Processing speech recordings: some data protection issues by Romagna Tech

When Air Traffic Control enthusiasts record conversations, they may be unaware of what speech is in terms of data protection: it can be regarded as biometric data, similarly to a fingerprint.

Biometrics refers to technologies that measure and analyse a person’s physical characteristics, making it possible to identify it through its biometric features and can also be used for authentication purposes.

From a data protection perspective, biometric technologies in general are closely linked to specific physical, physiological, behavioural or even psychological characteristics of a person, and some of them might also reveal sensitive data.

As to the voice, biometrics may concern the analysis of the tone, pitch, cadence and frequency of a person’s voice, which can make it possible to determine if a certain person is who he/she declares to be, or the identity of an unknown person, if matched with data from other databases.

Biometric data may also allow for automated tracking, tracing or profiling of persons and, as such, their potential impact on the privacy and the right to data protection of individuals is high, as also observed by the EU data protection authorities.

Moreover, biometric data are irrevocable: a breach concerning biometric data threatens the further safe use of biometrics as identifier and the right to data protection of the concerned persons for which there is no possibility to mitigate the effects of the breach.

One can change its passwords if forgotten or compromised, or its home keys if lost, but not its voice.

Voice biometric authentication systems are based on measurements of the biological characteristics of the individual and comparisons with other individuals previously checked and recorded in a database by a mechanism called enrollment.

Every spoken word (of a predefined speech used as sample) is converted, by a chain of mathematical operations, into a person’s voice print (also called ‘iVector’ in the R&D community), which is stored in the database. This shall be further interrogated to determine if a speaker is the person it claims to be, by comparing the stored voice print with the speaker’s, or even to determine which speaker, in a group of known speakers, most closely matches the unknown speaker (and in this case it is more appropriate to refer to identification systems, instead of authentication systems).

According to the General Data Protection Regulation (article 9), biometric data may be regarded as a ‘special category’ of data (commonly said: sensitive data).

However, in order for it to be considered as processing of special categories of personal data (Article 9) it requires that biometric data is processed “for the purpose of uniquely identifying a natural person”.

In short, in the light of articles 4.14 and 9, three criteria must be considered:

  • Nature of data: data relating to physical, physiological or behavioural characteristics of a natural person,
  • Means and way of processing: data “resulting from a specific technical processing”,
  • Purpose of processing: data must be used for the purpose of uniquely identifying a natural person.

Sensitive data may only be processed if specific conditions are met, for example:

  • the data subject has given its express consent, which should be freely given, specific, informed and unambiguous;
  • processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  • processing relates to personal data which are manifestly made public by the data subject;
  • processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  • processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Being an EU Regulation, the GDPR is directly applicable in all EU Member States, but we should remember that in some cases it leaves States free to adopt specific rules, as in the case of the special categories of data.

Member States may actually maintain or introduce further conditions, including limitations, with regard to the processing of genetic, biometric or health data.

Attention should thus be paid to State-specific rules and regulations.

(Romagna Tech, Claudia Cevenini)

References

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation)