UK’s tax office ordered to destroy the voice data of millions

Image: Getty Images/Ikon Images

Imagine the IRS sitting on a vast database of unique voiceprints collected from millions of citizens.

That’s basically what happened in the U.K., but at least the country has an agency to fix the problem. The U.S. has no such safeguard — and one of its agencies has already started collecting face scans.

Her Majesty’s Revenue and Customs office (HMRC) has been instructing customers to submit “voiceprints” since 2017, and it may not have received proper consent to do so. 

Now, the nation’s data protection enforcement agency, the Information Commissioner’s Office (ICO) has filed an official order that the HMRC must delete the Voice ID data of 7 million citizens. It has 28 days to comply with the May 9 order. 

In the U.S., government agencies are also collecting biometric data. Customs and Border Patrol (CPB) is scanning the faces of individuals leaving the country. It says the images are encrypted, and only stored for a short time. But experts worry that introducing facial recognition technology at airports could turn them into tools of mass surveillance. That could lead to unlawful arrests, which would disproportionately affect women and people of color, who facial recognition software has trouble recognizing. 

The problem is, unlike the UK, the U.S. does not have a GDPR-style law — and therefore no agency to make sure that individuals are giving consent to the collection and storage of their biometric data.

Lawmakers are currently considering federal privacy legislation, but debates about what form that should take is slowing the process down. That’s put states on the front lines. California led the way in 2018 when it passed a historic GDPR-style law called the California Consumer Privacy Act. Tech companies are outwardly supporting regulation, but, in California, industry lobbyists are simultaneously working to weaken this law.

The HMRC began prompting citizens to say unique phrases that would serve as Voice ID passwords in 2017. But the password wasn’t just about the content of the phrases — it was about the unique voices issuing them. Users were creating what are known as “voiceprints.” 

Voiceprints qualify as biometric data, which the GDPR treat as “special category” data. Under the law, anyone collecting special category data must receive explicit, informed consent on the collection of that data. Organizations that manage personal data also must have conducted a Data Protection Impact Assessment (DPIA), which would determine how it would ensure the privacy and security of the data, prior to actually collecting any personal information.

The ICO’s investigation found that the HMRC did neither of these things. It says that it did not conduct a DPIA, and that it had subsequently not incorporated “data protection by design and default” into the system. That’s somewhat understandable, since GDPR didn’t come into effect until 2018, and the program began in 2017; understandable, but not an excuse for potentially shoddy data protection.

Of more startling concern to the ICO was that the agency did not provide informed consent to the majority of the Voice ID users. It says that citizens did not understand that they could opt out of the Voice ID system. 

“HMRC collected it in circumstances where there was a significant imbalance of power between the organisation and its customers,” Steve Wood, the ICO’s deputy commissioner for policy, wrote in a blog post.

The ICO reports that this is the first case of biometric data protection enforcement. But as government agencies and companies increasingly rely on and collect our unique identifiers, it certainly won’t be the last. Hopefully, as the U.S. considers its own privacy legislation, it is taking notes.