The organization behind the telecom trade fair Mobile World Congress has received a GDPR fine of 200,000 euros for using facial recognition in 2021. The Spanish privacy authority believes that the data protection impact assessment carried out was insufficient.
Organizer GSMA first used the facial recognition software Breez in 2021 to verify the identity of visitors. Using Breez was optional for visitors; they could also choose to show their ID to MWC personnel. To be able to use facial recognition, GSMA carried out a data protection impact assessment, which the GDPR requires in order to identify the risks and the necessity of the processing.
TechCrunch writes that, according to the Spanish privacy authority AEPD, that assessment was insufficient. According to the AEPD, the necessity and proportionality of facial recognition were not researched enough, and the security risks were not sufficiently mapped either. The organization can still appeal against the fine. Breez was used by 7,585 of 17,462 visitors, according to the GSMA. The rest therefore opted to have their identity documents checked manually. There was also a virtual version without identity checks.
MWC speaker Anastasia Dedyukhina filed the complaint with the Spanish privacy authority, as she writes on LinkedIn. The digital wellbeing speaker was dissatisfied with GSMA's way of doing things, because she was required to upload her ID even if she didn't want to use Breez. Dedyukhina chose to attend the fair virtually. GSMA has continued to use facial recognition or manual identity checks at the past two MWC editions. It's not clear whether GSMA wants to stop using Breez or improve its assessment.