Voiceprinting Privacy

Voiceprinting Privacy

Voiceprinting is becoming a widespread identification and authentication tool for banks and even public authorities. Voiceprinting privacy concerns and GDPR compliance need to be discussed too.

As technology advances and the world shifts more and more towards electronic and online platforms, new means of digitally identifying individuals are constantly being introduced.

One such digital identification tool which has been experiencing a surge of use over the last three to five years is voiceprintingtechnology which authenticates individuals with voice alone.

In fact across the globe, several organizations including banks, credit unions and government agencies are already making use of this technology.

In 2016, for instance, Citi was reported to have launched a project to automatically verify a customers identity by voice within the first few seconds of the conversation. Citis adoption of voice printing was presented as a means of reducing time to service by eliminating the manual authentication processpotentially cutting a typical call center call by a minute or more.

Yet while voiceprint technology is being lauded as a security game-changer and a customer-service home run there are undoubtedly privacy and data protection concerns.

Just four months ago the Information Commissioners Office (ICO) issued a final enforcement notice to HM Revenue & Customs (HMRC) to delete millions of unlawful voiceprints after an investigation revealed that the UK tax office had collected biometric data without giving customers sufficient information about how their biometric data would be processed and had also failed to give customers the chance to give or withhold consent. The May 2019 final enforcement notice gave HRMC 28 days to complete the deletion of all biometric data held under the Voice ID system for which it does not have explicit consent.

“Since a voiceprint is regularly used to re-identify a person, it needs to be processed based on a lawful processing basis, just like any other personal data. This basis may be the individual’s consent or legitimate interest, subject to legitimate interest assessment in line with GDPR,” comments Dr Bostjan Makarovic, Aphaia managing partner.


Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.

GDPR Challenges For Artificial Intelligence

Data protection in algorithms

Technological development is enabling the automation of all processes, as Henry Ford did in 1914; The difference is that now instead of cars we have decisions about privacy. Since GDPR came into force on 25th May 2018, lots of questions have arisen regarding how the Regulation may block any data-based project.

In this article, we aim to clarify some of the main GDPR concepts that may apply to the processing of large amounts of data and algorithm decision-making. It has been inspired by the report the Norwegian Data Protection Authority -Datatilsynet- published in January this year: “Artificial Intelligence and Privacy”.

Artificial intelligence and the elements it comprises like algorithms and machine/deep learning are affected by GDPR for three main reasons: the huge volume of data involved, the need of a training dataset and the feature of automated decision-making without human intervention. These three ideas reflect four GDPR principles: fairness of processing, purpose limitation, data minimisation, and transparency. We are briefly explaining all of them in the following paragraphs – the first paragraph of each concept contains the issue and the second one describes how to address it according to GDPR.

One should  take into account that without a lawful basis for automated decision making (contract/consent), such processing cannot take place.

Fairness processing: A discriminatory result after automated data processing can derive from both the way the training data has been classified (supervised learning) and the characteristics of the set of Data itself (unsupervised learning). For the first case, the algorithm will produce a result that corresponds with the labels used in training, so if the training was biased, so will do the output. In the second scenario, where the training data set comprises two categories of data with different weights and the algorithm is risk-averse, the algorithm will tend to favour the group with a higher weight.

GDPR compliance at this point would require implementing regular tests in order to control the distortion of the dataset and reduce to the maximum the risk of error.

Purpose limitation: In cases where previously-retrieved personal data is to be re-used, the controller must consider whether the new purpose is compatible with the original one. If this is not the case, a new consent is required or the basis for processing must be changed. This principle applies either to the re-use of data internally and the selling of data to other companies. The only exceptions to the principle relate to scientific or historical research, or for statistical or archival purposes directly for the public interest. GDPR states that scientific research should be interpreted broadly and include technological development and demonstration, basic research, as well as applied and privately financed research. These elements would indicate that – in some cases – the development of artificial intelligence may be considered to constitute scientific research. However, when a model develops on a continuous basis, it is difficult to differentiate between development and use, and hence where research stops and usage begins. Accordingly, it is therefore difficult to reach a conclusion regarding the extent to which the development and use of these models constitute scientific research or not.

Using personal data with the aim of training algorithms should be done with a data set originally collected for such purpose, either with the consent of the parties concerned or, to anonymisation.

Data minimisation: The need to collect and maintain only the data that are strictly necessary and without duplication requires a pre-planning and detailed study before the development of the algorithm, in such a way that its purpose and usefulness are well explained and defined.

