11 November 2025

Wake Word, Wake Court 

Legal stumbling blocks for voice-controlled AI multi-agents

What is it about?

Voice-controlled AI systems and multi-agents are not only changing customer service, but increasingly also marketing, recruiting, logistics, coaching and internal process control.
However, anyone using voice and call automation is caught between data protection, telecommunications law, media law, copyright law and AI regulation - both in Europe and in the UAE. Mistakes can be costly: In 2024 alone, the TDRA imposed over 2,000 fines for unauthorized AI calls - with individual fines of up to AED 150,000.

How do multi-agent voicebots work - and what can they already do today?

Modern AI voicebots are much more than intelligent answering machines. They are human interfaces to company systems - from merchandise management and logistics to marketing, HR and compliance. They interact via natural-sounding voices, understand requests based on context and implement them in real time. They use API interfaces to book appointments, place orders or forward information to internal systems.

They can also record, transcribe and analyze conversations - for example to summarize customer meetings, evaluate applicant interviews or optimize sales and coaching processes.

This means that an AI agent can now conduct market research, identify sales potential, develop communication strategies, integrate these into CRM systems - and even call a customer or candidate automatically if required.

This means that voicebots already touch on several areas of law at the same time - and significantly increase the requirements for governance, data protection and supervision.

1. Voice and personal rights - Bruce Willis at the dentist

The voice of a voicebot sounds human because it is trained on real voice profiles.
Legally, it is irrelevant whether the bot sounds like Bruce Willis or "Inge from next door" - the voice is part of the general right of personality (Sections 823, 1004 BGB in conjunction with Art. 2 para. 1, Art. 1 para. 1 GG). It may not be used or imitated without the consent of the person concerned. The voice rights of deceased personalities must be licensed from the heirs.

The unauthorized recording or use of a voice for training purposes violates personal rights, can give rise to copyright claims (§ 22, 23 KunstUrhG) and is regularly also a breach of data protection.

In extreme cases, it may be a criminal offense under Section 201a StGB (violation of the most personal sphere of life through sound recordings) - especially in the case of voice imitations or deepfakes.

2. Conversation analysis and data protection

As soon as a voicebot records or transcribes conversations, several levels of data protection apply:
Voice data contains personal and often biometric information - so Art. 9 GDPR (special categories of personal data) and the principle of data minimization (Art. 5 para. 1 lit. c GDPR) apply.

The following are required:

  • express consent (Art. 6 para. 1 lit. a GDPR),
  • in the case of systematic analysis, a data protection impact assessment (Art. 35 GDPR),
  • and a record of processing activities (Art. 30 GDPR).

Automated applicant assessments or scoring processes may also violate Art. 22 GDPR ("Prohibition of automated individual decision-making").
According to the ECJ ruling SCHUFA (2024), stricter limits apply here: Factually effective preliminary decisions are also deemed to be automated.


A voice application must provide an easily accessible privacy policy - for example on the website or via a QR link in an app.

This must contain, among other things: the controller, purpose, legal basis, storage period, data subject rights and, if applicable, a reference to automated decisions.

3. Data processing and hosting - cloud, location & GDPR transfer rules

The legally compliant handling of voice and metadata is at the heart of every voicebot implementation. As soon as voice recordings or transcripts are processed, it must be clearly defined where the data is stored, who has access to it and on what legal basis it is processed.

The General Data Protection Regulation (GDPR) applies in the EU, in particular Art. 5 (Principles of processing) and Art. 32 ff (Security). Companies must ensure that all voice data is processed within the European Economic Area (EEA) or - in the case of outsourcing - only transferred to recipients who guarantee an adequate level of data protection (Art. 44 et seq. GDPR).

For cloud providers such as AWS, Azure, Google Cloud or Twilio, this means that a data processing agreement (DPA) in accordance with Art. 28 GDPR is required. A Transfer Impact Assessment (TIA), which assesses the law of the recipient country - e.g. the UAE or USA - may be necessary. Standard Contractual Clauses (SCCs) or Binding Corporate Rules (BCRs) may also need to be integrated.

Data transfers to third countries (outside the EEA) are only permitted if they are secured by contract or adequacy decisions. There is currently no EU adequacy decision for the UAE - SCCs or local hosting are therefore required.

4. Media law and transparency obligations

Voicebots that generate or communicate content are also subject to the Interstate Media Treaty (MStV). According to Section 18 MStV, there is an obligation to identify the provider, and according to Section 19 MStV, there is an obligation to make machine communication recognizable.
So if an AI speaks in such a way that it is perceived as a human, it must be disclosed that it is an artificial voice.

In addition, transparency obligations also arise from data protection law (Art. 5, 12-14 and 22 GDPR) and competition law (Section 5a UWG):
Anyone who uses AI systems for communication, analysis or decision-making must inform users clearly and comprehensibly that automated processing is taking place and what consequences this may have.

The forthcoming Art. 52 EU AI Act harmonizes these requirements at European level:
Every person must be able to recognize that they are interacting with an AI - and have the option of rejecting or terminating the interaction. This applies in particular when the AI makes recommendations, analyzes emotions or prepares decisions.

5. Competition law limits - inbound vs. outbound

Advertising calls can be problematic according to § 7 UWG.

Inbound calls (user calls) are permitted if the voicebot identifies itself as an AI at the beginning ("I am an AI assistant of ...") and the user continues the call.
Consent is deemed to have been given implicitly when the call is continued.

Outbound calls (company calls) are only permitted with prior express consent (Section 7 (2) No. 2 UWG).

