If You Stay at a Hotel in Spain, the Government Will Know Your Data

  • Starting in December, a new Royal Decree will come into effect.
  • Hotels and platforms like Airbnb will be required to collect up to 42 different personal data points.
  • Data protection experts agree that it is disproportionate.

On December 2nd, a new Royal Decree 933/2021 will come into force. This new law, approved by the Ministry of the Interior, introduces new obligations when staying at a hotel. Among them, you will be required to provide up to 18 additional personal data points. This is a significant change regarding privacy because where only a few specific data were shared before, now they will know everything from your mobile number to the expiration date of your payment card.

Terrorism as an Excuse to Invade Privacy

Terrorism as an Excuse to Invade Privacy

According to the decree published in the Spanish government’s official gazette (BOE): “the greatest threats to public security are caused by terrorist activity and organized crime.”

Due to this threat, the Ministry of the Interior approved a law last year that requires hotels, travel agencies, car rental companies, and platforms like Airbnb to collect a wide range of new data and share them directly with the State Secretariat for Security, beyond just the police.

Up to 42 Data Points When Staying

According to Annex 1 of the Royal Decree, travelers will now be required to provide up to 42 different data points, compared to the 14 data required under the previous legislation from 2003.

For example, while until now only your ID and date of birth were required, you will now also need to provide your place of residence, mobile and landline phone numbers, email, and the relationship between travelers in the case of minors.

Additionally, details of the accommodation and payment information, including the cardholder and the card’s expiration date, will be collected.

What the Spanish Data Protection Agency (AEPD) Says

Such a large data request cannot be properly implemented without the involvement of the Spanish Data Protection Agency (AEPD). The Royal Decree confirms that it has obtained the necessary technical report from the AEPD.

The AEPD states that “it will be necessary to ensure proper legal justification for such data sharing, particularly within the scope of a specific investigation.”

Disproportionate

In response to Xataka, Borja Adsuara, a professor and lawyer specializing in Digital Law, explains that “data sharing with other police forces should only happen in the investigation of a specific case. It is not permissible to share all our data. That’s what the AEPD says.” In other words, the Ministry of the Interior is requesting a large amount of data as a baseline, which would only be justified in specific cases.

“I believe that the data being requested is disproportionate to the intended purpose. If the goal of the Royal Decree is to fight terrorism and transnational organized crime, why are these data being requested from Spanish citizens?” questions Adsuara.

Spain’s Government Shows a Continued Disregard for Privacy

This massive data collection when staying in accommodations, which will start being requested in December, is unprecedented in Europe. No other European Union country asks for such an extensive amount of data from travelers.

The Ministry of the Interior, led by Grande-Marlaska, once again prioritizes security far above the privacy of citizens. The arguments are similar to the Chat Control case, where, in an effort to combat child sexual abuse, it was proposed to break the encryption of conversations. In this case, the fight against terrorism is being used as justification for an enormous data collection request that experts clearly argue is unjustified.

Leave a Reply

Your email address will not be published. Required fields are marked *