The United Kingdom’s tax authority has until June 5th to delete 5 million voice recordings that were used to provide biometric authentication for British citizens. The program dates back to 2017, when HM Revenue and Customs (HMRC) began asking callers to use the phrase “My voice is my password” to register their voice biometrics and verify their identities on future calls.
Following a tip from the privacy advocate Big Brother Watch, the Information Commissioner’s Office (ICO) ruled that callers were not given the opportunity to provide consent or opt out of the biometrics program. That made it a violation of the European Union’s GDPR legislation that went into effect last May, which requires such explicit consent for any form of biometric authentication.
“Innovative digital services help make our lives easier but it must not be at the expense of people’s fundamental right to privacy,” said ICO Deputy Commissioner Steve Wood.
For its part, HMRC will continue to use voice authentication, citing the security and convenience benefits of the technology. The agency changed its onboarding process to comply with GDPR regulations in October, and reported that 1.5 million people have already opted in to the voice registration platform.
HMRC also indicated that it would have no trouble deleting the 5 million recordings that were gathered before its new procedures went into effect. Since this is HMRC’s first GDPR violation, the agency will not face any fine as a result.
While the ruling raises obvious concerns about HMRC’s prior conduct, the ICO’s enforcement of the law is nevertheless one of the first major displays of legislative oversight as it relates to biometrics. It proves that privacy activists have been effective in Europe, and is likely to renew calls for similar legislation in the US, especially as major companies like Amazon and Microsoft begin to champion the cause.
Source: BBC News
May 6, 2019 – by Eric Weiss