DPC (Ireland) - IN-21-3-1: Difference between revisions
m (Formatting) |
No edit summary |
||
Line 71: | Line 71: | ||
}} | }} | ||
The Irish DPA found Airbnb Ireland | The Irish DPA found Airbnb Ireland in breach of the GDPR for requesting a photo ID in order to process a data subject’s erasure request. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
This case concerns two requests from an Airbnb customer (the data subject) to Airbnb Ireland UC (the controller); an access request under [[Article 15 GDPR|Article 15 GDPR]] and an erasure request under [[Article 17 GDPR|Article 17 GDPR]] | This case concerns two requests from an Airbnb customer (the data subject) to Airbnb Ireland UC (the controller); an access request under [[Article 15 GDPR|Article 15 GDPR]] and an erasure request under [[Article 17 GDPR|Article 17 GDPR]]. | ||
The complainant raised a number of issues regarding the handling of their requests by Airbnb. Firstly, there was no lawful basis for requesting a copy of the complainant’s ID for the right to erasure request. Secondly, the complainant alleged that Airbnb failed to properly respond to the erasure request. Thirdly, the controller failed to respond to the access request. | The access request was never addressed by the controller. Regarding the erasure request, when the complainant submitted the request on 17 August 2019, they were asked to verify their identity by providing a copy of their photographic ID. After the complainant refused to provide the copy, the controller offered them the alternative option of logging into their account to verify their identity. Once the complainant had done so, Airbnb advised them that it had initiated their request and, on 24 October 2019, confirmed that the relevant data had been deleted. | ||
The data subject lodged a complaint and raised a number of issues regarding the handling of their requests by Airbnb. Firstly, there was no lawful basis for requesting a copy of the complainant’s ID for the right to erasure request. Secondly, the complainant alleged that Airbnb failed to properly respond to the erasure request. Thirdly, the controller failed to respond to the access request. | |||
The complaint was originally filed with the Berlin DPA, who referred the case to the Irish DPA under article 56 GDPR, and in accordance with the procedure outlined in [[Article 60 GDPR]]. | The complaint was originally filed with the Berlin DPA, who referred the case to the Irish DPA under article 56 GDPR, and in accordance with the procedure outlined in [[Article 60 GDPR]]. |
Revision as of 16:04, 24 January 2023
DPC - IN-21-3-1 | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 4 GDPR Article 5 GDPR Article 6 GDPR Article 12 GDPR Article 15 GDPR Article 17 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 25.03.2021 |
Decided: | 14.09.2022 |
Published: | 16.01.2023 |
Fine: | n/a |
Parties: | Airbnb Ireland UC |
National Case Number/Name: | IN-21-3-1 |
European Case Law Identifier: | n/a |
Appeal: | Unknown |
Original Language(s): | English |
Original Source: | DPC (in EN) |
Initial Contributor: | LR |
The Irish DPA found Airbnb Ireland in breach of the GDPR for requesting a photo ID in order to process a data subject’s erasure request.
English Summary
Facts
This case concerns two requests from an Airbnb customer (the data subject) to Airbnb Ireland UC (the controller); an access request under Article 15 GDPR and an erasure request under Article 17 GDPR.
The access request was never addressed by the controller. Regarding the erasure request, when the complainant submitted the request on 17 August 2019, they were asked to verify their identity by providing a copy of their photographic ID. After the complainant refused to provide the copy, the controller offered them the alternative option of logging into their account to verify their identity. Once the complainant had done so, Airbnb advised them that it had initiated their request and, on 24 October 2019, confirmed that the relevant data had been deleted.
The data subject lodged a complaint and raised a number of issues regarding the handling of their requests by Airbnb. Firstly, there was no lawful basis for requesting a copy of the complainant’s ID for the right to erasure request. Secondly, the complainant alleged that Airbnb failed to properly respond to the erasure request. Thirdly, the controller failed to respond to the access request.
The complaint was originally filed with the Berlin DPA, who referred the case to the Irish DPA under article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR.
Responding to the first issue (lawfulness of ID request), Airbnb initially noted that merely a “request” to provide ID cannot be considered “processing” within the meaning of Article 4(2) GDPR, as “receipt of or access to” the relevant personal data is required. Furthermore, Airbnb stated that its identity verification procedures are in place to protect the Airbnb platform and its users, in doing so they stressed the risk of fraudulent activity, and stated there is evidence that bad actors use GDPR requests to do harm, deceiving the platform and its users. As such, photo ID verification is a reliable form of proof of identity and a secure authentication method to combat these risks. Accordingly, the collection of this data is lawful in accordance with the “legitimate interest” basis in Article 6(1)(f) GDPR.