This may be achieved by making it difficult to identify the individuals by the basic data contained. The degree of identification is restricted by both the amount and the nature of the information used, as some details reveal more about a person than others. While the deletion of information is not feasible in this type of application due to the continuous learning, the default privacy and by design must govern any process of machine learning, so that it applies encryption or use of anonymized data whenever possible. The use of pseudonymisation or encryption techniques protect the data subject’s identity and help limit the extent of intervention.

Transparency, information and right to explanation: Every data processing should be subject to the previous provision of information to the data subjects, in addition to a number of additional guarantees for automated decision-making and profiling, such as the right to obtain human intervention on the part of the person responsible, to express his point of view, to challenge the decision and to receive an explanation of the decision taken after the evaluation.

GDPR does not specify whether the explanation is to refer to the general logic on which the algorithm is constructed or the specific logical path that has been followed to reach a specific decision, but the accountability principle requires the subject should be given a satisfactory explanation, which may include a list of data variables, the ETL (extract, transform and load) process or the model features.

A data protection impact assessment carried by the DPO is required before any processing involving algorithms, artificial intelligence or profiling in order to evaluate and address the risk to the rights and freedoms of data subjects.


Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessment, and Data Protection Officer outsourcing.

GDPR and social media

GDPR and social media : EU Court on fan pages on Facebook

Earlier this month the ECJ published a preliminary ruling finding the fan page admin jointly responsible with Facebook for the personal data of the visitors. Although the decision refers to the previously enforceable EU Data Protection Directive, the new rule paves the way for GDPR and social media practice, since the definition of the processor has not been altered.

GDPR and social media

The dispute had arisen in 2011 when the the data-protection authority of Schleswig-Holstein ordered an educational academy, under the name of Wirtschaftsakademie, to delete its facebook fan page because it failed to inform its users that personal data had been collected and processed via cookies. In particular,  Wirtschaftsakademie used the Insights tool provided by Facebook which provided demographic data of its audience following the processing of personal information such as age, sex, relationships, occupation, information on the lifestyles and centres of interests etc. Based on the anonymised demographic data the admin is able to customise its Facebook content targeting the relevant audience.

Wirtschaftsakademie argued before the German administrative courts that it was not responsible for the data collected by Facebook without its instructions. However, the ECJ after being asked by the national court decided that the fan page admin and facebook are jointly responsible as controllers of the personal data. The fact that the platform used to process the personal data was provided by Facebook cannot justify an exemption of the joint liability.

Nonetheless, in this dispute with crucial GDPR and social media implications, the European Court clarified that the responsibility of the two controllers, who are involved in different stages of the process, may not be equal. Therefore the level of responsibility of each operator should be assessed after taking all relevant circumstances of the case into consideration.

Do you require assistance understanding GDPR and social media ? Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.

data protection officer GDPR to do list

GDPR to do list this autumn

GDPR starts to apply less than a year from now – which seems like a reason enough to panic for many data-driven organisations who have so far not addressed the transition to GDPR. But instead of panicking, it may be better to have a look at our autumn GDPR to do list.

data protection officer GDPR to do list

1. Map your personal data

Personal data mapping may sound like a basic thing for any data protection compliance exercise but the truth is it gets way more serious with GDPR. The requirements such as privacy by default and by design, stricter consent rules, enhanced data security obligations, or data protection impact assessment all require a very clear overview of personal information under the company’s control. Whereas assistance of a privacy professional may be required for a full mapping exercise, a basic overview could easily be made in-house by involving all the relevant departments such as marketing, sales, HR, legal, and IT.

2. Identify any key risks

In many cases, you do not need to be a trained privacy professional to spot a major data privacy-related risk. For example, a system whereby any employee can access personal data and where no measures such as pseudonymisation or encryption are used is unlikely to comply with the GDPR. Other risks may be more subtle and would be best identified and assessed by a privacy professional. For example, using IoT devices might reveal aspects of individuals’ lives not foreseen by the solution provider. Why not start with a homemade list to get an initial idea and then consult a professional?

3. Plan your GDPR compliance journey

Will you simply require one-off assistance or are you in the category of organisations that are required under the GDPR to appoint a Data Protection Officer? With regard to both, you may have to decide whether you plan to tackle data protection issues in-house or seek external expert assistance.

Aphaia provides both GDPR adaptation consultancy services and Data Protection Officer outsourcing.