The blow dealt by the Spanish Data Protection Agency (AEPD) to the airport operator Aena, with a fine of 10 million euros for the use of biometric traveler identification systems in eight airports without a correct data protection impact assessment, as required by law, will open an imminent confrontation in court.
The company dependent on the Ministry of Transport has shown total opposition to the sanctioning resolution which penalizes its most advanced passenger boarding program. A few minutes after learning the conclusions of the dossier and the AEPD fine, Aena announced that there would be an appeal in court. In an attempt to contain the tone, the public company speaks of “respectful disagreement” for both reasons of substance and form.
Aena also said that the fine, the same amount as the one received by Google in 2022 for practices such as transferring personal data to third parties without legitimacy, “does not comply with the principle of proportionality”.
The AEPD bases its sanction on the fact that Aena did not adequately comply with the obligation to prepare the aforementioned data protection impact assessment, as required by data protection legislation. An extreme that Aena defines as a “formal obligation”, as well as underlining that the transition to facial recognition systems is voluntary, subject to informed consent, for travellers.
The operator of the public airport network claims to have prepared the assessments before launching biometric identification programs to access aircraft, and does not agree that it did so in violation of the requirements contained in the standard. It will also defend that at no time has there been a security breach or leak of user data. “The custody of the data was not put at risk at any time,” states the company chaired by Mauirici Lucena.
Among the various technical clarifications, Aena specifies that the biometric information of travelers who use facial recognition stations undergo the conservation, blocking and deletion processing provided for by the Organic Law on the Protection of Personal Data and by the Regulation of the European Parliament and of the Council, of 27 April 2016, relating to the protection of natural persons with regard to the processing of personal data.
More than five years after implementation at Meorca and Madrid-Barajas airports, and with four years of experience since the system began to be tested at Barcelona-El Prat airport, Aena recalls that its objective and that of the participating airlines was “to provide passengers with a better experience at airports by simplifying the passage through documentation processes”. With the program frozen, the company says it is working to restart it “as soon as possible.”
Recognition stations based on facial characteristics track the transit of airport users without any physical documentation. The traveler will no longer have to carry their boarding pass or identification documentation with them. Technology companies such as Thales, IECISA and Gunnebo were behind the system.
(Article in progress. There will be expansion)
