European travel agents up in arms against Spanish data decree

The European Travel Agents’ and Tour Operators’ Associations (ECTAA), along with its Spanish representative ACAVE, and in collaboration with the associations FETAVE and UNAV, have warned against the implementation of a new rule that requires travel agents as well as accommodation and transport providers to furnish up to 60 pieces of information for each booking for travel in Spain.

In a press statement, ECTAA says that for the associations, it is crucial to raise awareness among the public and travellers about the seriousness of this regulation, as they will be the main victims of its implementation.

The statement adds that with effect from December 2, travel agencies, tourist accommodations, and car rental companies will be required to provide the Spanish Ministry of the Interior with more than 40 pieces of information for accommodation bookings and over 60 for car rental bookings, many of which are sensitive personal data.

ECTAA says the regulation was developed by the Ministry of the Interior with the goal of security and providing police forces with more information about travellers arriving in and passing through Spain. However, the scope of the requested data is excessive and could violate data protection regulations.

It says that for this reason, the majority of the Spanish Congress approved, on October 23, a proposition demanding that the Spanish Government reopen negotiations and postpone its implementation. Additionally, on November 20, the Spanish Senate also rejected this regulation by a majority vote. “However, the Spanish Government is ignoring the majority approval in Parliament and continues to provide no response to the requests for suspension and review of the regulation, maintaining the December 2, 2024, deadline for full implementation of Royal Decree 933/2021,’’ says ETCAA.

The travel associations warn that the imposition of these new obligations not only represents a serious threat to the privacy of personal data, as it forces travel agencies, tourist accommodations, and car rental companies to collect and transmit to the Ministry of the Interior highly sensitive information, such as financial details, traveller relationships, and even travel patterns for three years, but it also exposes citizens to potential risks of misuse of their information in the event of cyberattacks.

The statement adds that the rule makes travellers the main victims of the potential exposure of their sensitive data, as this regulation is unprecedented in any other European Union country. ECTAA and ACAVE say they have expressed their deep concern about this new regulation, warning of the severe repercussions for the European tourism market and the protection of travellers’ personal data. They have also contacted the Spanish Government and the Spanish Data Protection Agency, requesting the suspension of the regulation and clarification on issues that could constitute a violation of European data protection laws, but have yet to receive any response.