Spain fines Mobile World Congress 200,000 euros for facial recognition use

One of the largest technology fairs in the world is facing a fine for using remote biometric tech in violation of European data privacy laws.

The organizer of Mobile World Congress (MWC) in Barcelona, GSMA, will have to fork out  200,000 euro (around US$220,700) after deploying a facial recognition system that allows visitors to access the venue, according to a decision by the Spanish Agency for Data Protection (AEPD).

The system which collects biometric data from visitors was installed in 2021 without a prior impact assessment, according to the AEPD resolution. The agency ruled that the conference violated several provisions of the General Data Protection Regulation (GDPR).

The Breeze facial recognition access control system was developed by Hong-Kong based ScanVis, a subsidiary of Comba Telecom.

The €200,000 fine is considered low since MWC did not show an intention to deceive, although it did show “a serious lack of diligence,” according to the decision. GSMA tried to appeal by noting that visitor’s biometric data was processed and stored only for 4 months, but the agency was not convinced.

The case was opened after a complaint was filed by a British citizen who was invited to attend the conference as a speaker, Business Insider reports. As part of the COVID-19 measures, the speaker was asked to upload an image of his passport which he refused claiming that the MWC does not have sufficient grounds to store his data. Although MWC presented the facial recognition event registration as optional, the conference organizers declined to make exceptions for the speaker.

The European Data Protection Board (EDPB) updated its guidelines for fines under GDPR last year.

Article Topics

AEPD  |  biometrics  |  data protection  |  face biometrics  |  GDPR  |  MWC  |  Spain