GSMA fined €200,000 for MWC facial recognition GDPR infringement

Following a complaint over the use of facial recognition tech at MWC 2021, the Spanish data protection agency has upheld a finding against show organiser GSMA.

We know about this because one of the complainants – Dr Anastasia Dedyukhina of ‘digital wellbeing’ company Consciously Digital – publicised the ruling in a recent LinkedIn post. Dedyukhina was alarmed by the GSMA’s insistence that she upload her passport data in order to attend the 2021 Mobile World Congress event in person (as opposed to virtually). So she lodged a complaint with the Spanish data protection agency (AEPD).

“Long story short, 2 years later, AEPD recognizes GSMA, the organizers of MWC, as guilty of unjustifiably infringing on the privacy of nearly 20,000 attendees, and assigns a fine of 200K euros (not for me though ;)),” wrote Dedyukhina in her post.

She also linked to the AEPD document detailing the appeal process, which upheld the ruling made on 24 February this year. The ways in which the GSMA was found to transgress were fairly technical and concerned article 35 of GDPR, which addresses ‘data protection impact assessment’. Of particular concern was the use of data in conjunction with the BREEZ facial recognition technology used to allow touch-free access to the MWC event.

The ruling states (Google translation) the GSMA “has provided an impact assessment that was merely nominal, since it has not examined its substantive aspects, nor assessed the risks nor the proportionality and necessity of the implementation of the system, its affectation to the rights and freedoms of the interested parties and their guarantees”. It concludes that the appeal didn’t provide enough new evidence to justify a reversal of the ruling.

So it seems the GSMA is guilty primarily of being a bit sloppy in its adherence to GDPR, especially in the use of biometric data and facial recognition technology which, by itself, is not the most egregious transgression. But, as Dedyukhina indicates, it addresses broader data privacy concerns at a time when it’s increasingly difficult to do anything without leaving a digital footprint.

At the most recent MWC event Chinese kit vendor Huawei was suspected of tracking visitors to its giant stand via a device attached to the security badges they were required to carry in order to access it. Meanwhile the UK’s increasing use of live facial recognition technology continues to raise alarm at the prospect of the introduction of a Chinese-style ‘social credit’ system.

Legal measures such as GDPR can seem excessively bureaucratic but without them there are few safeguards for people’s digital privacy. Again, that might seem like a trivial matter but the amount of data a given individual generates as part of their daily lives is already huge. It’s right that personal data should be considered private property, requiring explicit consent for its use, and with the looming prospect of technologies such as CBDCs, enforcement of data privacy rights is more important than ever.


UPDATE, 14:30, 9 May 2023 – We received the following official statement from the GSMA after publication:

“The GSMA notes the recent resolution of the Spanish Data Protection Agency (the “AEPD”). The AEPD’s resolution does not relate to a data breach. There was no data breach or unauthorised access of GSMA’s systems and at no point was the personal data of attendees at MWC Barcelona 2021 compromised or misused.

“The resolution relates to the GSMA’s approach to undertaking a data protection impact assessment for the use of facial recognition technology at MWC 2021. Facial recognition was an option for attendees at MWC 2021 as part of a comprehensive health and safety programme.

“The GSMA takes data protection extremely seriously and has a robust compliance program in place to address its data protection obligations. The GSMA continuingly reviews and updates its approach to data protection, employing innovative technology to deliver a safe attendee experience.

“The GSMA will continue to cooperate with the AEPD and is reviewing the resolution and considering options to respond.”


Get the latest news straight to your inbox. Register for the newsletter here.

  • MWC19 Los Angeles

  • MWC20 Barcelona


  1. Avatar Bernardo 09/05/2023 @ 4:46 pm

    OMG that picture illustrating the article is so inappropriate!

    Anyway, let’s hope GSMA does not take issue with the Spanish bureucratic voraciousness towards other people’s money, and decides to stay in Spain.

  2. Avatar David 10/05/2023 @ 1:11 pm

    Let us also not forget that this technology was used in 2019 when, according to the GSMA itself, “more than 40 per cent of attendees used the service to enter MWC19”. That’s potentially a lot more peoples data being played fast and loose with than at MWC21.

    I wonder if the same casual regard for privacy was displayed back then too.

Leave a comment

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.