AENA under criticism: €10 million fine for facial recognition at Palma airport – a reality check

AENA under criticism: €10 million fine for facial recognition at Palma airport

Key question

How could it come to pass that a major airport operator used biometric facial recognition without a valid Data Protection Impact Assessment (DPIA), and what are the consequences of the AEPD's decision for travelers at Palma airport?

The facts in brief

The Spanish data protection authority AEPD has imposed a fine of more than ten million euros on AENA and temporarily halted the processing of biometric data. AENA has announced it will appeal the decision and insists there was no data breach. According to the company, the systems were intended to speed up the boarding process for voluntary users.

Critical analysis

This is not merely a bureaucratic act between a regulator and a corporation. It concerns principles that have been clear since the EU General Data Protection Regulation: biometric data are considered especially sensitive, and their processing generally requires a thorough Data Protection Impact Assessment (DPIA). Without this, the legal risks are high. For a significant service provider like AENA, one must ask where oversight failed. Were legal hurdles deliberately underestimated, or did operational pressure to speed up processes drive the decision? Either scenario reveals something different: organizational negligence or a prioritization that places efficiency above protection.

What is missing from public discourse

The public debate often focuses on “convenience”: faster through checks, less waiting. Rarely discussed in concrete terms are questions such as how long biometric data are stored, who has access, which third-party providers are involved, and how a system error concretely affects an individual traveler. Equally rarely is the question asked of how voluntary “voluntary” really is when travelers facing long queues are implicitly pressured to accept the technology.

Everyday scene in Palma

Imagine a windy morning at Palma airport. Rolling suitcases at Gate B12, announcements with poor acoustics, a coffee machine that again grudgingly dispenses an espresso. An elderly couple stands perplexed before signs reading: “Biometric boarding – voluntary.” Next to them a young businessman rushes past the queues because he used the service. This scene illustrates how technology can lead to unevenly distributed advantages: for some it saves time, for others it creates uncertainty.

Concrete solutions

1. Tighten transparency obligations: Operators must clearly and publicly disclose before deployment which data are collected, how long they are stored and who has access. This information should be online and clearly visible at the terminal.
2. Effective DPIAs and independent audits: DPIAs must not be handled internally in a single department; they require independent reviews and regular follow-up checks.
3. Genuine opt-in instead of hidden coercion: Voluntariness must not be undermined by longer waiting times. Separate, equivalent routes without biometric checks must be guaranteed.
4. Strengthen local oversight and complaint channels: Travelers in Palma should have simple, fast reporting channels – for example, a help desk in the terminal or a clearly visible supervision hotline number.
5. Technical minimization: Process only the absolutely necessary biometric feature, enforce short retention periods, encrypt data and implement clear deletion routines.

What travelers should watch for

If you are traveling through Palma airport: look carefully before consenting. Ask how long the photo will be stored, whether third parties have access and what alternative is offered. If you feel uncomfortable, insist on your rights – even if that means waiting a bit longer.

Concise conclusion

The AEPD's decision is a wake-up call. Technology must not be introduced at the expense of rights and transparency. For Mallorca this means: we benefit from modern service only if it is organized lawfully and fairly. AENA may appeal, but the real debate should not end in court; it should take place at the gate – visible, loud and with real alternatives for all travelers.