The GSMA, the Mobile World Congress (MWC) organizer, will be fined 200,000 euros for using facial recognition technology at the 2021 edition. The Spanish regulator says European privacy rules were violated because the Data Protection Impact Assessment (DPIA) was not properly conducted. The GSMA can still appeal the fine.

This was reported by US tech site TechCrunch, which obtained the fine decision (pdf) from the Agencia Española de Protección de Datos (AEPD) (1).
The Mobile World Congress or MWC is an event where smartphone manufacturers showcase their latest cell phones and technological marvels to the world. The first edition took place in Cannes in 1987 and was attended by only a handful of enthusiasts at the time. Today, the MWC has become the largest smartphone event in the world. Due to the increasing number of visitors, the MWC moved to Barcelona in 2006.
In 2019, 109,000 smartphone enthusiasts, journalists and managers attended the MWC. Due to the coronavirus pandemic and the numerous cancellations that resulted, the event could not take place in 2020. The following year, the maximum number of visitors was set at 50,000. Only 17,462 visitors actually attended the event.
To identify visitors, the organization deployed facial recognition technology that year. The GSMA used BREEZ software for this purpose. "BREEZ uses facial recognition to verify your ID, process your registration faster and get instant verification," the organization wrote on its website.
The General Data Protection Regulation (GDPR) requires a company or organization to conduct a DPIA or data protection impact assessment as soon as (special) personal data is processed on a large scale. Article 35 states that this is particularly important if "new technologies" are used in the processing of personal data. Facial recognition falls under this heading.
The Spanish regulator received a complaint from one of the event participants. She was unhappy with the use of facial recognition technology, she says on LinkedIn. She writes that employees at the MWC required her to upload her passport data.
As required by the rules, the GSMA commissioned a DPIA. However, the Spanish regulator accuses the organization of a "lack of due diligence." According to the AEPD, the assessment missed "essential elements," such as possible security risks, and "does not meet any purpose." Substantive aspects of biometric data processing were not examined. Nor did it look at the necessity, subsidiarity and proportionality of the measure.
The actions violated Article 35(1) of the GDPR. Because of the seriousness of the violation, the Spanish regulator decided to impose a fine of 200,000 euros. While facial recognition was voluntary for visitors, that is irrelevant, according to the AEPD. Of the 17,462 visitors, 7,585 used BREEZ's facial recognition technology. Most chose to identify themselves the old-fashioned way, or to attend via a live stream.
The GSMA can appeal the fine. Whether the MWC organizer will do so is unknown. The GSMA has not yet responded to the Spanish regulator's GDPR fine.
Update: the GSMA announces in a response that it is aware of the Spanish regulator's ruling (2). The MWC organizer says the ruling does not relate to a data breach or unauthorized access to personal data of congress participants in 2021. The AEPD only criticized the DPIA's approach to the use of facial recognition technology.
"The GSMA takes data protection extremely seriously and has a robust compliance program to meet its data protection obligations. The GSMA constantly reviews and updates its approach to data protection and uses innovative technology to provide a secure participant experience," the organizer said in a press statement.
Finally, the GSMA says it is in contact with the Spanish regulator, is studying the fine decision and is considering all options to respond.
(1) https://www.aepd.es/es/documento/reposicion-ps-00553-2021.pdf
(2) GSMA statement on AEPD resolution
