Voiceprinting Privacy

Voiceprinting is becoming a widespread identification and authentication tool for banks and even public authorities. Voiceprinting privacy concerns and GDPR compliance need to be discussed too.

As technology advances and the world shifts more and more towards electronic and online platforms, new means of digitally identifying individuals are constantly being introduced.

One such digital identification tool, which has seen a surge in use over the last three to five years, is voiceprinting: technology which authenticates individuals with voice alone.

In fact, across the globe, several organizations including banks, credit unions and government agencies are already making use of this technology.

In 2016, for instance, Citi was reported to have launched a project to automatically verify a customer's identity by voice within the first few seconds of the conversation. Citi's adoption of voiceprinting was presented as a means of reducing time to service by eliminating the manual authentication process, potentially cutting a typical call center call by a minute or more.

Yet while voiceprint technology is being lauded as a security game-changer and a customer-service home run, there are undoubtedly privacy and data protection concerns.

Just four months ago the Information Commissioner's Office (ICO) issued a final enforcement notice to HM Revenue & Customs (HMRC) to delete millions of unlawful voiceprints. An investigation had revealed that the UK tax office had collected biometric data without giving customers sufficient information about how their biometric data would be processed, and had also failed to give customers the chance to give or withhold consent. The May 2019 final enforcement notice gave HMRC 28 days to complete the deletion of all biometric data held under the Voice ID system for which it does not have explicit consent.

“Since a voiceprint is regularly used to re-identify a person, it needs to be processed based on a lawful processing basis, just like any other personal data. This basis may be the individual’s consent or legitimate interest, subject to legitimate interest assessment in line with GDPR,” comments Dr Bostjan Makarovic, Aphaia managing partner.


Do you require assistance with GDPR and Data Protection Act 2018 compliance? Aphaia provides both GDPR adaptation consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.