With regards to the handling of the erasure request itself, the second issue, Airbnb advised that the deletion of an account is a highly technical process, and it could not confirm the exact date this process was completed. However, it was later confirmed that Airbnb emailed the complainant on 24 October 2019 confirming the deletion of the complainant’s personal data.
On the third issue (the access request), Airbnb advised that a review of the documentation indicated that the request was received by Airbnb on 24 October 2019, however this was “regretfully mishandled/misinterpreted” by one of their agents. This was brought to their attention when the complainant followed up on the request on 8 November 2019, however, by this point the account had been deleted and the controller was only able to provide a “post-deletion access file” on 17 July 2020.
Holding
Following its examination and assessment of the complaint, the DPC held as follows.
Regarding the first issue (whether the controller had a lawful basis for the ID request) the DPC stated that, firstly, making photographic ID a mandatory requirement for submitting an erasure request does constitute processing for the purposes of Article 4(2) GDPR. In addition, while the processing of photo ID may be required in some circumstances, Airbnb did not demonstrate that the ID request was either proportionate or necessary in the context of an erasure request. Therefore, it could not be considered that a “legitimate interest” exists for the processing of data and so the controller had infringed Article 6(1) GDPR, in addition to violating the principle of data minimisation in Article 5(1)(c) GDPR.
Concerning the second issue of the controller’s handling of the erasure request, the DPC advised that, once the complainant verified their identity by logging into their account on 2 September 2019, the erasure of the account was commenced the same day and confirmed to have been completed on 24 October 2019. Accordingly, there was no undue delay in handling the request for erasure and the controller did not infringe upon Article 17(1) GDPR.
Finally, the DPC addressed the controller’s obligations under article 12 GDPR regarding both the handling of the erasure and access request. The DPC found no violation regarding the erasure request. However, they found that a considerable delay arose between the date in which Airbnb received the access request on 24 October 2019 and the supply of the post-deletion access file on 17 July 2020, contrary to the requirement to comply with the request within a period of one month (Article 12(3)). Accordingly, the controller infringed Article 12(3) GDPR with respect to its handling of the access request.
Regarding the exercise of corrective powers, the DPC considered the imposition of an administrative fine in accordance with the factors set out in Article 83(2) GDPR. They concluded that a fine would not be necessary, proportionate or dissuasive and that the delay in handling the access request did not arise due to a systemic set of issues but was particular to the circumstances of the case. Accordingly, the DPC did not administer a fine, and instead, made an order requiring Airbnb to bring its activities into compliance with the GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the English original. Please refer to the English original for more details.
An Coimisidn um Chosaint SonraiData Protection Commission basis, the draft decision of the DPC in relation to this complaint was transmitted to each supervisory authority in the EU and EEA for their opinion. Complaint Handling by the DPC — Timeline and Summary 1. The complaint was initially lodged with the Berlin DPA and thereafter transmitted to the DPC, on 06 March 2020, via the IMI to be handled by the DPC in its role aslead supervisory authority. The complainant alleged that Airbnb failed to properly respond to an erasure request submitted by them, via email on 17 August 2019, pursuant to Article 17 of the GDPR. Further, the complainant stated that when they submitted their request for erasure, Airbnb requested that they verify their identity by providing a photocopy of their identity document (“ID”), which they had not previously provided to Airbnb. The complainant refused to provide a copy of their ID and Airbnb then provided them with the option of logging into their account to verify their identity. Upon logging into their account to verify their identity, Airbnb advised the complainant that it had initiated their deletion request and.would delete all data to the extent that GDPR permits or requires Airbnb to retain data. On 24 October 2019, Airbnb confirmed to the complainant that their personal data had been deleted pursuant to Airbnb’s obligations under the GDPR. 2. The complainant also alleged that they submitted an access request to Airbnb, via email on 02 September 2019, pursuant to Article 15 of the GDPR, to which they received no response. 3. The DPC notified Airbnb of the complaint by way of letter on 08 June 2020 and provided Airbnb with a copy of the complaint. 