Home / News / GDPR fine for MWC’s biometric ID checks due diligence

GDPR fine for MWC’s biometric ID checks due diligence

European conferences and other in-person events are rushing to use facial recognition without considering data protection risks. beware: Spain’s data protection watchdog fined Mobile World Congress (MWC) organizers €200,000 ($224k) for violating privacy rules at the 2021 show in Barcelona.

The Agencia Espaola de Protección de Datos (AEPD) found MWC infringed Article 35 of the General Data Protection Regulation (GDPR), which requires a data protection impact assessment (DPIA), in an 8-page decision (PDF in Spanish) dismissing the GSMA’s appeal.

The GSMA collected biometric data on show attendees for its BREEZZ facial recognition system, which allowed attendees to enter the venue without showing ID to staff.

In 2021, the mobile industry event took place during COVID-19 pandemic concerns over attending in-person events. MWC’s organizer still held a physical conference in the summer of that year, months later than usual and with far fewer exhibitors and attendees.

According to GSMA disclosures to the AEPD, 17,462 people registered to attend MWC 2021 in person, and 7,585 used BREEZZ to enter the venue. Most chose manual ID checks. (However, with MWC 2021 taking place (still) in the pandemic, the GSMA also offered virtual attendance, with conference sessions streamed to remote viewers without ID checks.)

In cases where processing people’s data poses a high risk to their rights and freedoms, the GDPR requires proactive DPIAs. Facial recognition technology processes biometric data, which the GDPR considers special category data when used to identify individuals. Biometric identification falls into this high-risk category that requires proactive assessment.

This assessment must evaluate the processing’s necessity, proportionality, risks, and proposed mitigation measures. The AEPD found the GSMA breached Article 35 because it failed to conduct a robust and rigorous proactive assessment of risky processing, as required by the GDPR.

According to the resolution, the GSMA’s DPIA failed to assess risks, proportionality, or “substantive aspects” of data processing.

“What the resolution concludes is that a [DPIA] that does not contemplate its essential elements is neither effective nor fulfills any objective,” the AEPD says, confirming that the GSMA’s DPIA did not meet GDPR requirements [NB: this is a machine translation of the original Spanish text].

Additional AEPD resolution:

The [GSMA’s DPIA] document lacks an assessment of the necessity and proportionality of the processing operations with respect to its purpose; the use of facial recognition for event access; its assessment of the risks to data subjects’ rights and freedoms referred to in Article 35(1) of the GDPR; and the measures envisaged to address the risks, including safeguards, security measures, and mechanisms to protect personal data and demonstrate compliance. It also lists the passport and identity card data that the Mossos d`Esquadra [local police] require to connect it with the photo taken with the software, which initiates facial recognition to match your identity and allow access.

The AEPD’s resolution suggests that the GSMA failed to conduct an adequate DPIA and used a security justification for collecting show attendees’ passports or EU ID documents, claiming that Spanish police had ordered “strict processes” for identity-screening attendees.

The AEPD also noted that BREEZZ asked attendees to consent to biometric processing of their facial data as part of the ID upload process.

The GDPR requires informed, specific (not bundled), and freely given consent to be a legal basis. Consent cannot be forced. (While sensitive data like facial biometrics requires even more explicit consent to be legally processed.)

Dr. Anastasia Dedyukhina, a digital wellness speaker at MWC 2021, filed a complaint with the AEPD against the GSMA’s data processing due to conference attendees’ inability to upload sensitive biometric data. Her complaint led to GSMA sanctions two years later.

“I could not find a reasonable justification for it,” she wrote on LinkedIn late last week, criticizing the GSMA’s disproportionate request that MWC attendees upload ID documents. “Their website suggested I bring my ID or passport for in-person verification, which I didn’t mind. However, the organizers insisted that unless I uploaded my passport details, I could not attend the live event and would need to join virtually, which I did.”

Adam Leon Smith, a technologist who co-authored her complaint, wrote on LinkedIn: “Facial recognition in public spaces is highly sensitive, and if you really need to use it, use an excellent lawyer and tech team.”

Smith told : “Firstly, we found that the privacy policy said we were providing identification for facial recognition for identity purposes on the basis of consent. It became apparent that opting out was impossible. Second, the tech company was in Belarus, outside the EU. This was public information when we filed complaints. ScanViz, the technology provider, now lists a Hong Kong address on its website.”

“The AEPD requested internal privacy assessment documents from MWC and found them outdated and insufficient.” The AEPD’s decision mostly focuses on that,” he added. There were no other remedies, but the MWC will need to carefully assess the risk and impact.

Smith suggests that the Spanish data protection regulator’s resolution did not address the GSMA’s legal basis for biometric processing because it found the DPIA inadequate and decided a fuller technical assessment was not necessary.

He predicted that the GSMA would abandon facial recognition technology. “This kind of application of the technology would fall within the high-risk category in the latest drafts of the [EU] AI Act,” which requires independent conformity assessment.

The GSMA did not respond to a request for comment on the AEPD’s penalty.

The GSMA could appeal to Spain’s Audiencia Nacional (National High Court) if AEPD’s administrative process on this complaint ends with this resolution.

As Smith notes, the pan-EU AI Act will establish a risk-based framework for AI regulation in the coming years.

In 2021, the Commission proposed a ban on remote biometrics like facial recognition in public places, which would increase the regulatory risk of implementing automated verification checks in the future. (Additionally, parliamentarians want to strengthen the remote biometrics ban.) That’s on top of GDPR risks for data processors who don’t do risk due diligence or have a legal basis for sensitive data processing.

Both this year and last, the GSMA has offered MWC attendees a facial biometrics-based automated ID check option and required ID document uploads for in-person registration. Given the GDPR sanction, it will be interesting to see if it changes its privacy disclosures or MWC 2024 registration process. If it keeps offering a biometrics-based automated ID check at the show, it may want to make sure its technology supplier is EU-based.

About Chambers

Check Also

The Air Force has abandoned its attempt to install a directed-energy weapon on a fighter jet, marking another failure for airborne lasers

The U.S. military’s most recent endeavor to create an airborne laser weapon, designed to safeguard …