Mobile World Congress venue access facial recognition

The organiser of the 2021 Mobile World Congress in Barcelona, Spain, has been fined EUR 200,000 by Spain's data protection regulator for illegally collecting facial data about attendees. According (pdf - in Spanish) to Spain's data protection agency AEPD, GSMA had failed to carry out a data protection impact assessment (DPIA).

The GSMA had offered attendees the option of using BREEZ, an automated identify verification system, to enter the venue in person rather than manually showing their ID documentation to staff. 7,585 chose the former, despite the event taking place during the COVID-19 pandemic. 

Under the EU's GDPR privacy law, a DPIA must consider the necessity and proportionality of data processing, and examine the risks and how identified risks are to be minimised. But the complainant had contended that the GSMA had acted disproportionately by insisting in-person delegates upload their passport details online, contradicting its privacy policy.