Andreas Carney

The Data Protection Commission (DPC) recently published its decision in an inquiry which followed a complaint from an Airbnb host in Berlin about the Dublin-based company’s identity verification requirements.

While finding that Airbnb had a valid lawful basis for processing the host’s photographic ID and that its request for additional photographic ID did not breach the principle of data minimisation, the DPC found Airbnb had infringed the data minimisation principle and the separate storage limitation principle by retaining the ID after verification was completed.

The DPC ordered Airbnb to bring its processing operations into compliance with the GDPR, including by deleting the data it was not permitted to hold and updating ID verification policies and procedures.

Mr Carney said: “While this decision does not introduce new law, it does reiterate the need for controllers to think deeply about what the particular purpose is for which they are collecting data, and about the policies and procedures they need to implement to comply with the GDPR’s principles on data minimisation and storage limitation.

“Many online platforms will require identity verification for legitimate purposes. This case shows that, subject to any specific legislative requirements that controllers are under, it is acceptable to implement an ID verification process that escalates in terms of its requirements where initial steps do not sufficiently verify a person’s identity.

“However, it also shows that controllers need to seek to apply the least intrusive means for verifying identity first — this will often not be the simplest or ideal mechanism from the controllers’ perspective.”

He continued: “The DPC’s decision also emphasises the need for controllers to regularly vet the data they hold through a data cleansing exercise and ensure that, once data is no longer required for the purpose it is intended for, it is deleted.

“In the digital world, deleting data in a GDPR-compliant manner generally requires investment in robust systems, technology, and processes — and people training to underpin that.

“This case also provides a reminder of the risk of ‘purpose creep’, where personal data is used for purposes for which it was not originally gathered. Doing this will generally infringe the GDPR. Here, the DPC took issue with Airbnb retaining ID data for the purpose of using it as a learning tool for its own security systems.”

Mr Carney added: “The DPC’s decision not to impose a fine in this case, favouring a reprimand instead, is also noteworthy. It considered that a fine would not be necessary, proportionate, or dissuasive in the circumstances.

“That evaluation recognises that most aspects of the complaint raised against Airbnb were dismissed and confirms that the DPC will look at such complaints holistically when deciding what enforcement action to take.”