Guest registration controversy in Spain

November 6, 2024

This situation will be very familiar to readers; we've all experienced it. You arrive at a hotel or tourist accommodation and present your ID so they can collect the necessary information to register travelers. Nowadays, with the internet and the diversification of the tourism sector—empty receptions and portals with access codes—the procedure can be carried out in many ways, even online through data requests via messaging apps like WhatsApp.

In my case, I've always felt uncomfortable providing this personal information online. I've even generated specific images of my national ID, often rejected by the property owner, that hide data that, in my view, is not necessary for the purpose of registration.

In this article, we'll analyze a new controversy surrounding a legislative twist that could imply greater exposure in terms of privacy and an increased administrative burden for accommodations and individuals offering these services, all in the name of greater protection and operational capacity for national security.

Achieving a balance between security and privacy is a very difficult target to hit.

What is the origin of the controversy?

Until now, the regulation governing these guest registrations dated back to 2003 and included a set of 14 data points such as the type and number of identity document, date of birth, full name, date of entry, etc.

The new regulation, whose implementation date has been postponed until December 2, 2024, considerably increases the data to 42 pieces of information that must be collected by owners of tourism-oriented accommodations.

It now becomes necessary to register personal data such as current address, email, contact mobile number, the payment method used for the accommodation, or the relationship to minors under 14 if they are also included among the travelers.

Why are these changes being made?

The reasons stated by the Ministry of Interior to justify the need for this new registry are outlined in the regulation itself: Currently, the greatest threats to public safety are posed by both terrorist activity and organized crime, both of a marked transnational character.

In both cases, lodging logistics and motor vehicle acquisition or use play a special role in criminals' modus operandi. Their hiring is done today through countless means, including telematics, which provides greater privacy in these transactions.

This data must be provided through an online platform called SES Hospedajes, created for this purpose by the Ministry of Interior. However, both privacy and data protection experts and significant members of the hospitality sector express concern about the implementation of this new regulation.

The hospitality sector has expressed its disagreement. It believes the regulation notably increases the administrative burden and slows down check-in processes at accommodations, particularly for small businesses or individuals providing these services, directly impacting customer satisfaction.

From a privacy perspective, experts such as Borja Adsuara, a professor and lawyer in Digital Law, have voiced concern and consider the increase in, and nature of, the data requested by the upcoming regulation (which will come into effect this December) to be disproportionate to the intended purpose.

The interconnection with state security and law enforcement databases must have proper authorization.

Protection of personal information

The Spanish Data Protection Agency has issued a technical report on the impact of the new royal decree, and we strongly encourage reading it in full.

Some conclusions can be drawn:

  • The agency recommends an "impact assessment on data protection of the collection and communication described" to ensure compliance with the principle of data minimization under the personal data protection regulation.
  • The agency highlights that there are European directives yet to be transposed in Spain regarding the processing of personal data for the purposes of prevention, investigation, detection, or prosecution of criminal offenses, which, it warns, may render the provisions mentioned in the new royal decree meaningless.
  • The agency mentions that it sees the need to clarify who exactly are the competent authorities to receive information and questions the need to include the Ombudsman in general, given its purpose.
  • The agency adds that it will be necessary to have due legitimacy for the interconnection with state security forces' databases to take place within the scope of a specific investigation.

Conclusions

The balance between security and privacy is a very difficult target to hit; there will always be reasons to justify one position or the other.

Regarding the specific topic of this article, in my opinion, and agreeing with the Spanish Data Protection Agency's analysis, it is necessary to clarify and ensure compliance with the principles of data minimization and adequacy to the purpose of data processing, and to conduct a detailed and rigorous impact analysis that ensures national security, but without risking, beyond what is strictly necessary, the privacy of individuals and citizens.

On the other hand, the use of an online platform for submitting information, while it may facilitate implementation and usability, can also, in my view, generate transcription errors or a greater exposure of an "attractive" asset for cybercriminals, such as a database with sensitive and relevant information.

With the increase in cyberattacks and leaks of confidential information, these databases or files must be hardened with the utmost care, following basic security principles such as zero trust, least privilege, and strict access control.

We conclude with a reflection from Edward Snowden:

Arguing that you don’t care about privacy because you have nothing to hide is like arguing that you don’t care about free speech because you have nothing to say.
