Dutch DPA: Airbnb ends processing of national identity numbers
The American company Airbnb has ended the processing of Dutch national identity numbers (BSN) at the insistence of the Dutch data protection authority (Dutch DPA). Airbnb now immediately and automatically deletes the BSN from all digital copies of Dutch identity documents and has deleted all previously collected national identity numbers. The Dutch DPA has received approximately 100 signals from Dutch citizens about the unlawful use of their BSN by Airbnb, and has collaborated with the Irish Data Protection Commissioner to make Airbnb end the infringement.
Airbnb enables people to rent an apartment for a short-term period. In order to be able to do so through Airbnb, people have to upload a digital copy of their passport or similar identity document to the company. In the Netherlands, these identity documents contain the BSN. According to the Dutch data protection act (Wet bescherming persoonsgegevens, Wbp), organisations outside of government may only process the BSN if they have a specific legal obligation to do so.
BSN is a special category of personal data
The BSN is a unique number to identify people. In the Netherlands this belongs to the so called 'special categories of personal data'. Processing of special categories of data is prohibited, unless a specific legal exception applies. Unlawful use of the BSN entails privacy risks, such as abuse of personal data and identity fraud. It is expected that the processing of the BSN will be bound to the same strict rules under the Dutch implementation of the General Data Protection Regulation (applicable law from 25 May 2018 onwards).