On May 29, 2017, the French Data Protection Authority (Commission Nationale Informatique et Libertés, or "CNIL") announced that it had authorized nine banking institutions to implement, on an experimental basis, authentication tools based on voice recognition, in the context of user authentication procedures that are mandatory when processing banking transactions.
CNIL determined that these projects comply with the applicable data protection requirements, such as the prior consent of the data subject, limited data retention period, limited scope, confidentiality guarantees, and commitment to provide a report upon the term of the experiment.
As such experimental data processing must ensure that the data subject will control his/her biometric information, CNIL emphasized that biometric information either must be stored on a device in the possession of the data subject, or stored in a centralized database in an encrypted format, provided that only the data subject holds the decryption key necessary to access the biometric data. Following the same trends, other banking institutions have started to use "selfie" authentication tools (biometric authentication that confirms a person's identity using facial recognition technology via a selfie taken by that person) to enable client access to their bank accounts.
In preparation for the effective implementation of the General...