DPC (Ireland) - Inquiry into Airbnb Ireland UC - 28 September 2023

DPC - 28.09.2023 (complaint reference redacted)
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
Article 13(1)(d) GDPR
Article 17(1) GDPR
Article 58(2)(d) GDPR
Article 60 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 19.10.2019
Decided: 28.09.2023
Published: 15.11.2023
Fine: n/a
Parties: Airbnb Ireland UC
National Case Number/Name: 28.09.2023 (complaint reference redacted)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: R_e_

In the context of a procedure under Article 60 GDPR, the Irish DPC reprimanded Airbnb Ireland for infringing the data processing principles of data minimisation and storage limitation and for invalidly relying on Article 6(1)(f) GDPR as a ground for processing, when retaining a data subject's ID documents.

English Summary

Facts

A data subject was asked by Airbnb (the controller) to submit an ID card together with a newly taken photograph for identity verification when booking a property on the platform. The initial redacted copy of his ID was refused and the controller again requested the data subject to provide a copy of his ID together with a newly taken photograph to prove his identity. The controller only allowed the booking when the data subject provided a high-resolution copy of his ID with only the access code redacted.

Following this, the data subject thought that the amount of personal data required was excessive and that the refusal of a redacted copy of his ID by the controller could potentially lead to an identity theft. Thus, the data subject filed a complaint which ended up at the Berlin DPA. In May 2020, however, the complaint was transferred from the Berlin DPA to the Irish DPC as competent lead supervisory authority under Article 56 GDPR, which initiated the cooperation mechanism according to Article 60 GDPR.

The controller explained in its submissions that its verification procedures are to preserve the legitimate interests of safeguarding the Airbnb platform and its users, particularly where the hosts and guests will meet face to face in the rental process. The controller further submitted that when designing its ID verification processes, it gave careful consideration to the correct balance to strike between the privacy rights of its users and their rights as hosts and guests to a safe and secure stay during a reservation. Further, in this case, the host of the property had specifically asked that verified IDs be provided by potential guests and according to its policy, Airbnb is required to facilitate such requests by hosts.

The controller also stated that given the risks in allowing a potentially fraudulent or otherwise illegitimate booking to proceed, it believed that its redaction policy was adequate, relevant and necessary for the purpose of verifying user identities.

In his submissions, the data subject replied stating that such processing is contrary to the principle of data minimisation, that the provision of a copy of his ID was not necessary and that Airbnb should not permanently store ID copies once the verification process has completed. The data subject also stated that he wanted all the ID copies he submitted to be deleted by Airbnb.

In September 2022, the DPC started an inquiry into the present case and stated that the points to be determined were:

  1. Whether the controller had a lawful basis for requesting a copy/copies of the data subject's ID and/or photograph/s in order to verify his identity, so that he could complete his booking on the platform;
  2. Whether the controller complied with the principle of data minimisation when requesting an unredacted copy of the data subject's ID and/or photograph/s in order to verify his identity and when processing personal data relating to same processing;
  3. Whether the controller had a lawful basis for retaining a copy of the data subject's ID after it had verified his identity;
  4. Whether the controller complied with the principles of transparency and provision of information where the data subject's personal data was collected;
  5. Whether the controller received an Article 17 GDPR erasure request from the data subject and if so, whether Airbnb's handling of the data subject's erasure request complied with the GDPR and the Act. The controller was only notified of the data subject's request by the DPC on 19 January 2021, whereas the DPC had received the request from the data subject on 20 April 2020.

Holding

After concluding its inquiry, the DPC issued its final decision on 28 September 2023.

As regards the first issue, the DPC held that the data controller could not validly rely on Article 6(1)(f) GDPR as a legal basis for processing the data subject's ID and supplemental photograph to verify his identity because there were other means of validating the data subject's ID. The DPC further stated that the host's request for ID verification should not have been given priority over the data subject's rights, although the DPC agreed that the controller had a legitimate interest in ensuring adequate security and safety measures were in place to protect all users of the platform (given the face to face element involved). In comparison, an earlier decision by the DPC involving the same controller, handed down on 9 January 2023, allowed photo ID to be processed by relying on Article 6(1)(f) GDPR because all other attempts to verify a user's ID had failed. Yet, in this case, the controller did not even attempt other means of validating the data subject's identity in the first instance.

Regarding the second point at issue, the DPC held that requiring the data subject to submit a complete and unredacted copy of his photo ID infringed the data minimisation principle under Article 5(1)(c) GDPR, as there was no apparent effort on the part of the controller to minimise the amount of personal data sent to it with the data subject's ID.

With respect to the third issue, the DPC considered that the principle of storage limitation under Article 5(1)(e) GDPR was also infringed by the controller as it unlawfully retained the un-redacted documents for as long as the account is in existence, that is, longer than necessary. The DPC further stated that there was no evidence that the controller needed to continue processing the data to comply with a legal obligation beyond the original purposes of ID verification and security, or that retention had been limited to a strict minimum. The (still ongoing) retention of supplemental images also infringed Article 5(1)(c) GDPR and Article 5(1)(e) GDPR, as did the retention of identity documents which the controller deemed inadequate or insufficient for identification. The DPC held that once the verification process had been completed, the controller should have disposed of all documents submitted by the data subject.

