Businesses can learn from Airbnb data protection reprimand

Dublin-based Andreas Carney of Pinsent Masons said businesses can learn lessons from the decision issued by the Data Protection Commission (DPC) (26-page / 6.1MB PDF), which concerned a complaint made about Airbnb’s identity verification requirements. Airbnb is an online platform that brings together people looking to book private accommodation with ‘hosts’ – people who own or manage such accommodation who are willing to rent it out.

In 2020, a complaint raised with Berlin’s data protection authority concerning ID verification on Airbnb by an Airbnb host was passed to the Irish DPC to handle. Airbnb has its European headquarters in Ireland and the DPC was therefore the lead supervisory authority for considering the case under the GDPR. The host had been an active user of Airbnb for two years and claimed Airbnb had made unnecessary requests for the submission of additional identification documentation for the purpose of verifying her identity. The host said Airbnb had made her ability to take new bookings via the platform conditional on the submission of a recent photo of herself and that Airbnb further required her to submit other ID in order to be able to list a second property she owned on the site.

In response to the request for additional ID, the host initially uploaded a copy of her expired ID via Airbnb’s online portal. However, Airbnb said that was not sufficient to enable them to verify her identity. The host subsequently uploaded a copy of her ID to the portal but obscured her photo and redacted the signature and date of birth on the document. This too was considered insufficient by Airbnb. The host complained that there were alternative, less intrusive means by which Airbnb could have verified her identity beyond needing her to upload an unredacted ID and a photo, and also took issue with the fact Airbnb retained the ID and photo she had submitted despite having rejected it as a basis for verifying her identity.

Airbnb said that that it was eventually able to successfully verify the host’s identity in this case. It defended its ID verification requirements as being vital for user safety and described its verification process as being necessary, proportionate and GDPR-compliant. It said that it also retained identity verification data for the purposes of security enhancement – including for improving its ID verification system and processes.

In assessing the complaint, the DPC considered that Airbnb had a valid lawful basis for processing the host’s photographic ID and that it had done so only after it was unsuccessful in verifying her identity using other methods. It said Airbnb did not need consent of the host to process the data – Airbnb could rely on the ‘legitimate interests’ ground for processing the data instead, the DPC said. The DPC also found that Airbnb had met its transparency obligations under the GDPR in respect of the information it needed to provide to the host about its processing of her data.

The DPC also determined that the request made by Airbnb for additional photographic ID did not breach the principle of data minimisation under the GDPR – that being, that personal data is adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

However, the DPC said Airbnb did infringe the data minimisation principle, and the GDPR’s separate storage limitation principle – which generally requires that personal data is kept for no longer than is necessary for the purposes for which the personal data are processed – by retaining the host’s ID documentation beyond the point at which the identity verification was successfully completed.

By processing and retaining partially redacted and expired ID data, which the host had provided during engagement with Airbnb prior to successful verification, Airbnb also infringed the data minimisation and storage limitation principles, the DPC said.

The DPC ordered Airbnb to bring its processing operations into compliance with the GDPR – including by deleting the data it was not permitted to hold and updating ID verification policies and procedures.

Carney said: “While this decision does not introduce new law, it does reiterate the need for controllers to think deeply about what the particular purpose is for which they are collecting data, and about the policies and procedures they need to implement to comply with the GDPR’s principles on data minimisation and storage limitation.”

“Many online platforms will require identity verification for legitimate purposes. This case shows that, subject to any specific legislative requirements that controllers are under, it is acceptable to implement an ID verification process that escalates in terms of its requirements where initial steps do not sufficiently verify a person’s identity. However, it also shows that controllers need to seek to apply the least intrusive means for verifying identity first – this will often not be the simplest or ideal mechanism from the controllers’ perspective,” he said.

“The DPC’s decision also emphasises the need for controllers to regularly vet the data they hold through a data cleansing exercise and ensure that, once data is no longer required for the purpose it is intended for, it is deleted. In the digital world, deleting data in a GDPR-compliant manner generally requires investment in robust systems, technology, and processes – and people training to underpin that,” Carney said.

“This case also provides a reminder of the risk of ‘purpose creep’, where personal data is used for purposes for which it was not originally gathered. Doing this will generally infringe the GDPR. Here, the DPC took issue with Airbnb retaining ID data for the purpose of using it as a learning tool for its own security systems,” he said.

“The DPC’s decision not to impose a fine in this case, favouring a reprimand instead, is also noteworthy. It considered that a fine would not be necessary, proportionate, or dissuasive in the circumstances. That evaluation recognises that most aspects of the complaint raised against Airbnb were dismissed and confirms that the DPC will look at such complaints holistically when deciding what enforcement action to take,” Carney said.