4. Airbnb reverted to the DPC confirming that the complainant's account had been deleted. Airbnb advised the DPC that the complainant had requested that their account be deleted and was asked by Airbnb to verify their identity by providing ID, in accordance with its identity verification procedures, further details of which it advised, are set out in its “Help Centre” article. Airbnb stated that the complainant raised concerns with providing a copy of their ID and so its community support agents verified the complainant's identity using an alternative verification method, namely having the complainant log in to their Airbnb account. Airbnb informed the DPC that, once their identity was verified, its agents notified the complainant that their deletion request was being processed and also that certain data may be retained: “Airbnb will delete your personal data, except to the extent GDPR permits or requires us to retain that data. For example, we retain data that is necessary for An Coimisiin um Chosaint Sonrai Data Protection Commission complying with laws to which we are subject, for exercising the right of freedom of expression and information (such as the content overviews [sic]), and for the establishment, exercise or defence of legal claims (such as Information relating to user disputes)” In addition, Airbnb stated that it informed the complainant that they would not receive any further emails from Airbnb. Airbnb advised the DPC that subsequent to this, the complainant emailed Ajirbnb on 24 October 2019 requesting access to their personal data retained post- deletion, contrary to the complainant’s assertion they submitted their access request on 02 September 2019. Airbnb advised the DPC that, regretfully, the complainant's request was not escalated to the relevant team. Similarly, when the complainant emailed Airbnb’s community support team on 08 November 2019, the agent did not link the request to any particular account as the complainant's account had already been deleted. Airbnb advised the DPC that it was investigating the cause of this oversight and would like to offer its apologies to the complainant for the inconvenience caused by this error. Airbnb advised the DPC that it was, at that time, processing the complainant's access request post-deletion. In an attempt to facilitate the amicable resolution of the complaint, the DPC reverted to the complainant advising them that the DPC had communicated with Airbnb on this matter. The DPC advised the complainant that Airbnb stated that their account, and associated personal data (including phone recordings), had been erased to the extent required by GDPR as they had verified their identity by way of logging in to their Airbnb account, and that no further personal data wasprovided for this purpose. The DPC advised the complainant that, regarding their access request, which was made after the erasure of their account, Airbnb informed the DPC that this request would be processed and issued to them directly by email and that they should have now received this correspondence. The DPC informed the complainant that Airbnb had noted that this request was not initially processed as the account had already been erased and that Airbnb has apologised for this and provided the below explanation: {RE mailed Airbnb on 24 October 2019 requesting access to her personal data retained post-deletion. Regretfully, this request was not escalated to the relevant team. Similarly, wherlfjemailed our community support team on 8 November2019, the agent did not link the request to any particular account as{js account An Coimisiun um Chosaint Sonrai Data Protection Commission 26.With regard to its response to the complainant's erasure request, Airbnb advised that a review of the documentation provided with the complaint by the DPC in June 2020 indicates that the erasure request was received by Airbnb on 17 August 2019. Airbnb noted that the documentation provided with the complaint by the DPC contained a copy of an email from Airbnb to the complainant dated 17 August 2019, confirming receipt of the deletion request and setting out the required authentication steps for the complainant. Airbnb stated that the request was ultimately authenticated by the complainant on 2 September 2019 (and provided the below screenshot of the relevant extract from its records). 27.With regard to the DPC’s request for clarification as to the date the complainant's erasure request was completed and all data was deleted, Airbnb advised that the deletion of an Airbnb account is a highly technical process that involves a number of stages / phases. Airbnb advised that the length of time it takes to delete an account in its entirety is dependent on a number of variables, including the volume and nature of the data on the account as well as confirmations from various internal teams that certain additional data is not required to be held for legal or regulatory reasons. Airbnb stated that it informed the complainant of this fact: “Please note that the deletion process itself happens over a period of time acrossour systems. We are not able to confirm the exact date on which the deletion process for any given request completes”28.Airbnb stated that, in the context of the complaint, Airbnb could not confirm from its records when the deletion process was completed. Airbnb stated that separate deletion processes are in place for phone call recordings, which are automatically deleted on a cyclical basis, unless Airbnb is required to retain these recordings for specific reasons. Airbnb advised that, as confirmed by Airbnb in its response to the DPC dated 22 June 2020 in respect of the underlying complaint, all phone recordings in respect of the complainant had been deleted by that point in time. 29 30. 31. 