On 2 December 2024, Royal Decree 933/2021 ("Real Decreto 933/2021") officially came into effect, requiring businesses in the tourism sector to collect up to 42 pieces of information on their guests. The law has sparked widespread concerns over data protection and privacy while also imposing a significant burden on both hospitality providers and tourists, earning it the nickname “Big Brother Law.”
The decree applies to businesses such as hotels, campsites, and car rental agencies, mandating that they collect information from individuals aged 14 and older. This data includes identification, contact details, family information, payment records, device information, and activity logs. For those under the age of 14, accompanying adults must provide details about their relationship to the child. Businesses are required to upload this data to the Ses.Hospedajes system, which already holds details on over 4 million visitors, and share it with the Spanish Ministry of Interior. Non-compliance with the decree can result in fines of up to €30,000.
The government justifies the law as a necessary measure to assist Spanish security forces in combating terrorism and organized crime. Authorities argue that previous regulations failed to account for modern forms of accommodation, such as those facilitated through digital platforms, and claim that the law ensures comprehensive coverage of all tourism businesses. However, the decree has faced significant backlash.
The opposition party Partido Popular (PP) has called for the law's complete repeal, citing inadequate technology and staffing to meet the new requirements, a reduction in Spain's competitiveness as a tourist destination, and a lack of consultation with stakeholders in the sector. This criticism directly challenges the law’s preamble, which asserts that its development involved input from affected parties.
One of the most pressing concerns is the risk to personal data privacy in the event of cyberattacks, raising questions about Spain’s compliance with the EU's General Data Protection Regulation (GDPR). Personal data, defined as any information related to an identified or identifiable person, could be vulnerable under the decree's extensive data collection requirements. The Spanish hotel association CEHAT has launched a legal challenge, arguing that the law poses an unacceptable threat to privacy and imposes unreasonable obligations on businesses. In response, the Home Office has defended the decree on the grounds of public security, an area of law that remains under the jurisdiction of individual EU Member States.
Although the law has been implemented, it continues to attract overwhelming criticism from those operating in the tourism sector. The implications of such broad data collection on privacy protection remain a significant and unresolved issue, leaving many stakeholders uncertain about the long-term impact of the decree.
References and Further Reading:
“El registro de viajeros ya está en vigor: conservar datos sensibles durante tres años pone en jaque la privacidad”(El Pais)
BOE-A-2021-17461/ “Real Decreto 933/2021” (BOE)
Article 4 GDPR on ‘Personal Data’
Comments