The GSMA, organizers of the annual Mobile World Congress (MWC) in Barcelona, have been fined €200,000 for failing to carry out a Data Protection Impact Assessment (DPIA).
As reported by TechCrunch, the decision (PDF), provided in Spanish by the Agencia Española de Protección de Datos (AEPD), stated that the GSMA did not consider biometric data collected from participants, partly as a result of the operation of BREEZZ – an optional, automatic identity verification system enabling entry to the event.
According to the decision, the GSMA’s assessment was considered “only nominal”, not taking into account the “substantial aspects” of its data processing methods, nor the risks associated with or the need for the BREEZZ system.
GDPR and DPIA MWC
The EU’s General Data Protection Regulation (GDPR) requires a robust data protection impact assessment to be carried out when data collection may pose a “high risk” to data subjects’ right to privacy. Biometric facial recognition technology falls into this category in this case, as the aforementioned data was used to identify MWC attendees.
The AEPD also ruled that the GSMA collected passports and EU identity documents from participants and required their consent to collect biometrics as part of the submission process.
The GDPR clearly states that consent must be specific and voluntary, but as discovered by digital health advocate Dr. Anastasia Dedyukhina, this was clearly not possible.
“I couldn’t find a reasonable justification for this,” she wrote in a LinkedIn post, “their website suggested I could also bring my ID/passport for personal verification, which was fine with me.”
“However, the organizers insisted that if I did not submit my passport details, I could NOT attend the live event and would have to join virtually, which I ultimately did.”
The GSMA continued these practices for events in 2022 and 2023, but in light of the AEPD ruling, things will likely have to change – almost certainly for the better.
In a statement, the GSMA said it “takes data protection very seriously and has a robust compliance program in place to meet its data protection responsibilities. The GSMA is constantly reviewing and updating its approach to data protection, using innovative technologies to ensure a secure participant experience.”