Inquiry into Airbnb Ireland UC - 28 September 2023
Date of Decision: 28 September 2023
On 28 September 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (“Airbnb”), the Data Protection Commission (“the DPC”) adopted a decision.
The DPC had commenced this inquiry on 7 September 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the Complainant’s ID (“ID”) in order to verify their identity in order to complete a booking on the platform. The complainant stated that he had concerns in relation to identity theft given the volume of personal data that he was required to submit in order to complete his accommodation booking. In this particular instance the complainant stated that Airbnb would not accept his booking until he verified his identity by providing a copy of his ID in addition to a newly taken photograph to ensure that the ID related only to the person making the booking. ID submitted by the Complainant was rejected as he had redacted certain information. Ultimately however the Complainant was successfully able to verify his identity by submitting a copy of his ID with only the online access code redacted.
In a further submission the Complainant stated that Airbnb initially misunderstood what he wanted to do and thought he wanted to erase his Airbnb account. He stated that Airbnb requested another copy of ID. In addition to the complaint regarding ID verification the Complainant also wanted Airbnb to delete his ID card, both redacted and unredacted versions.
The scope of the inquiry concerned an examination and assessment of the following:
Whether Airbnb had a lawful basis for requesting a copy/copies of the Complainant’s ID and/or photograph/s in order to verify his identity, so that he could complete his booking on the platform.
Whether Airbnb complied with the principle of data minimisation when requesting an unredacted copy of the Complainant’s ID and/or photograph/s in order to verify his identity and when processing personal data relating to same processing.
Whether Airbnb had a lawful basis for retaining a copy of the Complainant’s ID after it had verified his identity.
Whether Airbnb complied with the principles of transparency and provision of information where the Complainant’s personal data was collected.
Whether Airbnb received an Article 17 erasure request from the data subject and if so, whether Airbnb’s handling of the Complainant’s erasure request complied with the GDPR and the Act.
As the processing under examination constituted “cross border “ processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of GDPR and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on Thursday 28 September 2023, records findings of infringement as follows:
Article 5(1)(c) , Article 5(1)(e) and Article 6(1)(f) of the GDPR
The DPC found that Airbnb did not validly rely on Article 6(1)(f) of the GDPR as the legal basis for processing the Complainant’s photographic ID and supplemental photographs; that Airbnb’s requirement that the Complainant verify his identity by submitting a complete and unredacted copy of his photographic ID constituted an infringement of the principle of data minimisation, pursuant to Article 5(1)(c); that by retaining, after the identity verification process was successfully completed and until 2 February 2021 a copy of the Complainant’s un-redacted ID documents, Airbnb infringed the principle of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e); by retaining, after the identity verification process was successfully completed and for the duration of the user’s account, a copy of the Complainant’s supplemental images, Airbnb infringed the principle of data minimisation and the principle of storage limitation; and that Airbnb’s processing and retention until 2 February, 2021 of identity documents that it deemed inadequate or insufficient to verify the identity of the Complainant infringed the principle of data minimisation and the principle of storage limitation.
In light of the infringements of Article 5(1)(c), Article 5(1)(e) and Article 6(1)(f) the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances.
delete from all of its systems and records the supplemental photographs that the Complainant uploaded (keeping only a record that such documentation was submitted and the date of submission). Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.
revise its internal policies and procedures to ensure that the seeking of photographic ID and supplemental photographs in the verification process for users is used only where necessary, proportionate and in accordance with the GDPR for the purpose for which the personal data is collected and processed, having regard, in particular, to Airbnb’s legal obligations and the issue of whether less privacy intrusive verification methods are available and effective. Details of compliance with this order should be provided to the DPC by Airbnb by Thursday, 21 December 2023.
For more information, you can download the full decision at this link: Inquiry into Airbnb Ireland UC - 28 September 2023 (PDF, 3mb)