Anastasia Dedyukhina was going to participate in a conference at the Mobile World Congress in Barcelona in 2021: “I dedicate myself to giving talks, I am very interested in going to such a big fair.” Her physical presence is essential in her work, where her contacts lead to new opportunities. “It was still the middle of the pandemic, but I had the vaccines, everything was fixed. So they asked me for a biometric test,” she recalls. That is, they asked her to upload her passport with the photo to the system. The request was meant to let her enter the fair with facial recognition and avoid further physical contact. That was the start of a very long exchange of emails with representatives of the GSMA, the organizers of the Mobile, of consultations with lawyers and of a complaint to the Spanish Agency for Data Protection (AEPD) that has ended with a fine of 200,000 euros for the organizers of the Mobile.

Dedyukhina is a 41-year-old Russian and British citizen and digital wellbeing expert who has given TED talks. When she received that request, she went to read the fine print of the Mobile terms: “There they said that I could choose not to upload my document,” she explains, and present it in person once in Barcelona. But that year it was not allowed: the reason was covid infections, they answered, and that the Mossos, the Catalan regional police, require it.

“I did not feel comfortable, it is not because I am the great defender of privacy, just because I know the Data Protection Regulation and I know what I can ask,” she explains to EL PAÍS from her residence in London. “It deserved at least some basic explanation,” she adds. That clear explanation never came and Dedyukhina ended up participating virtually in the congress. “They never explained to me how they were going to store my information. I asked over and over again, they sent me links that didn’t work, they deleted a paragraph from their website, they edited, nothing matched. It seemed negligence, as if there was a disagreement between what they said and what was written on their website,” says Dedyukhina, who even exchanged emails with the GSMA data officer.

One of Dedyukhina’s added concerns is that servers outside the EU were allegedly going to store this data, as the AEPD resolution now says: “The SCANVIS entity, with which it has a processing order for the facial recognition system to access the headquarters, is in a country outside the EU, and GSMA has signed standard contractual clauses with SCANVIS,” the regulatory body explains. It was not clear, therefore, what happened to that information once it was uploaded. The AEPD has sanctioned GSMA for violating article 35, which provides that if data processing “involves a high risk for the rights and freedoms of individuals”, the person responsible must carry out “an impact assessment”. That report, according to the AEPD, lacked “an assessment of the necessity and proportionality of the operations.”

Following a request from this newspaper, GSMA has issued a statement in which it reiterates that the fine is due to the “GSMA’s approach to conducting a data protection impact assessment for the use of facial recognition technology at MWC 2021.” In addition, it asserts that it takes data protection “very seriously” and that it “use[s] innovative technology to provide a secure experience” to attendees. Regarding the sanction, the organization says that it will continue to cooperate with the AEPD and that it is “reviewing the resolution and considering options to respond.” The statement also states that there has never been a “data breach.”

After participating online in Mobile, Dedyukhina spoke with a lawyer friend and filed a complaint with the AEPD. “There are several problems with the MWC’s approach,” says Adam Leon Smith, a data protection expert who collaborated on the complaint. “However, the main problem was that they had not completed a sufficient risk assessment, they were not clear on important issues such as consent, and they claimed that the Mossos insisted on biometric authentication. It is unlikely that the police will ask for a specific technology,” says the lawyer.

The Data Protection Regulation relies on people filing complaints. Dedyukhina admits that her decision was somewhat easier because she is inside the sector and knows her rights better: “It was easy for me to ask and I didn’t have to pay anything, otherwise I would probably have been discouraged,” she says. “Mobile wanted a photo of my face. I refused and they have been fined 200,000 euros.” What has she actually achieved? “Well, I don’t get any of those 200,000 euros and I will have potential problems until the end of my days with Mobile, but it is a moral satisfaction, I did it for my professional integrity, because I tell people that privacy is important,” she acknowledges.

This detail is key: “The Data Protection Regulation works with complaints. People should file complaints!” stresses Smith, the lawyer. Without the efforts of citizens like Dedyukhina, these cases would not exist. At the AEPD they have found only three other recent resolutions on facial recognition in Spain: one of 2.5 million euros against Mercadona and two other minor ones. In all cases, there is a citizen or employee who raised the situation with the regulator.

“My recommendation is to at least ask questions,” sums up Dedyukhina. “That puts pressure on the company to respond. We have a kind of twisted reality where I have to prove it, when in reality they are the ones who have to do it. Asking for explanations for our biometric data should be the new normal. That is what we are letting happen by not asking,” she reasons.

A case like this has sufficient grounds for a sanction, according to Smith, but a complaint is necessary: “In this case, I expected an investigation, because the practices seemed strange and there was a company outside the EU that said on its website that it processed confidential data. The main lesson I’ve learned is that if something looks suspicious in a privacy policy, it probably is,” he adds.

