The GSMA, the organizers behind Barcelona’s annual Mobile World Congress (MWC), have been fined €200 million for not carrying out a data protection impact assessment (DPIA)
Per TechCrunch (opens in new tab), the decision (opens in new tab) (PDF) delivered in Spanish by the Agencia Española de Protección de Datos (AEPD) found that the GSMA fell short when failing to account for biometric data collected from attendees, partially as a result of BREEZZ – an optional, automated identity verification system permitting entry to the event.
The GSMA’s assessment was found, per the decision, to be “merely nominal”, neglecting to account for “substantive aspects” of its data processing methods, nor the risks of, or need for, the BREEZZ system.
The GDPR and MWC’s DPIA
The EU’s General Data Protection Regulation (GDPR) requires that a robust DPIA be carried out when data collection may pose a “high risk” to the right to privacy of those affected Biometric facial recognition technology falls into this category in this case because said data was used to identify MWC attendees.
The AEPD also ruled that the GSMA collected passports and EU identity documentation from attendees, and required them to consent to biometric data collection as part of the upload process.
The GDPR clearly states that consent must be specific, and given freely, but, as discovered by digital wellness advocate Dr Anastasia Dedyukhina, this clearly wasn’t an option.
“I could not find a reasonable justification for it,” she wrote in a LinkedIn (opens in new tab) post, “their website suggested that I could also bring my ID/passport for in-person verification, which I didn’t mind.”
“However, the organizers insisted that unless I upload my passport details, I COULD NOT attend the live event and would need to join virtually, which I ended up doing.”
The GSMA continued these practices for the 2022 and 2023 events, but, in light of the AEPD’s ruling, things will likely have to change – almost certainly for the better.