
The natural evolution of technology and the digital revolution in user habits, and above all the need to operate from home that has emerged in these long months of the COVID-19 emergency, have meant that more and more services and processes have remote use capabilities. Such services involve activation with an online procedure and the support that uses audio tools through call centers or audio and video recordings through web platforms or apps to interact with the user. In many cases, these audio or audio-visual transactions can acquire legal relevance for business.
For example, telcos and multi-utilities, i.e., companies that deal with the provision of public services such as the management of gas or electricity distribution, integrated water service, the waste cycle, and other environmental services, have long used the technique of recording the audio session and increasingly that of the video session when it interacts with users.
Moreover, for many years it has been possible to issue certificates of one’s qualified electronic signature (in Italy known as the digital signature) and SPID (Sistema pubblico per l’identità digitale) digital identities through the recognition that is performed remotely through an online procedure with webcam (such procedure is required by law for the holder of the signature or SPID identity).
In 2019, the Bank of Italy regulated video identification for remote verification by authorizing new identification and verification methods that do not require the physical presence of the customer. Pursuant to Articles 17-30 of the Anti-Money Laundering Decree, the Bank of Italy issued the Provision of July 30, 2019 by which it defined in Annex 3, “Video identification procedure,” the video identification mode, indicating the necessary verifications for customer identification data acquired in the audio-video session according to an AML risk-level approach.
However, apart from the obligations for verification against anti-money laundering, more and more services and solutions are making it possible to establish remote contractual relationships, and some are using remote identification techniques. Such techniques require users to input personal data, to upload both sides of a valid form of ID, and in some cases to perform a selfID or self video, which is a photo or video of the person holding the document, or a video session, by appointment, in which a representative of the provider validates the identification remotely. Some examples are advanced electronic signature solutions, the procedures for activating a bank account online, or initiating a contract remotely for supplying goods and services.
Audio and video recordings are it documents
Most of the actors involved in processes in which audio and/or video recordings are made are not aware that they are IT documents for all legal purposes and that their management is only correct if the current regulations on the creation, management, and storage of IT documents are complied with.
In this regard, in the European context, Regulation No. 910/2014 on electronic identification and trust services for electronic transactions in the internal market, known by the acronym eIDAS (electronic IDentification Authentication and Signature), defines, in art. 3 paragraph 35, the electronic document as any content stored in electronic form, in particular text or sound, visual, or audiovisual recording. In art. 46, it establishes that an electronic document is not denied legal rights and admissibility as evidence in legal proceedings for the sole reason of its electronic form.
In the Italian legal system, it is the Legislative Decree no. 82 of March 7, 2005 and subsequent amendments, the so-called CAD (Digital Administration Code), which, in accordance with the eIDAS European regulation, regulates the legal and evidentiary value of electronic documents and files, including those signed electronically.
According to art. 1 paragraph 1 letter p) of the CAD, an electronic document is defined as an electronic document that contains the computer representation of acts, facts, or data that are legally relevant.
Moreover, art. 20 paragraph 1-bis of the CAD establishes that the suitability of the electronic document to meet the requirement of written form and its evidentiary value may be assessed in court, in relation to the document’s security, integrity, and whether it may be modified or not.
Finally, art. 43 paragraph 3 of the CAD establishes that IT documents, whose preservation is prescribed by law or regulation, can also be stored in paper form but are permanently preserved in digital form, in compliance with the technical rules of the CAD.
The above should make all operators reflect on the fact that audio and audiovisual recordings, if legally relevant for the business, must be considered as electronic documents and therefore ensure throughout their life cycle a probative consolidation with respect to their security, integrity and ability to be modified, as well as their compliance with the regulatory requirements established by the Guidelines of the Agency for Digital Italy (AgID) referred to in art. 71 of the CAD on technical rules on the formation, management, and storage of computer documents.
The evidentiary consolidation of audio and video recordings
The recent AgID guidelines on the formation, management, and storage of electronic documents, as well as the DPCM of 13 November 2014 are in force until 7 June 2021, the date on which it will be repealed and replaced by the Guidelines. The guidelines provide that an electronic document can be formed or generated also through the mode of storage on computer media in digital format of the information resulting from computer transactions or processes or from the telematic presentation of data through forms or forms made available to the user.
Audio or audiovisual recordings fall within this modality governed by the technical rules, and electronic documents generated in this way are not able to be modified if their digital storage in digital format cannot be altered in its access, management, and preservation.
In the case of electronics documents that consist of audio and video recordings formed according to the aforementioned mode, the technical rules establish that the characteristics of integrity and a document’s ability to not be modified are guaranteed by one or more of the following operations:
- Affixing a qualified electronic signature, digital signature, or qualified electronic seal or advanced electronic signature on the generated audio-video file (computer document)
- Recording the outcome of the operation that created the computer document in system logs, including the application of measures to protect the integrity of databases and the production and preservation of system logs
- Producing a static extraction of the data and its transfer to the preservation system
Therefore, the proper formation and, above all, the digital preservation, according to the regulations in force overtime and for the entire statutory period required for preservation, are fundamental requirements for guaranteeing an evidentiary consolidation based on suitable characteristics that identify that a document is secure, valid, and cannot be modified, which are guaranteed to the audio-video file.
Among the key points to be taken into consideration when a process or a service generates audio and video recordings, we must mention compliance with security measures to ensure that the personal data of users is protected and, in general, compliance with the GDPR European Regulation for the Protection of Personal Data No. 2016/679.
Processing the voice, image, and facial video recording data of an individual, in addition to requiring the initial consent for the processing of biometric data of the same individual, requires the adoption of appropriate security measures, such as, for example, the adoption of secure transmission channels, the application of encryption solutions to make the data contained in the audio-video recordings inaccessible from the moment of acquisition and storage and throughout the entire period of digital storage, and any certification from the provider regarding the security and protection of personal data as user protection according to the principle of accountability.
In addition, the person who intends to use the audio-video recordings in the remote activation and management procedures of their services and processes must also be in compliance with industry regulations or rules regarding distance contracts.
In conclusion, the adoption of audio and/or audiovisual recording tools for the activation and/or management of remote services is already a reality today. However, in the future it will become the standard model, as users now want to use their own devices, such as smartphones, from wherever they are; therefore, users will willingly accept innovative and digital solutions.