AirBnB ignores the GDPR, and the Irish DPC is a fig leaf

A couple of weeks ago, I decided to delete my AirBnB account. I had only used it two times in some years anyway and – while their platform is certainly comfortable to use – I prefer not to externalize my cost of traveling to those who need a place to live in, as I do in my own hometown. Turns out, deleting your account is easier said than done. While I was writing this article, I even found out that I had already tried to delete my account a year ago without success.

So what happened? The account deletion procedure is quite straightforward: You log into your account, after a while you find the form to delete it, verify yourself with a code sent to your phone, and that is it. Some dark patterns trying to make you “deactivate” your account, which pretty much doesn’t do anything at all, but we’re used to that, right?

Except, a while after I did this, I received an email:

We understand that you would like to exercise one of your data rights, namely the right of erasure. Airbnb is required to verify that the person making the request is the data subject entitled to the information being requested. […]

We kindly ask you to send us both of the following:

  • A re-statement of your request
  • A photocopy of a valid official government ID such as your driver’s license or passport to validate your identity and to facilitate your request

In other words: Thanks for your request. How about you ask us again? Further, your email, password, and the code sent to your phone certainly enable you to spend your money here, but our login system is not secure enough to authorize a deletion of your data.

Well, slightly annoyed, I repeated my request, mentioning that I verified three factors (Email+Password/Phone number/Ownership of email) to authorize my request now. The GDPR was on my side, since Art. 17 defines the right to erasure. While Art. 12(6) reads “[…] where the controller has reasonable doubts concerning the identity of the natural person making the request referred to in Articles 15 to 21, the controller may request the provision of additional information necessary to confirm the identity of the data subject.”, I don’t see any way in which my identity could have been reasonably doubted at this point.

Long story short, what followed was 10 more emails full of customer service bullshit, a mail to the Irish Data Protection Commission (DPC), and finally, three weeks after my initial request – and without me uploading my passport:

We understand that you would like to delete all of your personal data. Please understand that this means that we will no longer be able to provide our services to you.

As you have provided us with sufficient information to prove your identity, we’ve started to review your request.

What a boring adventure! Well, aside from AirBnB not giving a damn about our funny European GDPR, I wondered the most about the DPC’s answer, that, while generally helpful, included the following paragraph:

Please also note that the Data Protection Commission (the “DPC”) acts as an independent regulator, and is therefore not in a position to approve or otherwise any specific data processing operations as this could prejudice the investigation of any future complaints. We are an independent office whose primary function is to give general guidance to members of the public regarding data protection.

To be clear: The responsible party for all AirBnB’s non-payment activity in Europe, where I live, is Airbnb Ireland UC1, which makes the Irish DPC the responsible agency to send complaints to. This agency tells you that it won’t actually interfere with any data processing operations, since this might influence how future complaints are handled. That’s exactly what I thought was part of their job: Giving out fines to companies, thereby further clarifying the GDPR’s application. Or is the Irish DPC more of an outsourced call center for US companies to keep complaining customers busy? It’s not a secret you sometimes have to sue the DPC to make them do their job. But such a clear confession that they don’t intend to enforce the only law they are supposed to deal with is bizarre.

In the European Union, we have a traditional race to the bottom, in which Luxembourg, failing to contribute economic value, makes its money by being an inner-European tax haven. In the same way Luxembourg welcomes companies that don’t intend to pay taxes, Ireland openly advertises for companies who don’t want to be bothered by the GDPR. I told you that AirBnB is based in Ireland? Guess, where AirBnB based their payment services in Europe1.

  1. https://www.airbnb.co.uk/help/article/2860/outside-the-united-states  2