Inquiry into Airbnb Ireland UC - July 2023
Date of Decision: 20 July 2023
On 20 July 2023, following an inquiry, the Data Protection Commission (DPC) adopted a decision to exercise corrective powers on Airbnb Ireland UC (Airbnb).
The DPC commenced this inquiry on 22 December 2022, on foot of a complaint that Airbnb failed to comply with an access request and subsequent erasure request within the statutory timeframe and, further, that when the Complainant submitted their access and erasure requests, Airbnb requested that they verify their identity by providing a photocopy of their identity document (ID), which they had not previously provided to Airbnb.
The scope of the inquiry concerned an examination and assessment of the following:
1) Whether Airbnb’s provision of the personal data and information concerning the processing of that personal data in response to the Complainant’s access request was compliant with the GDPR and the Data Protection Act 2018.
2) Whether Airbnb’s handling of the Complainant’s access request was compliant with the GDPR and the Act insofar as the information provided to the Complainant was in a concise, transparent, intelligible and easily accessible form using clear and plain language as specified by Article 12(1) of the GDPR.
3) Whether Airbnb’s handling of the Complainant’s erasure request was compliant with the GDPR and the Act.
4(a) Whether Airbnb had a lawful basis for requesting a copy of the Complainant’s ID, and upon their refusal to provide same, whether Airbnb had a lawful basis to thereafter request a telephone call in order to verify the Complainant’s identity in circumstances where he had submitted a request for access and erasure pursuant to Articles 15 and 17 GDPR; and
4(b) Whether Airbnb’s obligation to provide information on action taken in response to the access and erasure requests without undue delay pursuant to Article 12(3) GDPR was suspended until after the verification of the Complainant’s identity by phone call.
As the processing under examination constituted “cross border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the GDPR. Pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion.
As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR.
The DPC adopted its decision in respect of this Complaint in accordance with Article 60(7) of the GDPR. The decision, which was adopted on 20 July 2023, records findings of infringement as follows:
- Article 5(1)(c) of the GDPR
The DPC finds that Airbnb’s request that the Complainant verify their identity by way of submission of a copy of their ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c) of the GDPR. This infringement occurred in circumstances where less data-driven solutions to the question of identity verification were available to Airbnb.
- Article 6(1)(f) of the GDPR
The DPC finds that, in the specific circumstances of this Complaint, the legitimate interest pursued by Airbnb did not constitute a valid lawful basis under Article 6(1)(f) of the GDPR for seeking a copy of the Complainant’s ID in order to process the Complainant’s access and erasure requests.
- Article 15(1) of the GDPR
The DPC finds that Airbnb infringed Article 15(1) of the GDPR at the time of first processing the Complainant’s access request by not providing the Complainant with access to all of their personal data that was being processed by Airbnb on the date of receipt of their access request.
- Article 12(1) of the GDPR
The DPC finds that Airbnb infringed Article 12(1) of the GDPR at the time of first processing the Complainant’s access request by failing to provide the Complainant with an access file that was of a concise, transparent, intelligible and easily accessible form.
- Article 12(3) of the GDPR
The DPC finds that Airbnb failed to provide information to the Complainant on the actions taken on their access and erasure requests within one month of receipt of the requests and therefore failed in its obligations under Article 12(3) of the GDPR.
Corrective Powers Exercised:
- An order for Airbnb to revise its internal policies and procedures as regards the default position to provide a cover email in English when a data protection rights request is received outside the privacy portal.
- A reprimand to Airbnb Ireland UC pursuant to Article 58(2)(b) of the GDPR.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - July 2023 (PDF, 4.5mb).