DPC (Ireland) - Inquiry into Airbnb Ireland UC - 28 September 2023: Difference between revisions

From GDPRhub

Revision as of 17:04, 20 November 2023

DPC - 28.09.2023 (complaint reference redacted)
Authority: DPC (Ireland)
Jurisdiction: Ireland
Relevant Law: Article 5(1)(c) GDPR
Article 5(1)(e) GDPR
Article 6(1)(f) GDPR
Article 13(1)(c) GDPR
Article 13(1)(d) GDPR
Article 17(1) GDPR
Article 58(2)(d) GDPR
Article 60 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 19.10.2019
Decided: 28.09.2023
Published: 15.11.2023
Fine: n/a
Parties: Airbnb Ireland UC
National Case Number/Name: 28.09.2023 (complaint reference redacted)
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): English
Original Source: DPC (in EN)
Initial Contributor: R_e_

The Irish DPC reprimanded Airbnb Ireland for infringing the data processing principles of data minimisation and storage limitation, and for invalidly relying on Article 6(1)(f) GDPR as a ground for processing, when retaining a data subject's ID documents.

English Summary

Facts

The data subject was asked by Airbnb (the controller) to submit an ID card together with a newly taken photograph in order to book a property on the platform. The initial redacted copy of his ID was refused. When the data subject made a complaint to the Federal DPA in Germany and copied the controller, the controller assumed that the data subject wanted to erase his Airbnb account. The controller requested another copy of his ID at this point, and the data subject again explained that he wanted his ID documents removed. The controller asked that he fill out a web form explaining everything again, at which point the data subject stopped engaging with the controller.

The controller explained to the DPA that its verification procedures are to preserve the legitimate interests of safeguarding the Airbnb platform and its users, particularly where the hosts and guests will meet face to face in the rental process.

The controller further submitted that when designing its ID verification processes, it gave careful consideration to the correct balance to strike between the privacy rights of its users and their rights as hosts and guests to a safe and secure stay during a reservation. The host of the particular property had asked that verified ID be provided by potential guests.

The controller also stated that given the risks in allowing a fraudulent or otherwise illegitimate booking to proceed, it believed that its redaction policy was adequate, relevant and necessary for the purpose of verifying user identities.

The points to be determined were:

Whether the controller had a lawful basis for requesting a copy/copies of the Complainant's ID and/or photograph/s in order to verify his identity, so that he could complete his booking on the platform.

Whether the controller complied with the principle of data minimisation when requesting an unredacted copy of the data subject's ID and/or photograph/s in order to verify his identity and when processing personal data relating to same processing.

Whether the controller had a lawful basis for retaining a copy of the Complainant's ID after it had verified his identity.

Whether the controller complied with the principles of transparency and provision of information where the data subject's personal data was collected.

Whether the controller received an Article 17 GDPR erasure request from the data subject and if so, whether Airbnb's handling of the data subject's erasure request complied with the GDPR and the Act. The controller was only notified of the data subject's request by the DPC on 19 January 2021, whereas the DPC had received the request from the data subject on 20 April 2020.

Holding

The DPC held that the data controller had not validly relied on Article 6(1)(f) GDPR as the legal basis for processing the data subject's photo ID and supplemental photos, because there were other means of validating the data subject's ID and because the host request for ID should not have been given priority over the data subject's rights. The DPA did agree that the controller had a legitimate interest in ensuring adequate security and safety measures were in place to protect all users of the platform (given the face-to-face element involved). In comparison, an earlier decision by the DPA involving the controller, handed down on 9 January 2023, allowed photo ID to be processed by relying on Article 6(1)(f) GDPR because all other attempts to verify ID had failed.

Furthermore, the DPC held that requiring the data subject to submit a complete and unredacted copy of his photo ID infringed the data minimisation principle (Article 5(1)(c)), as there was no apparent effort on the part of the controller to minimise the amount of personal data sent to it with the data subject's ID.

The controller also infringed this Article and Article 5(1)(e) by retaining the un-redacted documents for longer than was necessary.

There was no evidence either that the controller needed to continue processing the data for a different legal obligation beyond the original purposes of ID verification and security, or that retention had been limited to a strict minimum. The (still ongoing) retention of supplemental images infringed the same Articles for the same reasons, as did the retention of identity documents the controller deemed inadequate or insufficient to verify the ID of the data subject. Once the verification process had been completed, the controller should have simply retained a record on file that an ID document had been submitted to verify the data subject's identity, and what the document in question was. Additionally, the ID documents which were rejected during the verification process due to redactions should have been deleted once verification was completed with the accepted documents.

