The GSM Association (GSMA) has been fined for its use of facial recognition technology at the 2021 Mobile World Congress in Barcelona. The Spanish Data Protection Agency (AEPD) slapped it with a €200,000 (US$219,170) fine in February and has now rejected the GSMA's appeal, saying it failed to conduct a meaningful data protection impact assessment.

During the first pandemic-era MWC conference, GSMA changed its registration process and required in-person attendees to upload their identification documents (a passport or ID), including biometric data, digitally.

The GSMA also offered the option to check an MWC attendee's identity via facial recognition through a system called BREEZ. As explained in AEPD's ruling on the GSMA's appeal – based on a Google translation of the Spanish document – BREEZ analyzes attendees' facial features and creates a biometric token. During the event, an individual's identity is verified by comparing camera data to the token.

Figure 1: In 2021, MWC changed significantly in response to the COVID-19 pandemic.
(Source: Reuters/Alamy Stock Photo)

Not everyone was pleased with the changes. One attendee – Anastasia Dedyukhina – says she was denied entry and had to attend her panel virtually because she had refused to upload the information. This led her to file a complaint with AEPD.

As far as Light Reading could establish with the help of Google Translate, the original complaint alleged, among other things, that there wasn't a sufficient legal basis to collect the data.

It seems the GSMA claimed it was required to transfer the identification and passport data collected to the Mossos d'Esquadra, the local police force. According to an interpretation of the ruling in the Spanish version of Business Insider, AEPD seems to question whether the GSMA collected more data than it was required to.

In the February ruling, AEPD says it isn't clear whether the police required passport copies to be transferred, or if the GSMA extracted the required data from the passport copies manually. Elsewhere, it quotes MWC's privacy policy, which states that the GSMA is obligated to collect details including name, date of birth, nationality, the type and number of identification document, as well as the date of issue.

Impact assessment failure

More importantly, it seems that AEPD took issue with the data protection impact assessment conducted by the GSMA prior to implementing the facial recognition system, calling it merely nominal. According to the agency, the assessment failed to fully evaluate the risks, or the proportionality and necessity of the use of facial recognition.

Indeed, when rejecting the GSMA's appeal, AEPD noted the limited nature of the impact assessment was a key factor in the ruling.

The GSMA's appeal, meanwhile, pointed out the number of people affected was much lower than initially claimed. While, originally, the figure was expected to be close to 20,000, the GSMA says that of the 17,462 registered attendees, only 7,585 people used facial recognition technology to access the venue.

AEPD, however, notes this is still a significant number of people affected, and points to the need to use the system every time an attendee would enter the venue.

The GSMA has responded to the news and was quick to point out no data breach has occurred. It also said it "will continue to cooperate with the AEPD and is reviewing the resolution and considering options to respond."

One of these options is appealing the decision again.

Figure 2: (Source: Dean Bubley on Twitter)

Dedyukhina is not the only person unhappy with the GSMA's treatment of personal data. Dean Bubley of Disruptive Analysis has, for example, claimed MWC "has a long history of intrusive use of scanning badges & IDs to unnecessary degree" on Twitter.

This year, meanwhile, eyebrows were raised at the apparent presence of what looked like circuitry in the access badges issued by Huawei to the visitors to its booth.

Related posts:

— Tereza Krásová, Associate Editor,