Spanish court fines Mobile World Congress for facial recognition GDPR breach
According to Spain’s data protection watchdog, the 2021 edition of the congress was in violation of privacy rules and specifically Article 35 of the GDPR on impact assessments when they collected biometric data on almost 20,000 participants.
GSMA, the organisers of the annual global Mobile World Congress (MWC), have been fined €200,000 by the Spanish data protection authority (AEPD).
According to Spain’s data protection watchdog, the 2021 edition of the congress was in violation of privacy rules and specifically Article 35 of the General Data Protection Regulation (GDPR) on impact assessments when they collected biometric data on almost 20,000 participants. During the 2021 congress, participants could use automated identity verification to enter the venue in person rather than manually show their ID documentation. After learning that sensitive biometric information was a mandatory step of the registration procedure, with no option to opt-out, and that it had been fed into the facial recognition system, one participant filed a complaint with the AEPD.
Two years later, the Court found that GSMA did not adhere to the GDPR regulation and had not assessed the risks, proportionality or necessity of implementing the facial recognition system. Overall, it has not given enough justification for imposing facial recognition on its participants.