In the B2B area, the exception of "presumed consent" applies if the call is objectively in the interest of the called party and is relevant to the topic. This consent must be documented. Violations can be punished by the Federal Network Agency with fines of up to €300,000. In principle, voicebots are treated the same as people under competition law.

6. Telecommunications law (TDDDG/TTDSG, TKG)

The TDDDG (successor to the TTDSG) regulates data protection for end devices and communication systems.

  • Section 25 TDDDG - Terminal device access

Any access to the microphone, memory or sensors requires prior, informed consent. This also applies to wake word detection or buffering.
A mere browser or app prompt is not sufficient. Only "absolutely necessary" processes are exempt.

  • Section 3 TDDDG - Telecommunications secrecy

The content and metadata of voice sessions may not be collected, evaluated or passed on to third parties without authorization. In addition to fines, violations can also lead to criminal liability under Section 206 of the German Criminal Code (StGB). Companies must implement technical and organizational measures (TOMs): encryption, access restriction and minimal logging.

Telecommunications Act (TKG)

The TKG only applies if the voicebot mediates communication between people (e.g. call routing or conference services). In this case, it is a number-independent interpersonal communications service (NI-ICS) with additional obligations in accordance with Sections 168 et seq. TKG.

7. Copyright and trade secret protection

AI systems may only be trained on lawfully accessible data (Section 44b UrhG - Text & Data Mining). Rights holders can declare an opt-out. This also applies to the use of internal call recordings.

Voice transcripts often contain confidential information. This is only protected under Section 2 GeschGehG if appropriate security measures are in place - such as NDAs, access restrictions and encryption. Confidentiality agreements should therefore always be in place for AI service providers.

8. The EU AI Act - what will change from 2025

The AI Act (Regulation (EU) 2024/1689) will come into force in stages from 2025 and revolutionize the handling of AI systems in Europe.

Since February 2025, there has been a ban on certain applications (emotion recognition in the workplace, social scoring). In August 2025, further obligations for general-purpose AI were introduced with regard to transparency, training documentation and copyright policy.

From August 2026, stricter requirements for high-risk AI such as registration, risk management or CE marking will be introduced. Full enforcement will then apply from August 2027, i.e. market surveillance and fines of up to €35 million or 7% of turnover.

The implications for voicebots include a ban on emotion recognition or behavioral analysis in HR or work contexts. Applicant scoring and automated selection count as high-risk AI; the "human oversight" obligation applies here in particular.

What is the legal situation in the UAE - new obligations for voice & telemarketing AI

The UAE Personal Data Protection Law (PDPL) (Federal Decree Law 45/2021) is substantiated by Cabinet Resolutions 56 & 57 (2024). The TDRA (Telecommunications and Digital Government Regulatory Authority) monitors the use of AI in customer contact and telemarketing.

With inbound calls, consent is also assumed to be implied by the call. An AI notice "I am an AI ..." is required; a separate license is not necessary.

With outbound calls, on the other hand, there is a prior consent requirement and a "Do Not Call Registry" obligation. As with inbound calls, the AI notice "I am an AI ..." is required, and there must also be an opt-out option at the beginning. Use is limited in time: the window for permitted calls is from 9 am to 6 pm. TDRA approval is required, and fines of up to AED 20 million can be imposed for violations.

What about the technical set-up?

The United Arab Emirates has one of the most restrictive telecommunications regimes in the world. The TDRA is responsible for licensing and monitoring all telecommunications services. Only two official operators, Etisalat and du, have a monopoly on telecom and VoIP services, including SIP trunks, SMS gateways and landline numbers.

A common practice with voicebots and similar systems is, for example, the use of Twilio, SIP trunks or US numbers. Twilio is not licensed or authorized to provide telecommunication services in the UAE.

The same applies to all SIP trunks from abroad (e.g. USA, Germany, UK). Only TDRA-licensed providers may terminate SIP trunks in the local telephone networks. External SIP trunks (e.g. from Asterisk, 3CX, Twilio, Zoom, Vonage, RingCentral, etc.) may not be directly connected to UAE phone numbers or integrated into local voicebots/call centers. Such connections are considered illegal international gateway services. Significant fines of up to AED 500,000 and blocking of the systems are possible.

A local storage obligation also applies with regard to data processing & data residency. According to Cabinet Resolution No. 56/2024 (Implementation of PDPL), telecommunications and communications data (call logs, voice records, metadata) may only be stored in the UAE or recognized free zones (DIFC, ADGM). Transfers abroad are only permitted with the approval of the Data Office or where there is an "adequate protection level".

In principle, permissible storage locations are UAE Mainland (Etisalat, du) or certain free zones with so-called data sovereignty such as Dubai International Financial Center (DIFC) or Abu Dhabi Global Market (ADGM). Both zones have their own data protection laws (based on GDPR) and are considered a "safe haven" within the UAE.

Violations can result in fines of up to AED 20 million and personal liability of the management.

What needs to be done? - Recommendations for action

Companies should take action now and:

  • Design consent flows in compliance with GDPR & PDPL
  • Implement AI disclosure & human fallback
  • Integrate DNCR and license checks
  • Check VoIP compliance (Twilio/Vonage)
  • Clearly define data location (EU/UAE)
  • Create audit trails & incident playbooks
  • Conclude company agreements for internal use
  • Implement AI Act roadmap (documentation, copyright, risk management)
  • Introduce AI register & impact assessment
  • Establish employee training & governance for AI compliance

In conclusion

Multi-channel voicebots will revolutionize corporate communication in the coming years - but will also make it more legally challenging. Those who implement transparency, documentation and human supervision today will create trust and legal certainty at the same time.


The future belongs to those who think technology and law together.

Talk to us.

Dr. Julian Oberndörfer
Lawyer
created with AI