The controller was however in compliance with the principles of transparency and provision of information by setting out in its Privacy Policy, Terms of Service and in the identity verification Help Centre materials how it uses and processes information about users to help create and maintain a trusted and safer environment on the platform, such as verifying any identifications provided by users and why the practice is used. The documents were provided to the data subject during the account creation process.

The controller also did not infringe Article 17(1), as it responded to the erasure request within 30 days and erased the unverified IDs as requested by the data subject. It also confirmed the data subject's data would be deleted from its complaint file following the conclusion of this inquiry.


English Machine Translation of the Decision

The decision below is a machine translation of the English original. Please refer to the English original for more details.

Inquiry into Airbnb Ireland UC - 28 September 2023

Date of Decision: 28 September 2023

On 28 September 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (“Airbnb”), the Data Protection Commission (“the DPC”) adopted a decision.

The DPC had commenced this inquiry on 7 September 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the Complainant’s ID (“ID”) in order to verify their identity in order to complete a booking on the platform. The complainant stated that he had concerns in relation to identity theft given the volume of personal data that he was required to submit in order to complete his accommodation booking. In this particular instance the complainant stated that Airbnb would not accept his booking until he verified his identity by providing a copy of his ID in addition to a newly taken photograph to ensure that the ID related only to the person making the booking. ID submitted by the Complainant was rejected as he had redacted certain information. Ultimately however the Complainant was successfully able to verify his identity by submitting a copy of his ID with only the online access code redacted.

In a further submission the Complainant stated that Airbnb initially misunderstood what he wanted to do and thought he wanted to erase his Airbnb account. He stated that Airbnb requested another copy of ID. In addition to the complaint regarding ID verification the Complainant also wanted Airbnb to delete his ID card, both redacted and unredacted versions.

The scope of the inquiry concerned an examination and assessment of the following:

Whether Airbnb had a lawful basis for requesting a copy/copies of the Complainant’s ID and/or photograph/s in order to verify his identity, so that he could complete his booking on the platform.

Whether Airbnb complied with the principle of data minimisation when requesting an unredacted copy of the Complainant’s ID and/or photograph/s in order to verify his identity and when processing personal data relating to same processing.

Whether Airbnb had a lawful basis for retaining a copy of the Complainant’s ID after it had verified his identity.

Whether Airbnb complied with the principles of transparency and provision of information where the Complainant’s personal data was collected.

Whether Airbnb received an Article 17 erasure request from the data subject and if so, whether Airbnb’s handling of the Complainant’s erasure request complied with the GDPR and the Act.

As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.

The decision, which was adopted on Thursday 28 September 2023, records findings of infringement as follows:

Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) of the GDPR

The DPC found that Airbnb did not validly rely on Article 6(1)(f) of the GDPR as the legal basis for processing the Complainant’s photographic ID and supplemental photographs; that Airbnb’s requirement that the Complainant verify his identity by submitting a complete and unredacted copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c); that by retaining, after the identity verification process was successfully completed and until 2 February 2021 a copy of the Complainant’s un-redacted ID documents, Airbnb infringed the principle of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e); by retaining, after the identity verification process was successfully completed and for the duration of the user’s account, a copy of the Complainant’s supplemental images, Airbnb infringed the principle of data minimisation and the principle of storage limitation; and that Airbnb’s processing and retention until 2 February, 2021 of identity documents that it deemed inadequate or insufficient to verify the identity of the Complainant infringed the principle of data minimisation and the principle of storage limitation.

In light of the infringements of Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances.

delete from all of its systems and records the supplemental photographs that the Complainant uploaded (keeping only a record that such documentation was submitted and the date of submission). Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.

revise its internal policies and procedures to ensure that the seeking of photographic ID and supplemental photographs in the verification process for users is used only where necessary, proportionate and in accordance with the GDPR for the purpose for which the personal data is collected and processed, having regard, in particular, to Airbnb’s legal obligations and the issue of whether less privacy intrusive verification methods are available and effective. Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.

For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - 28 September 2023 (PDF, 3mb)