Inquiry concerning Airbnb Ireland UC - June 2023
Date of Decision: 21 June 2023
On 21 June 2023, following an inquiry concerning a complaint received against Airbnb Ireland UC (Airbnb), the Data Protection Commission (DPC) adopted a decision.
The DPC commenced this inquiry on 4 March 2022, on foot of a complaint that Airbnb had unlawfully requested a copy of the complainant’s ID (ID) in order to verify their identity which had not been previously requested by Airbnb. The complainant further contended that this went against the principles of data minimisation and that Airbnb had also failed to comply with the principles of transparency and provision of information. Initial attempts by the complainant to verify their identity had been rejected by Airbnb as the ID provided did not meet their criteria. Ultimately the complainant verified their identity.
The scope of the inquiry concerned an examination and assessment of the following:
- Whether Airbnb had a lawful basis for processing a copy/copies of the complainant’s ID and/or photograph(s) in order to verify their identity, in particular in circumstances where they, as a registered member/host with Airbnb, had not previously provided their ID to Airbnb.
- Whether Airbnb complied with the principle of data minimisation when requesting a copy of the Complainant’s ID and/or photograph(s) in order to verify their account and when processing data relating to same.
- Whether Airbnb complied with the conditions for consent by making the complainant’s continued use of/access to their account and the service conditional on the complainant submitting their ID and/or photograph(s) in order to verify their identity and the processing of this personal data.
- Whether Airbnb complied with principles of transparency and provision of information where the complainant’s personal data was collected.
As the processing under examination constituted “cross-border” processing, the DPC’s decision was subject to the cooperation and consistency mechanism outlined in Article 60 of the General Data Protection Regulation (GDPR) and pursuant to Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinion. As the DPC received no relevant and reasoned objections to the draft decision from the supervisory authorities concerned within the statutory period, the supervisory authorities concerned were deemed to be in agreement with the draft decision of the DPC and are bound by it in accordance with Article 60(6) of the GDPR. The DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR.
The decision, which was adopted on Wednesday, 21 June 2023, records findings of infringement as follows:
- Article 5(1)(c) and Article 5(1)(e) of the GDPR
The DPC found that Airbnb’s retention of a copy of the complainant’s identity documentation following the successful completion of the identity verification process infringed the principles of data minimisation in Article 5 (1)(c) and the principle of storage limitation in Article 5(1)(e). Furthermore, the DPC found that the continued processing and retention of partially redacted and out-of-date identity documents that had been deemed inadequate or insufficient to verify the identity of the complainant infringed the principle of data minimisation that is set out in Article 5(1)(c) and the principle of storage limitation that is set out in Article 5(1)(e).
Following consultation with the supervisory authorities concerned, the DPC adopted its decision in respect of this complaint in accordance with Article 60(7) of the GDPR. In light of the infringements of Article 5(1)(c) and Article 5(1)(e), the DPC issued a reprimand to Airbnb pursuant to Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb pursuant to Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements occurring with regard to data subjects in the future in similar circumstances:
- Delete from all of its systems and records the redacted and out-of-date copies of the complainant’s identity documents that the complainant attempted to upload.
- Delete from all of its systems and records the identity documents that the complainant uploaded (keeping only a record that such documentation was submitted as well as the date of submission).
- Subject to compliance with EU and Member State law, revise its internal policies and procedures concerning user identity verification to ensure that (i) once the identity of data subjects has been verified to Airbnb’s satisfaction, Airbnb discontinues the practice of retaining improperly redacted and/or out-of-date identity documents that may be submitted by data subjects as part of the identity verification process, and (ii) the period for which valid or fraudulent/illegitimate identification documents (which includes identification documents validly redacted in accordance with laws which require certain redactions) submitted by data subjects as part of the identity verification process are stored is limited to a strict minimum (in accordance with Recital 39 of the GDPR).
For more information, you can download the full decision - Inquiry concerning Airbnb Ireland UC - June 2023 (PDF, 6.24mb).