The Spanish Data Protection Agency has imposed on Aena the largest technological sanction in Spain. This is not a security or data leak problem, but rather having deployed a “high-risk” technology for fundamental rights without demonstrating that it was really necessary.
The supervisor has also ordered the immediate suspension of all facial recognition at airports until the deficiencies are corrected.
What has happened. The fine of 10,043,002 euros specifically punishes the lack of a valid Impact Assessment before processing biometric data of more than 62,000 passengers.
The resolution, dated November 6 but known now, details that Aena continued with the system despite having received two previous unfavorable reports from the Agency itself during the consultation phase.
The core of the infringement. The problem is not using biometrics, but how the system architecture was designed:
- Aena opted for a “one-to-many identification” model with centralized storage.
- This means that the passenger’s face was not only checked against their documentation at the time of screening, but was stored in a central database for up to two years.
- The regulator considers that there were much less intrusive alternatives to achieve the same objective of speeding up boarding. For example, local biometric authentication or simply the traditional visual verification system that has worked for decades.
Between the lines. The AEPD challenges the premise that the “user experience” justifies any technological deployment. In its resolution, the body headed by Lorenzo Cotino describes Aena’s lack of diligence as “serious” and emphasizes that the company was fully aware that its program involved special category and high-risk treatment.
The system worked at eight airports:
- Madrid-Barajas.
- Barcelona-El Prat.
- Alicante.
- Gran Canaria.
- Tenerife-North.
- Palma de Mallorca.
- Minorca.
- Ibiza.
Going through biometric controls was voluntary and coexisted with traditional documentary controls, which will continue to operate as before.
Aena’s response. The airport manager has announced that it will appeal the sanction before the courtsexpressing his “respectful disagreement.”
- It maintains that the passengers gave their consent voluntarily and that the security of the data was never compromised.
- “There has been no security breach and, therefore, there has been no data leak,” the company stressed.
Aena describes the sanction as “disproportionate” and argues that it is based on an “alleged violation of a formal obligation.” However, in the field of data protection, consent does not validate processing if it is disproportionate or unnecessary from its design.
Yes, but. The suspension dictated by the AEPD will not affect flight operations. It will remain in place until Aena carries out a risk assessment that truly considers the dangers to the rights and freedoms of travelers. The company has assured that it will work to restart the program “as soon as possible.”
In Xataka | “We have not done it well”: the DGT assumes that something has failed in the arrival of the V-16 beacons
Featured image | Aena
GIPHY App Key not set. Please check settings