The Spanish Data Protection Agency (AEPD) has fined the GSMA, the organizing entity of the MWC, 200,000 euros for violating privacy regulations during the 2021 edition of the Mobile World Congress held in Barcelona. In the statement announcing its decision, which the GSMA can appeal before the National Court, the agency points out that the organization breached Article 35 of the GDPR, which sets out the requirements for carrying out a data protection impact assessment (DPIA).
Specifically, the violation relates to the collection of biometric data from attendees of the event by the GSMA, including data obtained from a facial recognition system it installed, which offered attendees the option of automated identity verification to enter the venue instead of manually showing their documentation to event staff.
The 2021 edition of the MWC in Barcelona, still held in the midst of the pandemic, drew very few in-person attendees compared to editions held under normal conditions. That is why that year, in which the edition was even moved to the beginning of the summer, fewer than 20,000 people attended the MWC in person. In total, there were 17,462, and of those only 7,585 used the facial recognition system, BREEZZ, to access the venue. Most therefore opted for a manual inspection of their documentation.
Regarding biometric identification, current regulations require a DPIA to be carried out proactively in situations where the processing of personal data poses a high risk to the rights and freedoms of individuals.
Facial recognition involves the processing of biometric data used to identify individuals. For this reason, such data is classified as a special category under the GDPR. This means that the use of biometrics for identification is always considered high risk, which requires a proactive assessment.
This assessment must take into account the necessity and proportionality of the proposed processing, in addition to examining the risks and detailing the measures planned to address the risks identified. The GDPR places the onus on data controllers to carry out a rigorous, proactive risk assessment of their processing. The AEPD has therefore established that the GSMA violated Article 35 because it has not demonstrated that it carried out the task required by the regulation.
In fact, the AEPD has described the GSMA’s DPIA as «merely nominal», and points out that it did not examine «important aspects» of the data processing. Nor did it assess the risks, or the proportionality and necessity of the implemented system. Nor did it include the measures planned to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
The resolution also refers to the passport and identity document data required by the Mossos d’Esquadra, which apparently served to link that data with the photo taken by the software, which initiates the facial recognition process. The GSMA reportedly cited security reasons for collecting attendees’ identity documents and passports, noting that the Spanish police had asked it to apply strict procedures to identify attendees.
Additionally, it appears that the organization asked attendees to consent to the biometric processing of their facial data as part of the ID upload process. The AEPD cites the consent notice presented by BREEZZ, which asked people for their consent to use «the biometric data obtained from the photographs provided for identification validation purposes in the context of online registration and for access to the MWC Barcelona facilities».
The latter is important, since the GDPR makes it clear that consent, for it to provide a legal basis, must be informed, specific and freely given. Such consent therefore cannot be forced.
In fact, the lack of free choice for attendees when providing their sensitive biometric data is what led to a complaint against the GSMA’s data processing, filed with the AEPD by Anastasia Dedyukhina, an expert speaker on digital well-being who had been invited to take part in a panel at MWC 2021 and who made her complaint public a few days ago. As a result of her complaint, the AEPD has decided to sanction the GSMA. Dedyukhina could find no justification for the GSMA’s collection and processing of data, which, as set up, prevented attending the event in person unless passport or identity document data was provided electronically.
The GSMA has stated that «the recent resolution of the AEPD is not related to a data breach. There was no data breach or unauthorized access to GSMA systems, and the personal data of MWC Barcelona 2021 attendees was never compromised or misused. The ruling is related to the GSMA’s approach to conducting a data protection impact assessment for the use of facial recognition technology at MWC 2021. Facial recognition was an option for MWC 2021 attendees as part of a comprehensive health and safety program.
The GSMA takes data protection extremely seriously, and has a robust compliance program in place to meet its data protection obligations. The GSMA continually reviews and updates its approach to data protection, using innovative technology to deliver a secure experience for attendees. The GSMA will continue to cooperate with the AEPD and is reviewing the resolution and assessing the options to respond to it».
In the meantime, the organization continues to offer an automated identity verification option based on facial biometrics for MWC access, both this year and last, and will continue to require identity documents to be submitted digitally for in-person attendance registration. It therefore remains to be seen what changes it makes for 2024 as a result of this sanction.