Airport operator to appeal 10-million-euro facial recognition fine imposed by data protection agency in Spain

Spain's main airport operator Aena will appeal in court against the 10-million-euro fine imposed by the Spanish data protection agency (AEPD) for its biometric boarding system, considering it "disproportionate" and claiming there has been no security or data breach "at any time".

The data watchdog argues that Aena has deployed facial recognition systems - a high-risk processing of special category data - without a formal data protection impact assessment (DPIA) that must be done to meet the criteria of necessity, suitability and proportionality.

In a statement issued on Tuesday, Aena insists that there has been no leak of user data from the various biometric boarding programmes deployed at the operator's network of airports across Spain, with data security, it affirms, "not being at risk at any time".

The AEPD's fine is based on the alleged failure to comply with formal requirements in the DPIA, although Aena disagrees with this assessment and maintains that users gave their informed consent.

The sanction imposed on Aena is based, according to the company, on the alleged breach of a formal obligation: the failure to properly carry out a data protection impact assessment that met all regulatory requirements.

Aena, however, maintains that the impact assessments were indeed carried out prior to starting to use the biometric access programmes and, therefore, "respectfully disagrees" with AEPD's assessment that they did not adequately meet the requirements.

For this reason, also because it believes the decision is not in accordance with the principle of proportionality, the airport operator has confirmed that it will appeal the decision in court.

In its statement, Aena insisted that its biometric programme has guaranteed the privacy and security of users at all times. The company has stressed that there has been no data breach affecting users of the various biometric programmes deployed across the airport network in Spain, nor a breach of any third-party data.

"The security of this data has not been at risk at any time," asserts the airport operator.

Furthermore, Aena reiterates that the processing of biometric data was carried out after obtaining the informed and voluntary consent of passengers and that such data has been subject to the retention, blocking and deletion procedures set out in the current regulations.

The airport operator concludes that it will continue to work on streamlining passenger documentation processes in order to restart the biometric boarding programme "as soon as possible".

The AEPD has fined Aena 10,043,002 euros for failing to comply with article 35 of Spain's general data protection regulations (GDPR) in the implementation of its facial recognition system at its airports.

The resolution imposing the fine states that Aena failed to conduct a valid data protection impact assessment prior to the processing, nor did it justify the necessity and proportionality of using biometric data for passenger identification.

The system, designed to expedite passenger transit and improve security, processed special category biometric data, such as facial patterns, along with other personal data.

The AEPD determined that the processing did not comply with the principles of necessity and proportionality, as less intrusive alternatives existed to achieve the same objectives. In addition, deficiencies were identified in the risk management and security measures adopted.

The fine includes the temporary suspension of biometric data processing until Aena carries out a proper impact assessment. The resolution will also be published in the official state gazette (BOE), given that the fine exceeds one million euros.