GSMA fined for failing to carry out DPIA on biometric data collection at MWC

The organizers of Barcelona’s Mobile World Congress (MWC), the GSMA, have been fined €200,000 for failing to conduct a data protection impact assessment (DPIA) as required by the European Union’s General Data Protection Regulation (GDPR).

According to reports, the decision issued by the Spanish Data Protection Agency (AEPD) found that the GSMA did not adequately consider the collection of biometric data from MWC attendees, particularly in relation to the BREEZZ system, an automated identity verification system used for entry to the event.

The AEPD concluded that the GSMA’s assessment was superficial and failed to address key aspects of the data processing methods, the associated risks, and the necessity of the BREEZZ system.

Under the GDPR, a thorough DPIA must be conducted when data collection poses a high risk to individuals’ right to privacy. In this case, the use of biometric facial recognition technology to identify MWC attendees falls into that category.

The AEPD also ruled that the GSMA collected passports and EU identity documents from attendees and made their consent to biometric data collection a requirement during the upload process. However, the GDPR mandates that consent must be specific and freely given, which was not the case for attendees who were unable to attend without uploading their passport details.

Dr Anastasia Dedyukhina, a digital wellness advocate, highlighted this issue in a LinkedIn post, stating that she could not find a reasonable justification for the data collection and was forced to join the event virtually after refusing to upload her passport details.

The GSMA continued these practices for the 2022 and 2023 events. However, in response to the AEPD’s ruling, changes will likely be necessary to comply with data protection regulations at future events.

In a statement, the GSMA emphasized its commitment to data protection and stated that it takes compliance seriously, with a robust program in place to address its obligations. The organization also expressed its dedication to reviewing and updating its approach to data protection, leveraging innovative technology to ensure a safe experience for attendees.

The AEPD’s decision serves as a reminder to event organizers and companies to carefully consider data protection requirements and conduct thorough assessments to safeguard individuals’ privacy rights.