Airbnb Ireland UC – Complaint Upheld (Ireland, 2022)

This case concerns two requests from an Airbnb customer (the data subject) to Airbnb Ireland UC (the controller); an access request under Article 15 GDPR and an erasure request under Article 17 GDPR. Regarding the erasure request specifically, when the complainant submitted the request on 17 August 2019, they were asked to verify their identity by providing a copy of their photographic ID. After the complainant refused to provide a copy of their ID, the controller offered them the alternative option of logging into their account to verify their identity. Once the complainant had logged in to confirm their identity, Airbnb advised them that it had initiated their request and, on 24 October 2019, confirmed that the relevant data had been deleted. The complainant raised a number of issues regarding the handling of their requests by Airbnb. Firstly, there was no lawful basis for requesting a copy of the complainant’s ID for the right to erasure request. Secondly, the complainant alleged that Airbnb failed to properly respond to the erasure request. Thirdly, the controller failed to respond to the access request. The complaint was originally filed with the Berlin DPA, who referred the case to the Irish DPA under article 56 GDPR, and in accordance with the procedure outlined in Article 60 GDPR. Responding to the first issue (lawfulness of ID request), Airbnb initially noted that merely a “request” to provide ID cannot be considered “processing” within the meaning of Article 4(2) GDPR, as “receipt of or access to” the relevant personal data is required. Furthermore, Airbnb stated that its identity verification procedures are in place to protect the Airbnb platform and its users, in doing so they stressed the risk of fraudulent activity, and stated there is evidence that bad actors use GDPR requests to do harm, deceiving the platform and its users. As such, photo ID verification is a reliable form of proof of identity and a secure authentication method to combat these risk