Spain is set to implement Royal Decree 933/2021, known as the “Tourism Big Brother,” requiring travel agencies and companies to collect and report extensive personal data of travellers starting December 2, 2024.
Under this regulation, the Spanish Government will require travel agencies, tourist accommodations, and car rental companies to report sensitive personal information of travellers visiting Spain to the Spanish security forces, such as their phone number, contact email, family relationship details, and even information about payment methods used during the trip.
Trade bodies ECTAA and ACAVE are urging the Spanish Government to reconsider the regulation and delay its enforcement, are raising alarms about the regulation’s implications for travellers’ privacy, highlighting the risks of misuse of sensitive information and the potential for cyberattacks. They say it poses significant challenges for the European tourism market and traveller data protection.
They say the regulation has already been rejected by both the Spanish Parliament and Senate due to concerns over excessive data requests and potential violations of data protection laws, yet the government plans to proceed with its implementation.
ECTAA shared: “The European Travel Agents’ and Tour Operators’ Associations (ECTAA), along with its Spanish representative ACAVE, and in collaboration with the associations FETAVE and UNAV, are warning about the serious implications of Royal Decree 933/2021. For the associations, it is crucial to raise awareness amongthe public and travellers about the seriousness of this regulation, as they will be the main victims of its implementation. Travel agencies, tourist accommodations, and car rental companies will be required to provide the Ministry of the Interior with more than 40 pieces of information for accommodation bookings and over 60 for car rental bookings, many of which are sensitive personal data.
The imposition of these new obligations not only represents a serious threat to the privacy of personal data,as it forces travel agencies, tourist accommodations, and car rental companies to collect and transmit tothe Ministry of the Interior highly sensitive information, such as financial details, traveller relationships, andeven travel patterns for three years, but it also exposes citizens to potential risks of misuse of their information in the event of cyberattacks. This makes travellers the main victims of the potential exposure of their sensitive data, as this regulation is unprecedented in any other European Union country.
The imposition of these new obligations not only represents a serious threat to the privacy of personal data,as it forces travel agencies, tourist accommodations, and car rental companies to collect and transmit tothe Ministry of the Interior highly sensitive information, such as financial details, traveller relationships, andeven travel patterns for three years, but it also exposes citizens to potential risks of misuse of their information in the event of cyberattacks. This makes travellers the main victims of the potential exposure of their sensitive data, as this regulation is unprecedented in any other European Union country.
