The GSMA, the organizers behind Barcelona’s annual Mobile World Congress (MWC), have been fined €200,000 for not carrying out a data protection impact assessment (DPIA)
Per TechCrunch (opens in new tab), the decision (opens in new tab) (PDF) delivered in Spanish by the Agencia Española de Protección de Datos (AEPD) found that the GSMA fell short when failing to account for biometric data collected from attendees, partially as a result of BREEZZ – an optional, automated identity verification system permitting entry to the event.
The GSMA’s assessment was found, per the decision, to be “merely nominal”, neglecting to account for “substantive aspects” of its data processing methods, nor the risks of, or need for, the BREEZZ system.
The GDPR and MWC's DPIA
The EU’s General Data Protection Regulation (GDPR) requires that a robust DPIA be carried out when data collection may pose a “high risk” to the right to privacy of those affected Biometric facial recognition technology falls into this category in this case because said data was used to identify MWC attendees.
The AEPD also ruled that the GSMA collected passports and EU identity documentation from attendees, and required them to consent to biometric data collection as part of the upload process.
The GDPR clearly states that consent must be specific, and given freely, but, as discovered by digital wellness advocate Dr Anastasia Dedyukhina, this clearly wasn’t an option.
“I could not find a reasonable justification for it,” she wrote in a LinkedIn (opens in new tab) post, “their website suggested that I could also bring my ID/passport for in-person verification, which I didn’t mind.”
“However, the organizers insisted that unless I upload my passport details, I COULD NOT attend the live event and would need to join virtually, which I ended up doing.”
The GSMA continued these practices for the 2022 and 2023 events, but, in light of the AEPD’s ruling, things will likely have to change – almost certainly for the better.
In a statement (opens in new tab), the GSMA said it, “takes data protection extremely seriously and has a robust compliance programme in place to address its data protection obligations. The GSMA continuingly reviews and updates its approach to data protection, employing innovative technology to deliver a safe attendee experience.”
English
Arabic
Belarusian
Bengali
Bosnian
Bulgarian
Chinese (Simplified)
Croatian
Czech
Danish
Dutch
Estonian
Filipino
Finnish
French
Georgian
German
Greek
Gujarati
Hausa
Hebrew
Hindi
Hmong
Hungarian
Igbo
Indonesian
Italian
Japanese
Javanese
Kazakh
Korean
Kurdish (Kurmanji)
Kyrgyz
Lao
Latvian
Lithuanian
Macedonian
Malagasy
Norwegian
Persian
Polish
Portuguese
Punjabi
Romanian
Russian
Serbian
Slovak
Slovenian
Spanish
Swedish
Thai
Turkish
Ukrainian
Vietnamese
Yoruba