This regulation was developed by the Ministry of the Interior with the goal of security and providing police forces with more information about travellers arriving in and passing through Spain. However, the scope of the requested data is excessive and could violate data protection regulations. For this reason, the majority of the Spanish Congress approved, on October 23, a proposition demanding that the Spanish Government reopen negotiations and postpone its implementation. Additionally, on November 20, the Spanish Senate also rejected this regulation by a majority vote.
However, the Spanish Government is ignoring the majority approval in Parliament and continues to provide no response to the requests for suspension and review of the regulation, maintaining the December 2, 2024, deadline for full implementation of Royal Decree 933/2021.
The imposition of these new obligations not only represents a serious threat to the privacy of personal data, as it forces travel agencies, tourist accommodations, and car rental companies to collect and transmit to the Ministry of the Interior highly sensitive information, such as financial details, traveller relationships, and even travel patterns for three years, but it also exposes citizens to potential risks of misuse of their information in the event of cyberattacks. This makes travellers the main victims of the potential exposure of their sensitive data, as this regulation is unprecedented in any other European Union country.
ECTAA and ACAVE have expressed their deep concern about this new regulation, warning of the severe repercussions for the European tourism market and the protection of travellers’ personal data. They have also contacted the Spanish Government and the Spanish Data Protection Agency, requesting the suspension of the regulation and clarification on issues that could constitute a violation of European data protection laws, but have yet to receive any response.
