DPC (Ireland) - Inquiry into Airbnb Ireland UC - January 2024
DPC - Inquiry into Airbnb Ireland UC - January 2024 | |
---|---|
Authority: | DPC (Ireland) |
Jurisdiction: | Ireland |
Relevant Law: | Article 5(1)(c) GDPR Article 6 GDPR |
Type: | Complaint |
Outcome: | Partly Upheld |
Started: | 08.12.2022 |
Decided: | 31.01.2024 |
Published: | |
Fine: | n/a |
Parties: | Airbnb Ireland UC |
National Case Number/Name: | Inquiry into Airbnb Ireland UC - January 2024 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | [[:Category:|]] [[Category:]] |
Original Source: | [ (in )] |
Initial Contributor: | lm |
The DPA found that Airbnb lacked a legal basis for requiring a data subject’s ID in order to fulfill his erasure request, and thus violated data minimisation obligations in requesting the ID.
English Summary
Facts
A data subject lodged a complaint with the Berlin DPA against Airbnb (the controller). In the process of registering on the platform, a data subject submitted his email address and phone number. When he was prompted to submit his identification information (ID), he decided to cancel his registration. He requested that the controller delete all of his personal data and ensure that none of it was transferred to third parties. The controller informed the data subject that it was not possible to delete his personal data without his ID.
On 7 February 2020, the Berlin DPA transferred the complaint to the Irish DPA (DPC). The DPC informed the controller of the complaint on 25 May 2020. The controller could not locate the data subject's account, but on 1 December 2021 it responded to the DPC's notification. It stated that in 2019, ID verification was its preferred method of authenticating deletion requests and argued that this was based on its legitimate interest in verifying the authenticity of requests and ensuring appropriate deletion of accounts. The controller also noted that despite requesting the data subject's ID, it ultimately fulfilled the data subject's erasure request without requiring the documentation. With regard to sharing data with third parties, the controller stated that it does not sell user data for advertising purposes or sell messaging communications with third parties.
On 8 December 2022, the DPC issued a Notice of Commencement of Inquiry to the controller.
Holding
The DPC found that the controller lacked a legal basis under Article 6 GDPR for processing the complainant’s ID to delete his account. In addition, the controller violated Article 5(1)(c) GDPR’s principle of data minimisation by requiring that the complainant verify his identity with a copy of his ID in order to make an erasure request.
No evidence was provided showing that the controller requested the data subject’s ID during the registration process, and thus the DPC found no GDPR violation for this action. However, there was evidence that the controller requested the data subject’s ID in order to fulfill his erasure request. Even though the controller ultimately fulfilled the data subject’s erasure request without ID documentation, the DPC considered that the ID requirement to exercise Article 17 GDPR erasure rights constituted a collection of personal data. It rejected the controller’s argument that legitimate interest was a proper legal basis. While the DPC acknowledged that the controller had a legitimate interest in ensuring that it does not delete personal data in an illegitimate or inappropriate circumstance, it did not demonstrate that the request for ID was necessary or proportionate in this instance given that the data subject could confirm his identity through other means such as logging in to his account. Thus, there was no legal basis under Article 6 GDPR.
In addition, the DPC found that the controller violated the principle of data minimization when it requested a copy of the data subject’s ID It noted that the controller lacked ‘reasonable doubt’ concerning the data subject’s identity and thus did not have a basis under Article 12(6) to request additional information. The controller also failed to demonstrate that it first attempted to use other tools it already possessed, such as authentication by login.
In light of the violations, the DPC issued a reprimand pursuant to Article 58(2)(b) GDPR. In deciding not to issue a fine, it considered that Airbnb had discontinued the practice of requesting a copy of IDs to verify erasure requests.
Comment
In several decisions last year, the Irish DPC already reprimanded Airbnb for different GDPR violations relating to its processing activities, and in particular concerning its identity verification procedure (see DPC (Ireland) - IN-21-3-1; DPC (Ireland) - Inquiry into Airbnb Ireland UC - 28 September 2023).
What is striking here is that the corrective measure adopted is always a reprimand and never a fine, even though the DPC recognises that it should "select a measure that is effective, proportionate and dissuasive in response to the particular infringements".
As stated in Article 83(2)(e) GDPR, when considering the imposition of an administrative fine, due regard shall be given to relevant previous infringements by the controller. Further, under letter (i) of the same Article, due regard shall be given to the compliance with measures already imposed under Article 58(2) GDPR, which includes reprimands. This suggests that the conditions for imposing a fine were given in this case, but the DPC intentionally decided to, once again, opt for a less dissuasive reprimand.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the original. Please refer to the original for more details.
Inquiry into Airbnb Ireland UC - January 2024 Date of decision: 31 January 2024 On 31 January 2024, following an inquiry concerning a complaint received against Airbnb Ireland UC (Airbnb), the Data Protection Commission (the DPC) adopted a decision. The DPC had commenced this inquiry on 8 December 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the complainant’s ID (ID) in order to verify their identity in order to carry out an erasure request when he decided to discontinue with the registration process. The complainant alleged that during the course of his registration with the platform, Airbnb sought a copy of his identity to complete the registration process. The complainant had entered his email address and phone number. He had also ticked a box to be excluded from advertising emails. The complainant stated that once he was asked to submit his ID documentation, he decided to abort his registration process. He provided his email address and created a password to access an internal area within the platform and within this area he asked Airbnb to delete all of his personal data and ensure that none of his data was transferred to third parties. The complainant stated that he was told that it was not possible to delete his data without his ID. He stated that he did not consider Airbnb’s request to have any legal basis and that it was an infringement of his right to erasure of his personal data. The scope of the inquiry concerned an examination and assessment of the following: Whether Airbnb had a lawful basis for requesting the complainant’s ID at the point of registration of an account. Whether Airbnb had a lawful basis for requesting a copy of the complainant’s ID in order to verify his identity so that he could delete his account. Whether Airbnb complied with the principle of data minimisation when requesting a copy of the complainant’s ID in order to verify his account and when processing personal data relating to same processing. Whether Airbnb complied with the principles of transparency and provision of information at the point when the complainant’s personal data was collected from him. As the processing under examination constituted cross-border processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR and pursuant to Article 60(3) of the GDPR. The DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. The decision, which was adopted on 31 January 2024, records findings of infringement as follows: Article 5(1)(c) of the GDPR Article 6 of the GDPR The DPC found that Airbnb did not validly rely on Article 6 of the GDPR as the legal basis for processing the complainant’s ID. Furthermore the DPC found that in the particular situation that arose in this complainant’s case, Airbnb’s requirement that the complainant verify his identity by submitting a copy of his ID in order to make an erasure request constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR. In light of the infringements of Article 5(1)(c) and Article 6, the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. The DPC notes that Airbnb has discontinued the practice of requesting a copy of ID in order to verify identity in order to verify erasure requests. The DPC also notes that following an order made in a previous DPC decision, Airbnb has revised its internal policies and procedures in order to prevent further infringements of Article 5(1)(c), similar to those that occurred in this case, occurring to data subjects in the future. For more information, you can download a copy of the full decision at this link: Inquiry into Airbnb Ireland UC - January 2024 (PDF, 699 KB).