32. An Coimisign um Chosaint Sonrai Data Protection Commission .With regard to the complainant’s access request, Airbnb advised that a review of the documentation provided with the complaint by the DPC in June 2020 indicated that the complainant's access request was received by Airbnb on 24 October 2019. Airbnb noted that the documentation provided with the complaint by the DPC contains a copy of the request from the complainant to Airbnb dated 24 October 2019. Further, Airbnb stated that a review of the documentation provided with the complaint by the DPC in June 2020 indicated that one of Airbnb’s agents responded to the complainant on 24 October 2019 but mishandled / misinterpreted the complainant's request. Airbnb noted that the documentation provided with the complaint by the DPC contained a copy of this response dated 24 October 2019. Airbnb advised that these issues were outlined in its response to the DPC dated 22 June 2020 in respect of the complaint handling process, with the relevant extracts set out below for ease of reference: “Subsequently, emailed Airbnb on 24 October 2019 requesting access to her personal data retained post-deletion. Regretfully, this request was not escalated to the relevant team. Similarly, when mailed our community support team on 8 November 2019, the agent did not link the request to any particular account as W's account had already been deleted. We are investigating the cause of this oversight and would like to offer our apologies toM— for the inconvenience caused by this error. As stated above, we are processing is access post- deletion request now and will send it to her by email at f Airbnb stated that it provided the complainant with the post-deletion access file on 17 July 2020. However, as the account had been deleted, Airbnb’s investigations into the issues that resulted in the mishandling of the post-deletion access request have not yielded further insight into what transpired. The DPC received a response from the complainant via the Berlin DPA on 19 July 2021. In their response, the complainant confirmed that they were agreeable to all information that they had previously provided in the context of the complaint handling process being used for the purposes of the Inquiry. In_ their correspondence the complainant informed that DPC that they did not provide a copy of their ID to Airbnb for identification purposes. The complainant also provided a number of correspondence they had exchanged with Airbnb. The DPC reverted to Airbnb via email on 24 January 2022. The DPC advised Airbnb that, in addition to the issues previously notified to Airbnb in its Commencement Notice, the following issue was also deemed to form part of the Inquiry under, and in accordance with, Section 110(1) of the Data Protection Act, 2018: 10 33. An Coimisiin um Chosaint SonraiData Protection Commission d) Whether Airbnb has complied with its obligations in accordance with Article 12 of the GDPR with respect to its handling of the complainant's erasure request and access request. The DPC also posed a number of queries relating to the issues outlined in the Scope of the Inquiry. Airbnb responded via letter dated 07 February 2022. With regard to the DPC’s request for a copy of Airbnb’s Terms of Service, Privacy Policy and supplemental Privacy Policy that were in place in January 2018 when the complainant created their account where it notified the complainant that Airbnb required that users provide a copy of the government issued ID in order to verify their identity, Airbnb provided the DPC with copies of the Terms of Service and Privacy policy that were in place in January 2018. 34.Airbnb advised that Section 2 of its Terms of Service describes Airbnb’s identity 35. 36. verification practices and that Section 2.3 states that “Airbnb may make the access to and use of the Airbnb Platform, or certain areas or features of the Airbnb Platform, subject to certain conditions or requirements, such as completing a verification process”. Further, Airbnb advised that Section 2.4 of its Terms of Service informs users that Airbnb may “ask Members to provide a form of government identification or other information or undertake additional checks designed to help verify the identities or backgrounds of Members”. Airbnb stated that its Privacy Policy also contained a number of disclosures around identity verification, such as Section 1.1 which states “Other Authentication- Related Information. To help create and maintain a trusted environment, we may collect identification (like a photo of your government-issued ID) or other authentication information. To learn more, see our Help Center [sic] article about providing identification on Airbnb”. Further, Airbnb advised that Section 2.2 of its Privacy Policy describes practices deployed to “Create and Maintain a Trusted and Safer Environment”, including steps to “Verify or authenticate information or identifications provided by you”. Airbnb stated that these disclosures form part of a series of disclosures, throughout the various iterations of its Terms and Privacy Policies, which inform users about identity verification. In response to the DPC’s request that Airbnb clarify how its records indicate that the complainant had previously uploaded a copy of their |D document shortly after joining the platform, Airbnb provided the DPC with a redacted extract of the post- deletion access file. Airobnb advised that the redacted extract contains a log entry (Figure 2 below) - originally included at row 73 in the Security Data tab of the access file - which indicates that a government ID was uploaded to the 11