As regards the fourth point, the DPC held that the controller did act in compliance with the principles of transparency and provision of information under Article 13(1) GDPR. In the DPC's view, by setting out in its Privacy Policy, Terms of Service and in the identity verification Help Centre information on how Airbnb uses and processes information about users to help create and maintain a trusted and safer environment on the platform, the controller acted in compliance with the GDPR. These documents were provided to the data subject during the account creation process.

Lastly, as to the fifth issue, the DPC held that the controller did not infringe Article 17(1) GDPR or Article 12(3) GDPR as it duly responded to the erasure request within 30 days and erased the unverified IDs as requested by the data subject. It also confirmed the data subject's personal data would be deleted from its complaint file following the conclusion of this inquiry.

For these reasons, the DPC decided to reprimand the controller in light of Article 58(2)(b) GDPR.

Comment

This is the fifth decision of the Irish DPC against Airbnb Ireland UC as a controller in the past year. Notably, the Irish DPC already reprimanded Airbnb for different GDPR violations relating to its processing activities, and in particular concerning its identity verification procedure (see DPC (Ireland) - IN-21-3-1).

What is striking here is that the corrective measure adopted is always a reprimand and never a fine, even though the DPC recognises that it should "select a measure that is effective, proportionate and dissuasive in response to the particular infringements".

As stated in Article 83(2)(e) GDPR, when considering the imposition of an administrative fine, due regard shall be given to relevant previous infringements by the controller. Further, under letter (i) of the same Article, due regard shall be given to the compliance with measures already imposed under Article 58(2) GDPR, which includes reprimands. This suggests that the conditions for imposing a fine were met in this case, but the DPC intentionally decided to, once again, opt for a less dissuasive reprimand.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Inquiry into Airbnb Ireland UC - 28 September 2023

Date of Decision: 28 September 2023

On 28 September 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (“Airbnb”), the Data Protection Commission (“the DPC”) adopted a decision.

The DPC had commenced this inquiry on 7 September 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the Complainant’s ID (“ID”) in order to verify their identity in order to complete a booking on the platform. The complainant stated that he had concerns in relation to identity theft given the volume of personal data that he was required to submit in order to complete his accommodation booking. In this particular instance the complainant stated that Airbnb would not accept his booking until he verified his identity by providing a copy of his ID in addition to a newly taken photograph to ensure that the ID related only to the person making the booking. ID submitted by the Complainant was rejected as he had redacted certain information. Ultimately however the Complainant was successfully able to verify his identity by submitting a copy of his ID with only the online access code redacted.

In a further submission the Complainant stated that Airbnb initially misunderstood what he wanted to do and thought he wanted to erase his Airbnb account. He stated that Airbnb requested another copy of ID. In addition to the complaint regarding ID verification the Complainant also wanted Airbnb to delete his ID card, both redacted and unredacted versions.

The scope of the inquiry concerned an examination and assessment of the following:

  1. Whether Airbnb had a lawful basis for requesting a copy/copies of the Complainant’s ID and/or photograph/s in order to verify his identity, so that he could complete his booking on the platform.
  2. Whether Airbnb complied with the principle of data minimisation when requesting an unredacted copy of the Complainant’s ID and/or photograph/s in order to verify his identity and when processing personal data relating to same processing.
  3. Whether Airbnb had a lawful basis for retaining a copy of the Complainant’s ID after it had verified his identity.
  4. Whether Airbnb complied with the principles of transparency and provision of information where the Complainant’s personal data was collected.
  5. Whether Airbnb received an Article 17 erasure request from the data subject and if so, whether Airbnb’s handling of the Complainant’s erasure request complied with the GDPR and the Act.

As the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.

The decision, which was adopted on Thursday 28 September 2023, records findings of infringement as follows:

Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) of the GDPR

The DPC found that Airbnb did not validly rely on Article 6(1)(f) of the GDPR as the legal basis for processing the Complainant’s photographic ID and supplemental photographs; that Airbnb’s requirement that the Complainant verify his identity by submitting a complete and unredacted copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c); that by retaining, after the identity verification process was successfully completed and until 2 February 2021 a copy of the Complainant’s un-redacted ID documents, Airbnb infringed the principle of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e); by retaining, after the identity verification process was successfully completed and for the duration of the user’s account, a copy of the Complainant’s supplemental images, Airbnb infringed the principle of data minimisation and the principle of storage limitation; and that Airbnb’s processing and retention until 2 February, 2021 of identity documents that it deemed inadequate or insufficient to verify the identity of the Complainant infringed the principle of data minimisation and the principle of storage limitation.

In light of the infringements of Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances.

  1. Delete from all of its systems and records the supplemental photographs that the Complainant uploaded (keeping only a record that such documentation was submitted and the date of submission). Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.
  2. Revise its internal policies and procedures to ensure that the seeking of photographic ID and supplemental photographs in the verification process for users is used only where necessary, proportionate and in accordance with the GDPR for the purpose for which the personal data is collected and processed, having regard, in particular, to Airbnb’s legal obligations and the issue of whether less privacy intrusive verification methods are available and effective. Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.

For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - 28 September 2023 (PDF, 3mb)