MWC organizers fined over GDPR biometric security concerns

(Image credit: Future)

The GSMA, the organizers behind Barcelona’s annual Mobile World Congress (MWC), have been fined €200,000 for not carrying out a data protection impact assessment (DPIA)

Per TechCrunch, the decision (PDF) delivered in Spanish by the Agencia Española de Protección de Datos (AEPD) found that the GSMA fell short when failing to account for biometric data collected from attendees, partially as a result of BREEZZ - an optional, automated identity verification system permitting entry to the event.

The GSMA’s assessment was found, per the decision, to be “merely nominal”, neglecting to account for “substantive aspects” of its data processing methods, nor the risks of, or need for, the BREEZZ system.

The EU’s General Data Protection Regulation (GDPR) requires that a robust DPIA be carried out when data collection may pose a “high risk” to the right to privacy of those affected Biometric facial recognition technology falls into this category in this case because said data was used to identify MWC attendees.

The AEPD also ruled that the GSMA collected passports and EU identity documentation from attendees, and required them to consent to biometric data collection as part of the upload process.

The GDPR clearly states that consent must be specific, and given freely, but, as discovered by digital wellness advocate Dr Anastasia Dedyukhina, this clearly wasn’t an option.

“I could not find a reasonable justification for it,” she wrote in a LinkedIn post, “their website suggested that I could also bring my ID/passport for in-person verification, which I didn’t mind."

> Google sued for collecting biometric data without consent

> What does AI mean for data privacy?

> We’ve also listed the best privacy tools right now

"However, the organizers insisted that unless I upload my passport details, I COULD NOT attend the live event and would need to join virtually, which I ended up doing.”

The GSMA continued these practices for the 2022 and 2023 events, but, in light of the AEPD’s ruling, things will likely have to change - almost certainly for the better.

In a statement, the GSMA said it, "takes data protection extremely seriously and has a robust compliance programme in place to address its data protection obligations. The GSMA continuingly reviews and updates its approach to data protection, employing innovative technology to deliver a safe attendee experience."

Here’s our list of the best business VPNs right now

Luke Hughes holds the role of Staff Writer at TechRadar Pro, producing news, features and deals content across topics ranging from computing to cloud services, cybersecurity, data privacy and business software.