What happened

Spanish airport operator Aena was fined EUR 10 million and ordered to suspend its biometric facial recognition boarding system operating in several major Spanish airports, including Madrid-Barajas and Barcelona-El Prat. The sanction was imposed by the Spanish Data Protection Agency (AEPD).

The facial recognition system was used for passenger identification and boarding, with nearly 40,000 travellers voluntarily enrolling in the scheme between 2023 and 2024.

The core of the incident, which occurred across airports like Madrid, Barcelona, and Menorca (with pilot schemes operating between at least 2019 and 2022/2024), was the failure to meet the requirements of the European Union's General Data Protection Regulation (GDPR).

This failure is seen to have directly violated the fundamental privacy rights of passengers, and created an inherent risk of unlawful processing, data misuse, or future data breaches.

The suspension of the system was warned by industry insiders to potentially lengthen security and boarding queues, causing disruption for travellers, especially during busy periods.

Why it happened

The AEPD's sanction was based on Aena's failure to conduct a valid Data Protection Impact Assessment (DPIA), as required under Article 35 of the GDPR for high-risk data processing like biometric identification.

• Lack of necessity and proportionality: The AEPD found that Aena’s DPIA failed to demonstrate that collecting passengers' biometric data was strictly necessary or that less intrusive alternatives (such as digital tokens stored on passengers' own devices) were adequately explored.

• Transparency and accountability limitations: Aena’s reliance on the system being voluntary and having data encrypted was not sufficient. The incident highlights a failure of corporate accountability to rigorously fulfill a formal, mandatory legal obligation (the DPIA) that serves as a cornerstone of the GDPR's "privacy by design" and "privacy by default" principles, especially when deploying a high-risk AI system. The absence of a valid DPIA demonstrates a serious lack of transparency and upfront risk analysis regarding the impact of the AI technology on user rights.