Event tech
Mobile World Congress receives GDPR fine
Mobile World Congress, organised by GSMA, has been fined following a breach of GDPR compliancy discovered by a Spanish watchdog
Despite pushback against remote biometric surveillance at in-person events, such as by the European Union, events including Mobile World Congress (MWC) have implemented the system.
MWC has since been fined €200k ($215k) following a breach of privacy at the 2021 event found by the Spanish data protection watchdog Agencia Española de Protección de Datos (AEPD). The watchdog concluded that MWC infringed Article 35 of the Data Protection Regulation (GDPR) – a law which applies to companies and entities established in the EU.
It was found that the event’s use of BREEZ, a facial detection system, allowed MWC’s organiser, GSMA, to collect the biometric data of the show’s attendees. The system allowed attendees to opt into automatic identity verification for entry, rather than by showing their official ID to staff. Of the event’s over 17k attendees, 7,585 used the BREEZ system. Virtual attendees did not require IDs to access the event.
GDPR
Facial recognition technology requires biometric data, the processing of which the GDPR considers at high risk of violating individuals’ rights. To counter this, the law requires that a data protection impact assessment (DPIA) be carried out. In its eight-page dismissal of an appeal by GSMA against the findings, AEPD found that the event’s DPIA: “lacks an assessment of the necessity and proportionality of the processing operations with respect to its purpose” (translation from Spanish).
The AEPD’s dismissal of the GSMA’s appeal can be found in PDF format on the agency’s website, aepd.es.
Complaints
A complaint to the AEPD co-authored by digital well-being expert Dr Anastasia Dedyukhina and senior technologist Adam Leon Smith highlighted the concerns of individual attendees. Both addressed their concerns in separate LinkedIn posts, with Dedyukhina saying: “The organisers asked me to upload biometric data (passport) online in order to verify my identity, which I refused because I could not find a reasonable justification for it. However, the organisers insisted that unless I upload my passport details, I COULD NOT attend the live event and would need to join virtually, which I ended up doing.”
Dedyukhina added that the joint complaint followed research into the issue by the co-authors, which demonstrated the mishandling of the biometric data by the organisers. This research can be found in the eight-page dismissal.
In his LinkedIn post, Smith concluded that: “Facial recognition in public spaces is highly sensitive and if you really need to use it, use an excellent lawyer and tech team.”
www.exhibitionworld.co.uk, Issue 3 2023