The rules went into effect this week.
Travelers to Spain should know about a significant change that will affect them during their visit. The country’s new “big brother” data law went into effect on December 2, despite backlash and criticism. Called Royal Decree 933/2021, the new law requires tourists to share over 40 personal details with hotels and 60 pieces of information with car rentals. Industry experts are concerned that data privacy and personal information may be compromised.
Related: Summer’s Over But Spain’s Overtourism Problem Is Far From Gone
What’s Changed in Spain?
Hotels around the world require guests to disclose basic details such as name, email address, and ID (i.e. a passport). Spain is going a step further by asking for more sensitive information, such as banking details, home addresses, and relationships between travelers. Hotels, rentals, Airbnb, camping sites, car rentals, and tourism operators must collect this data and send it to the government. Minors are not exempt from this requirement, and all data will be stored for three years.
The decree applies to mainland Spain as well as the Canary and Balearic Islands. Businesses need to register with the Ministry of Interior, send data daily, and maintain records for three years; those who don’t comply face fines of up to €30,000. Airbnb answered the most frequently asked questions about this decree and informed hosts that the platform will also share details while businesses must register themselves separately. If guests refuse to share details, hosts can refuse accommodation, it said.
Continue Reading Article After Our Video
Recommended Fodor’s Video
The new decree increases paperwork for both businesses and consumers, but travel associations and experts are worried about the security risks and infringement on the right to protection of personal data.
What Are Spain’s Concerns?
The regulation was introduced by the Ministry of Interior in 2023 to help the government monitor people arriving and traveling through Spain. The Ministry stated that the data will help them fight terrorism and crime. However, it was delayed multiple times due to criticism from industry experts.
For travelers, experts expect a range of implications. Administrative costs for maintaining and sharing these records will increase, and businesses will charge customers extra to keep up. Moreover, the check-in process will become more complicated, possibly leading to longer wait times. Most importantly, sensitive information such as bank details poses a security threat to customers in the event of cyberattacks.
The Confederation of Spanish Hoteliers and Tourist Accommodation (CEHAT) is one of the major critics of the law and has insisted that the Spanish government ensure compliance with the European Union’s General Data Protection Regulation (GDPR). CEHAT is currently exploring legal action against this decree due to a lack of dialogue with the government. Their statement asserts that the regulation will have a direct impact on both international and domestic tourists, and the complicated administrative work will compromise a guest’s experience.
In addition, the European Travel Agents and Tour Operators Associations and the Corporate Association of Specialist Travel Agencies in Spain have also warned about the seriousness of the regulation. The associations called the data collection excessive and criticized the way it can be used for reasons beyond terrorism and organized crime, saying in a statement, “Applied to more common offenses, the proportionality of the decree can further be challenged.”
It poses a serious threat to the privacy of personal data and also “exposes citizens to potential risks of misuse of their information in the event of cyberattacks,” the statement said. This is unprecedented in any other European country, so the associations have demanded transparency and compliance with European Union data privacy laws.
