Voiceprinting is becoming a widespread identification and authentication tool for banks and even public authorities. Voiceprinting privacy concerns and GDPR compliance need to be discussed too.
As technology advances and the world shifts more and more towards electronic and online platforms, new means of digitally identifying individuals are constantly being introduced.
One such digital identification tool which has been experiencing a surge of use over the last three to five years is voiceprinting—technology which authenticates individuals with voice alone.
In fact across the globe, several organizations including banks, credit unions and government agencies are already making use of this technology.
In 2016, for instance, Citi was reported to have launched a project to automatically verify a customer’s identity by voice within the first few seconds of the conversation. Citi’s adoption of voice printing was presented as a means of reducing time to service by eliminating the manual authentication process—potentially cutting a typical call center call by a minute or more.
Yet while voiceprint technology is being lauded as a security game-changer and a customer-service home run there are undoubtedly privacy and data protection concerns.
Just four months ago the Information Commissioner’s Office (ICO) issued a final enforcement notice to HM Revenue & Customs (HMRC) to delete millions of unlawful voiceprints after an investigation revealed that the UK tax office had collected biometric data without giving customers sufficient information about how their biometric data would be processed and had also failed to give customers the chance to give or withhold consent. The May 2019 final enforcement notice gave HRMC 28 days to complete the deletion of all biometric data held under the Voice ID system for which it does not have explicit consent.
“Since a voiceprint is regularly used to re-identify a person, it needs to be processed based on a lawful processing basis, just like any other personal data. This basis may be the individual’s consent or legitimate interest, subject to legitimate interest assessment in line with GDPR,” comments Dr Bostjan Makarovic, Aphaia managing partner.