Spain’s new “Big Brother Law” requires hotels, Airbnbs, car rental companies, etc., to collect visitors’ personal information, including financial information. It is a serious identity theft threat for travelers visiting the nation.
Spain has begun to enforce Royal Decree 933/2021. Dubbed the Big Brother Law, it went into effect last week. The new law requires hotels, guest houses, Airbnbs, camping sites, rental car companies, and tourism operators to collect personally identifiable information from travelers and send it to the Spanish State Secretariat for Security daily. Minor travelers, age 14 and older, aren’t exempt from the law.
Under the new Big Brother Law, tens of thousands of hospitality and travel companies will have to collect visitors’ personal data and store it for three years.
The companies collecting traveler data must store the information for three years. With tens of thousands of hospitality and travel companies storing travelers’ personal information, it’s ripe for hacker theft.
According to Spain’s Ministry of Interior, tracking this information is necessary to monitor travelers in the nation. They said that the information is essential in the fight against crime and terrorism. The Confederation of Spanish Hoteliers and Tourist Accommodation has severely criticized the law. They want Spain to ensure that the new law conforms with the European Union’s General Data Protection Regulation (GDPR), which it doesn’t appear to do.
European travel agents are outraged by Spain’s new traveler data collection law.
The European Travel Agents and Tour Operators Associations and its Spanish representative, ACAVE, have warned about the serious problems the Big Brother Law is causing. They have said in part:
“The imposition of these new obligations not only represents a serious threat to the privacy of personal data, as it forces travel agencies, tourist accommodations, and car rental companies to collect and transmit to the Ministry of the Interior highly sensitive information, such as financial details, traveller relationships, and even travel patterns for three years, but it also exposes citizens to potential risks of misuse of their information in the event of cyberattacks.”
The personal data Spain is collecting includes visitor credit and debit card information.
What personal data will be at risk? Spanish hotels, guest houses, Airbnbs, etc., have to collect the following information from every visitor to Spain aged 14 and older. They are ordered to collect the full name, gender, nationality, passport number, date of birth, home address, landline phone number, mobile phone number, email address, and details of how visitors’ bills are paid. For example, credit card data will include the type of card, name on the card, card number, expiration date, and the security code.
Visitors should be prepared to prove their relationship to children under 14 traveling with them.
In addition, the law requires adults traveling with minor children under 14 to define their relationship with the children precisely. Adult travelers should be prepared to prove their relationship with any children traveling with them. With serious concerns in Europe about human trafficking, bring documentation of your legal relationship with the children, particularly if you’re a single parent, especially if you’re divorced. You may need to prove custody rights. This is a significantly troubling aspect of the new law that almost no one has yet discussed.
Car rental companies must collect the same information as hotels, plus full driver’s information. This data collection would be relatively easy, as these companies always collect it in the normal course of their business. What’s disquieting about it in Spain is that the companies must store the information for three years.
The potential for hacking isn’t idle speculation. It is very real.
Verizon Business’ 2024 Data Breach Investigations Report outlines that malware, including ransomware and RAM scrapers, web application attacks, and social engineering are the most significant threats to the hospitality industry. The report notes that the hospitality industry, which relies on connected technologies to provide a quality guest experience through easy check-in kiosks, digital keycards, smartphone integration, guest room automation, and Internet of Things technology generally, has many openings for potential hacker intrusion.
Moreover, no one should forget that a successful hospitality breach can reap huge rewards, so the industry is a massive hacker target.
Here’s some recent hacker history of major hospitality companies.
Let’s see if hotels, for example, can actually keep our personal data safe.
In mid-2023, MGM Resorts International reported a massive cyberattack that resulted in $100 million in costs and the theft of an unknown amount of guests’ personal data.
In September 2023, Caesars Entertainment confirmed a network breach in which the hackers stole Caesars’ loyalty program database. The group behind the attack, apparently Scattered Spider, was paid $15 million not to publish the loyalty program database.
In late 2023, the cybercrime group AlphV/BlackCat attacked Motel One, the budget hotel chain in the U.S. and Europe. The hacker group got into Motel One’s network and launched a ransomware attack. The attack caused the company to shut down its network after the attackers stole an unknown amount of customer data, including contact information and credit card details. AlphV/BlackCat claims that they were able to steal more than 24 million files, including precisely the kind of data, such as credit card information, that Spain requires from visitors.
Those hacker breaches were against big companies with huge resources. Small travel companies don’t have the resources to protect traveler data.
These breaches were against top hospitality companies. They have enormous resources to protect their companies’ and guests’ data. Smaller hospitality and travel companies offer hackers lesser rewards, but since they will be easier to breach, they will still be likely targets along with the large companies.
I’m seriously concerned about my personal information when traveling and have enormous concerns over Spain’s new data collection law.
Spain’s new law negates the financial protection of Apple Pay and similar systems.
As a traveler, I combat hospitality and travel industry hackers by using Apple Pay to pay my hotel, car rental, store, and restaurant bills. Other smartphone payment systems using similar technology will also combat hackers. A security feature of Apple Pay and other similar systems is that hotels, rental car companies, stores, restaurants, etc., don’t store any customer credit card information on their computers when Apple Pay is used. If the companies are hacked, only your name, not your credit card information, can be stolen because it’s simply not there. When Apple Pay is used, hackers can only retrieve the date, amount of the payment, the name of the payee, and a transaction number from Apple Pay, with no credit card data.
Spain’s new law does away with the financial protection of Apple Pay and similar systems because travelers are required to give the information of the credit card used within Apple Pay and similar systems. Even though businesses don’t need it, Spain requires that they collect it.
Spain’s new visitor data collection law needs serious changes. Without them, I recommend travelers visit other countries instead of Spain.
Spain needs to change its new law to protect its visitors substantially better. Credit and debit card information shouldn’t be collected. The long-term, three-year storage of visitors’ personal data unnecessarily risks the financial well-being of Spain’s visitors, the vast majority of whom are law-abiding travelers. Moreover, three years of data storage by the companies seems unnecessary since Spain’s State Secretariat for Security already has the data, which is sent to its computers daily.
For now, I can’t recommend traveling to Spain for anyone. Spain is a terrific country to visit. I’ve happily been there multiple times; however, rather than put my personal identity and financial information at risk, I will avoid traveling to Spain for the foreseeable future. There are many other great locations in the world to see.
(Image: The square outside the Primate Cathedral of Saint Mary of Toledo. Copyright © 2024 NSL Photography. All Rights Reserved. All TDM and AI Training are Prohibited.)
After many years working in corporate America as a chemical engineer, executive and eventually CFO of a multinational manufacturer, Ned founded a tech consulting company and later restarted NSL Photography, his photography business. Before entering the corporate world, Ned worked as a Public Health Engineer for the Philadelphia Department of Public Health. As a well known corporate, travel and wildlife photographer, Ned travels the world writing about travel and photography, as well as running photography workshops, seminars and photowalks.