Article 60 decision concerning Airbnb Ireland UC — Delayed response to an Access Request and an Erasure Request
A complaint was lodged with the Berlin Commissioner for Data Protection and Freedom of Information (“Berlin DPA”) against Airbnb Ireland UC (“Airbnb”) and was thereafter transferred to the DPC to be handled in its role as lead supervisory authority.
The complainant alleged that Airbnb failed to comply with an erasure request and a subsequent access request they had submitted to it within the statutory timeframe. Further, the complainant stated that when they submitted their request for erasure, Airbnb requested that they verify their identity by providing a photocopy of their identity document (“ID”), which they had not previously provided to Airbnb.
The DPC initially attempted to resolve this complaint amicably by means of its complaint handling process. However, those efforts failed to secure an amicable resolution and the case was opened for further inquiry. The issues for examination and determination by the DPC’s inquiry were as follows: (i) whether Airbnb had a lawful basis for requesting a copy of the complainant’s ID where they had submitted an erasure request, pursuant to Article 17 GDPR, (ii) whether Airbnb’s handling of the said erasure request was compliant with the GDPR and Data Protection Act 2018 and (iii) whether Airbnb’s handling of the complainant’s access request was compliant with the GDPR and Data Protection Act 2018.
Airbnb responded to the complainant’s allegations, justifying its request for photographic ID given the adverse effects that would flow from a wrongful deletion of an account. Airbnb highlighted that fraudulent deletion of an Airbnb account can lead to significant real-world harm including, in the case of hosts, economic harm through cancelled bookings and loss of goodwill built up in the account and, in the case of guests, the potential loss of accommodation while travelling abroad. Airbnb stated that these are not trivial risks and appropriate steps must be taken to address them. It further stated that the provision of an ID document to authenticate an erasure request is a reliable proof of identification and that it does not place a disproportionate burden on the individual making the erasure request. It posited that photographic identity can be considered to be an evidential bridge between an online and an offline identity.
Airbnb ultimately complied with the complainant’s erasure request, validating their identity by providing them with the option of logging into their account to verify their identity, without the necessity to provide ID. Following intervention by the DPC, Airbnb complied with the complainant’s access request. Having completed its inquiry, on 14 September 2022, the DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In its decision, the Data Protection Commission found that the data controller, Airbnb Ireland UC, infringed the General Data Protection Regulation as follows:
Article 5(1)(c) of the GDPR
The DPC found that Airbnb’s requirement that the complainant verify their identity by way of submission of a copy of their photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR. This infringement occurred in circumstances where less data-driven solutions to the question of identity verification were available to Airbnb;
Article 6(1) of the GDPR
The DPC found that, in the specific circumstances of this complaint, the legitimate interest pursued by the controller did not constitute a valid lawful basis under Article 6 of the GDPR for seeking a copy of the complainant’s photographic ID in order to process their erasure request; and
Article 12(3) of the GDPR
The DPC found that Airbnb infringed Article 12(3) of the GDPR with respect to its handling of the complainant’s access request. This infringement occurred when Airbnb failed to provide the complainant with information on the action taken on their request within one month of the receipt of the access request.
In light of the extent of the infringements, the DPC issued a reprimand to Airbnb Ireland UC, pursuant to Article 58(2)(b) of the GDPR. Further, the DPC ordered Airbnb Ireland UC, pursuant to Article 58(2)(d), to revise its internal policies and procedures for handling erasure requests to ensure that data subjects are no longer required to provide a copy of photographic ID when making data erasure requests, unless it can demonstrate a legal basis for doing so. The DPC ordered that Airbnb Ireland UC provide details of its revised internal policies and procedures to the DPC by 4 November 2022. Airbnb complied with this order by the set deadline.