The Irish Data Protection Commission has adopted its decision in an inquiry concerning Airbnb Ireland UC.
The DPC started the investigation on 4 March 2022, following a complaint that Airbnb had unlawfully requested a copy of the complainant’s ID to verify their identity which had not been previously requested by Airbnb. The complainant argued that this also breached the principles of data minimisation and that Airbnb had also failed to comply with the principles of transparency and provision of information. Initial attempts by the complainant to verify their identity had been rejected by Airbnb as the ID provided did not meet their criteria. Ultimately the complainant verified their identity.
The inquiry considered if Airbnb:
- Had a lawful basis for processing the complainant’s ID and/or photograph(s) to verify their identity, in particular in circumstances where they, as a registered member/host with Airbnb, had not previously provided their ID to Airbnb.
- Complied with the principle of data minimisation when requesting a copy of the complainant’s ID and/or photograph(s) to verify their account and when processing data related to that verification.
- Complied with the conditions for consent by making the complainant’s continued use of/access to their account and the service conditional on the complainant submitting their ID and/or photograph(s) to verify their identity and the processing of this personal data.
- Complied with principles of transparency and provision of information where the complainant’s personal data was collected.
As the processing was cross-border, the DPC’s decision was subject to the cooperation and consistency mechanism in Article 60 of the GDPR. Under Article 60(3) of the GDPR, the DPC submitted its draft decision to the supervisory authorities concerned for their opinions. The DPC received no objection.
The DPC found that Airbnb’s retention of a copy of the complainant’s identity verification process infringed the principles of data minimisation in Article 5(1)(c) and the principle of storage limitation in Article 5(1)(e). Furthermore, the DPC found that the continued processing and retention of partially redacted and out-of-date identity documents that had been deemed inadequate or insufficient to verify the identity of the complainant infringed the principles of data minimisation and storage limitation.
The DPC issued a reprimand to Airbnb under Article 58(2)(b) of the GDPR. In addition, the DPC made the following orders against Airbnb under Article 58(2)(d) to remedy the infringements identified in this case and to prevent similar infringements:
- Delete from its systems and records the redacted and out-of-date copies of the complainant’s identity documents that the complainant attempted to upload.
- Delete from its systems and records the identity documents that the complainant uploaded (keeping only a record that such documentation was submitted as well as the data of submission).
- Subject to compliance with EU and member state law, revise its internal policies and procedures concerning user identity verification to ensure that (i) once the identity of data subjects has been verified to Airbnb’s satisfaction, Airbnb discontinues the practice of retaining improperly redacted and/or out-of-date identity documents that may be submitted by data subjects as part of the identity verification process, and (ii) the period for which valid or fraudulent/illegitimate identification documents (which includes identification documents validly redacted in accordance with laws which require certain redactions) submitted by data subjects as part of the identity verification process are stored is limited to a strict minimum (in accordance with Recital 39 of the GDPR).