On May 29, 2017, the French Data Protection Authority (Commission Nationale Informatique et Libertés, or "CNIL") announced that it had authorized nine banking institutions to implement, on an experimental basis, authentication tools based on voice recognition, in the context of user authentication procedures that are mandatory when processing banking transactions.
CNIL determined that these projects comply with the applicable data protection requirements, such as the prior consent of the data subject, a limited data retention period, a limited scope, confidentiality guarantees, and a commitment to provide a report at the end of the experiment.
Because such experimental data processing must ensure that the data subject controls his or her biometric information, CNIL emphasized that biometric information must either be stored on a device in the possession of the data subject or be stored in a centralized database in an encrypted format, provided that only the data subject holds the decryption key necessary to access the biometric data. Following the same trend, other banking institutions have started to use "selfie" authentication tools (biometric authentication that confirms a person's identity using facial recognition technology via a selfie taken by that person) to enable client access to their bank accounts.
In preparation for the effective implementation of the General Data Protection Regulation in May 2018, CNIL also announced that the implementation of data processing involving a voice recognition tool or other tools relying on biometric data (e.g., fingerprints and photographs) will require the data controller to carry out a data protection impact assessment—a comprehensive analysis of the impact of the envisaged processing operations on the protection of the personal data.
CNIL's ability to understand and take into account the appetite of businesses for innovative data processing tools involving biometric data is well illustrated by these experimental projects. Banking institutions operating in France, as well as other businesses for which robust user authentication is critical, should assess the opportunity to implement new authentication tools to simplify interactions with their customers while ensuring a high level of security, in compliance with data protection regulations.